Hi All,

It seems that the selinux policy for cobbler needs some updates:

#============= cobblerd_t ==============
allow cobblerd_t cert_t:dir search;
allow cobblerd_t cert_t:file { read getattr open };
allow cobblerd_t cert_t:lnk_file read;
allow cobblerd_t etc_t:file write;
allow cobblerd_t slapd_cert_t:dir { getattr search };
allow cobblerd_t slapd_cert_t:file { read getattr open };
allow cobblerd_t tftpdir_rw_t:dir rmdir;
allow cobblerd_t tftpdir_rw_t:file { getattr unlink };


The cert and slapd is for ldap authentication and is optional but should
probably be part of the policy. The tftpdir stuff I think should've been
included as a default, no?

Here's the audit2why output
[root@cobbler ~]# audit2why -li /var/log/audit/audit.log
type=AVC msg=audit(1422644949.550:25): avc:  denied  { getattr } for
pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:26): avc:  denied  { search } for
pid=1431 comm="cobblerd" name="pki" dev=dm-0 ino=786478
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:27): avc:  denied  { getattr } for
pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:28): avc:  denied  { getattr } for
pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.788:30): avc:  denied  { getattr } for
pid=1492 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc:  denied  { search } for
pid=1492 comm="cobblerd" name="certs" dev=dm-0 ino=786670
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc:  denied  { getattr } for
pid=1492 comm="cobblerd" path="/etc/openldap/certs/secmod.db" dev=dm-0
ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc:  denied  { read } for
pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc:  denied  { open } for
pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc:  denied  { search } for
pid=1492 comm="cobblerd" name="pki" dev=dm-0 ino=786478
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc:  denied  { read } for
pid=1492 comm="cobblerd" name="cert.pem" dev=dm-0 ino=786546
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc:  denied  { getattr } for
pid=1492 comm="cobblerd" path="/etc/pki/tls/certs/ca-bundle.crt"
dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:34): avc:  denied  { read } for
pid=1492 comm="cobblerd" name="ca-bundle.crt" dev=dm-0 ino=786548
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:34): avc:  denied  { open } for
pid=1492 comm="cobblerd" name="ca-bundle.crt" dev=dm-0 ino=786548
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655642.359:80): avc:  denied  { getattr } for
pid=1856 comm="cobblerd" path="/var/lib/tftpboot/boot/grub/menu.lst"
dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655642.359:81): avc:  denied  { unlink } for
pid=1856 comm="cobblerd" name="menu.lst" dev=dm-0 ino=2885601
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655844.922:83): avc:  denied  { getattr } for
pid=1869 comm="cobblerd" path="/var/lib/tftpboot/boot/grub/menu.lst"
dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655844.922:84): avc:  denied  { unlink } for
pid=1869 comm="cobblerd" name="menu.lst" dev=dm-0 ino=2885601
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655844.923:85): avc:  denied  { rmdir } for
pid=1869 comm="cobblerd" name="grub" dev=dm-0 ino=2885600
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655845.677:86): avc:  denied  { write } for
pid=1869 comm="cobblerd" name="tftp" dev=dm-0 ino=787485
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.



Cheers,
Harry
_______________________________________________
cobbler mailing list
cobbler@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/cobbler
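To show how the allow rules at the top of the post are derived from the denials below it, here is an added Python example (not part of Harry's mail or of Cobbler's own code): it parses AVC records in the mail-wrapped audit2why shape, aggregates permissions per source type, target type and object class the way audit2allow does, and flags any resulting rule whose target is a broad type such as etc_t, where relabelling the single file named in the denial is usually the narrower fix. The sample records and the BROAD_TYPES list are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit2why output above; records are
# wrapped across lines exactly as they are in the mail.
SAMPLE = """\
type=AVC msg=audit(1422645107.794:32): avc:  denied  { read } for
pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.794:32): avc:  denied  { open } for
pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422655845.677:86): avc:  denied  { write } for
pid=1869 comm="cobblerd" name="tftp" dev=dm-0 ino=787485
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=\w+:\w+:(?P<src>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<tgt>\w+):\S+\s+tclass=(?P<cls>\w+)"
)

def parse_denials(text):
    # Returns {(source_type, target_type, class): {perms}}. Each record is
    # re-joined onto one line first, so mail-wrapped output parses like audit.log.
    rules = defaultdict(set)
    for rec in re.split(r"(?=type=AVC )", text):
        m = AVC_RE.search(" ".join(rec.split()))
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    # Render aggregated denials as TE allow rules (perms sorted for stable output).
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

# Assumed list of broad filesystem types: "allow cobblerd_t etc_t:file write"
# reaches every file labelled etc_t, not only the one file in the denial.
BROAD_TYPES = {"etc_t", "var_t", "var_lib_t", "tmp_t", "usr_t"}

def broad_rules(rules):
    # Keys of rules a reviewer should look at before loading the module.
    return [k for k in rules if k[1] in BROAD_TYPES]
```

Running parse_denials over the full audit2why text in the mail reproduces the rule list at the top of the post, with the etc_t write rule as the one broad_rules singles out.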