Hi All,

It seems that the selinux policy for cobbler needs some updates:

#============= cobblerd_t ==============
allow cobblerd_t cert_t:dir search;
allow cobblerd_t cert_t:file { read getattr open };
allow cobblerd_t cert_t:lnk_file read;
allow cobblerd_t etc_t:file write;
allow cobblerd_t slapd_cert_t:dir { getattr search };
allow cobblerd_t slapd_cert_t:file { read getattr open };
allow cobblerd_t tftpdir_rw_t:dir rmdir;
allow cobblerd_t tftpdir_rw_t:file { getattr unlink };

The cert and slapd rules are for ldap authentication and are optional, but should probably be part of the policy. The tftpdir stuff I think should've been included as a default, no?

Here's the audit2why output:

[root@cobbler ~]# audit2why -li /var/log/audit/audit.log
type=AVC msg=audit(1422644949.550:25): avc: denied { getattr } for pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:26): avc: denied { search } for pid=1431 comm="cobblerd" name="pki" dev=dm-0 ino=786478 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:27): avc: denied { getattr } for pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:28): avc: denied { getattr } for pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.788:30): avc: denied { getattr } for pid=1492 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc: denied { search } for pid=1492 comm="cobblerd" name="certs" dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc: denied { getattr } for pid=1492 comm="cobblerd" path="/etc/openldap/certs/secmod.db" dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc: denied { read } for pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc: denied { open } for pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc: denied { search } for pid=1492 comm="cobblerd" name="pki" dev=dm-0 ino=786478 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc: denied { read } for pid=1492 comm="cobblerd" name="cert.pem" dev=dm-0 ino=786546 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc: denied { getattr } for pid=1492 comm="cobblerd" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:34): avc: denied { read } for pid=1492 comm="cobblerd" name="ca-bundle.crt" dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:34): avc: denied { open } for pid=1492 comm="cobblerd" name="ca-bundle.crt" dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655642.359:80): avc: denied { getattr } for pid=1856 comm="cobblerd" path="/var/lib/tftpboot/boot/grub/menu.lst" dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655642.359:81): avc: denied { unlink } for pid=1856 comm="cobblerd" name="menu.lst" dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655844.922:83): avc: denied { getattr } for pid=1869 comm="cobblerd" path="/var/lib/tftpboot/boot/grub/menu.lst" dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655844.922:84): avc: denied { unlink } for pid=1869 comm="cobblerd" name="menu.lst" dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655844.923:85): avc: denied { rmdir } for pid=1869 comm="cobblerd" name="grub" dev=dm-0 ino=2885600 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422655845.677:86): avc: denied { write } for pid=1869 comm="cobblerd" name="tftp" dev=dm-0 ino=787485 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

Cheers,
Harry

_______________________________________________
cobbler mailing list
cobbler@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/cobbler
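The allow rules at the top of the message are what audit2allow derives from the AVC denials below them: it collapses every denial with the same source type, target type and object class into one rule and unions the permissions. The following Python script is an added example (not part of Harry's message or of the cobbler project) that does the same collapsing over the denial lines quoted in the message, and additionally flags the one rule a policy maintainer would want to look at twice before merging: `allow cobblerd_t etc_t:file write` grants write on every file labelled with the generic `etc_t` type, whereas the denial only involved one file (`name="tftp"`), so relabelling that file to a more specific type is the usual alternative. The list of "broad" base types and the set of write-like permissions in `review_flags` are the example's own heuristics, not anything the page or the SELinux reference policy defines.

```python
import re
from collections import defaultdict

# Matches the fields of an AVC denial record: the permission set in braces,
# the source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic (assumption of this example): generic base types where a write-class
# grant is usually a sign of a mislabelled file rather than a genuine policy gap.
BROAD_TYPES = {"etc_t", "var_t", "usr_t", "bin_t", "lib_t"}
WRITE_LIKE = {"write", "append", "create", "unlink", "rmdir", "rename", "setattr"}

# Sample input: denial records copied from the mailing-list message above,
# plus one non-AVC line from the audit2why output to show it is skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1422644949.550:25): avc: denied { getattr } for pid=1431 comm="cobblerd" path="/etc/openldap/certs" dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
        Was caused by:
type=AVC msg=audit(1422645107.793:31): avc: denied { search } for pid=1492 comm="cobblerd" name="certs" dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1422645107.793:31): avc: denied { getattr } for pid=1492 comm="cobblerd" path="/etc/openldap/certs/secmod.db" dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.794:32): avc: denied { read } for pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.794:32): avc: denied { open } for pid=1492 comm="cobblerd" name="secmod.db" dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.833:33): avc: denied { search } for pid=1492 comm="cobblerd" name="pki" dev=dm-0 ino=786478 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1422645107.833:33): avc: denied { read } for pid=1492 comm="cobblerd" name="cert.pem" dev=dm-0 ino=786546 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1422645107.833:33): avc: denied { getattr } for pid=1492 comm="cobblerd" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.833:34): avc: denied { read } for pid=1492 comm="cobblerd" name="ca-bundle.crt" dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.833:34): avc: denied { open } for pid=1492 comm="cobblerd" name="ca-bundle.crt" dev=dm-0 ino=786548 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1422655642.359:80): avc: denied { getattr } for pid=1856 comm="cobblerd" path="/var/lib/tftpboot/boot/grub/menu.lst" dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
type=AVC msg=audit(1422655642.359:81): avc: denied { unlink } for pid=1856 comm="cobblerd" name="menu.lst" dev=dm-0 ino=2885601 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=file
type=AVC msg=audit(1422655844.923:85): avc: denied { rmdir } for pid=1869 comm="cobblerd" name="grub" dev=dm-0 ino=2885600 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir
type=AVC msg=audit(1422655845.677:86): avc: denied { write } for pid=1869 comm="cobblerd" name="tftp" dev=dm-0 ino=787485 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())


def collapse(audit_text):
    """Union the denied permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def render(rules):
    """Render collapsed denials as TE allow rules, one per line, sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


def review_flags(rules):
    """Flag write-class grants on broad base types: relabelling is usually preferable."""
    flags = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        risky = sorted(perms & WRITE_LIKE)
        if risky and ttype in BROAD_TYPES:
            flags.append(
                f"{stype} -> {ttype}:{tclass} {' '.join(risky)}: target is a generic type; "
                f"consider relabelling the file instead of adding this rule"
            )
    return flags


if __name__ == "__main__":
    collapsed = collapse(SAMPLE_AUDIT)
    print("\n".join(render(collapsed)))
    for flag in review_flags(collapsed):
        print("REVIEW:", flag)
```

Run as-is it prints the same eight allow rules the message opens with (permissions sorted alphabetically rather than in audit2allow's order), followed by a single REVIEW line for the `etc_t` write. Lines that are not AVC records, such as the audit2why explanation text, are ignored by the parser.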