[cobbler] SELINUX denials cobbler-2.6.7-1
Hi All,

It seems that the selinux policy for cobbler needs some updates:

#= cobblerd_t ==
allow cobblerd_t cert_t:dir search;
allow cobblerd_t cert_t:file { read getattr open };
allow cobblerd_t cert_t:lnk_file read;
allow cobblerd_t etc_t:file write;
allow cobblerd_t slapd_cert_t:dir { getattr search };
allow cobblerd_t slapd_cert_t:file { read getattr open };
allow cobblerd_t tftpdir_rw_t:dir rmdir;
allow cobblerd_t tftpdir_rw_t:file { getattr unlink };

The cert and slapd rules are for LDAP authentication and are optional, but should probably be part of the policy. The tftpdir stuff I think should've been included as a default, no?

Here's the audit2why output:

[root@cobbler ~]# audit2why -li /var/log/audit/audit.log
type=AVC msg=audit(1422644949.550:25): avc: denied { getattr } for pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:26): avc: denied { search } for pid=1431 comm=cobblerd name=pki dev=dm-0 ino=786478 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:27): avc: denied { getattr } for pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:28): avc: denied { getattr } for pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.788:30): avc: denied { getattr } for pid=1492 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc: denied { search } for pid=1492 comm=cobblerd name=certs dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc: denied { getattr } for pid=1492 comm=cobblerd path=/etc/openldap/certs/secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc: denied { read } for pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc: denied { open } for pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc: denied { search } for pid=1492 comm=cobblerd name=pki dev=dm-0 ino=786478 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
    Was caused by:
        Missing type enforcement (TE) allow rule.
        You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc: denied { read } for pid=1492 comm=cobblerd name=cert.pem dev=dm-0 ino=786546 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0
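An added example (not part of the post, and not cobbler's or audit2allow's own code) that turns AVC denials like the ones above into the merged TE allow rules audit2allow would print, and flags rules that would grant a mutating permission so they get a manual look before any module is loaded. The input is four of the post's own denials plus one constructed line matching its `etc_t:file write` rule.

```python
import re
from collections import defaultdict
# Sample AVC denials: the first four are copied from the post's audit2why output;
# the last is constructed to match the post's "etc_t:file write" rule.
AVC_LINES = """\
type=AVC msg=audit(1422644949.550:25): avc: denied { getattr } for pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1422645107.793:31): avc: denied { search } for pid=1492 comm=cobblerd name=certs dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1422645107.794:32): avc: denied { read } for pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.794:32): avc: denied { open } for pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645200.000:40): avc: denied { write } for pid=1492 comm=cobblerd name=hosts dev=dm-0 ino=1 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Permissions that modify the target: an allow for these on a generic type such as
# etc_t is far broader than a read-only allow and deserves a manual look (added caveat).
MUTATING = {"write", "append", "create", "unlink", "rmdir", "rename", "setattr"}

def parse_avc(line):
    """Return (source type, target type, tclass, perms) for one AVC denial, else None."""
    pm = PERMS_RE.search(line)
    if not pm:
        return None
    fields = dict(KV_RE.findall(line))
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    stype = fields["scontext"].split(":")[2]  # user:role:type:level -> type
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(pm.group(1).split())

def summarize(lines):
    """Merge every denial into one permission set per (stype, ttype, tclass)."""
    perms_by_key = defaultdict(set)
    for line in lines:
        if parsed := parse_avc(line):
            perms_by_key[parsed[:3]] |= parsed[3]
    return dict(perms_by_key)

def denials_to_rules(lines):
    """Render the summary as TE allow rules, in the form audit2allow prints."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules

def review_needed(lines):
    """Keys whose generated rule would grant a permission from MUTATING."""
    return sorted(key for key, perms in summarize(lines).items() if perms & MUTATING)
```

Feed it the real `/var/log/audit/audit.log` lines instead of `AVC_LINES` and compare the output with `audit2allow -m`; anything in `review_needed` should be justified before the module is built.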
Re: [cobbler] SELINUX denials cobbler-2.6.7-1
On 01/30/2015 03:15 PM, Harry Hoffman wrote:
> Hi All, It seems that the selinux policy for cobbler needs some updates:

You don't indicate what OS, but for Fedora/RHEL the policy is in the selinux-policy component, so you'll want to file a bug against that. There are already some open ones:

https://bugzilla.redhat.com/buglist.cgi?quicksearch=%3Aselinux-policy%20cobblerlist_id=3199475

-- 
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    or...@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com