[cobbler] SELINUX denials cobbler-2.6.7-1

2015-01-30 Thread Harry Hoffman
Hi All,

It seems that the selinux policy for cobbler needs some updates:

#= cobblerd_t ==
allow cobblerd_t cert_t:dir search;
allow cobblerd_t cert_t:file { read getattr open };
allow cobblerd_t cert_t:lnk_file read;
allow cobblerd_t etc_t:file write;
allow cobblerd_t slapd_cert_t:dir { getattr search };
allow cobblerd_t slapd_cert_t:file { read getattr open };
allow cobblerd_t tftpdir_rw_t:dir rmdir;
allow cobblerd_t tftpdir_rw_t:file { getattr unlink };


The cert and slapd rules are for LDAP authentication and are optional, but should
probably be part of the policy. The tftpdir stuff, I think, should've been
included as a default, no?

Here's the audit2why output
[root@cobbler ~]# audit2why -li /var/log/audit/audit.log
type=AVC msg=audit(1422644949.550:25): avc:  denied  { getattr } for
pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:26): avc:  denied  { search } for
pid=1431 comm=cobblerd name=pki dev=dm-0 ino=786478
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:27): avc:  denied  { getattr } for
pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422644949.587:28): avc:  denied  { getattr } for
pid=1431 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670
scontext=system_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.788:30): avc:  denied  { getattr } for
pid=1492 comm=cobblerd path=/etc/openldap/certs dev=dm-0 ino=786670
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc:  denied  { search } for
pid=1492 comm=cobblerd name=certs dev=dm-0 ino=786670
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.793:31): avc:  denied  { getattr } for
pid=1492 comm=cobblerd path=/etc/openldap/certs/secmod.db dev=dm-0
ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc:  denied  { read } for
pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.794:32): avc:  denied  { open } for
pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc:  denied  { search } for
pid=1492 comm=cobblerd name=pki dev=dm-0 ino=786478
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1422645107.833:33): avc:  denied  { read } for
pid=1492 comm=cobblerd name=cert.pem dev=dm-0 ino=786546
scontext=unconfined_u:system_r:cobblerd_t:s0
tcontext=system_u:object_r:cert_t:s0 
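The post above leaves the "generate a loadable module" step to audit2allow. The script below is an added example, not code from this thread or from the Cobbler project: it does the same translation in plain awk so each generated rule can be read before it is loaded, and it shows the checkmodule/semodule_package/semodule build steps. The module name cobbler_local is an assumption, and the AVC records in AVC_SAMPLE are constructed copies modelled on the denials quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cobbler: turn raw AVC
# records into a loadable SELinux policy module source (.te), the way
# audit2allow does, so each rule can be reviewed before it is loaded.

# Constructed sample records, modelled on the denials quoted in the post
# (same comm, types and classes; one record per line as in audit.log).
AVC_SAMPLE='type=AVC msg=audit(1422645107.793:31): avc:  denied  { search } for pid=1492 comm=cobblerd name=certs dev=dm-0 ino=786670 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1422645107.794:32): avc:  denied  { read } for pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.794:32): avc:  denied  { open } for pid=1492 comm=cobblerd name=secmod.db dev=dm-0 ino=786673 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1422645107.833:33): avc:  denied  { search } for pid=1492 comm=cobblerd name=pki dev=dm-0 ino=786478 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir'

# avc_to_te MODULE_NAME < audit-records
# Reads AVC denial lines on stdin and prints a complete .te source:
# a "require" block listing every type and class/permission used, then one
# "allow source target:class perms;" rule per (source, target, class),
# with the permissions of repeated denials merged into one rule.
avc_to_te() {
  awk -v mod="$1" '
    function addword(s, w) { return (index(" " s " ", " " w " ") ? s : (s == "" ? w : s " " w)) }
    function braces(p)     { return ((p ~ / /) ? "{ " p " }" : p) }
    function seen_type(t)  { if (!(t in types)) { types[t] = 1; tlist[++nt] = t } }
    /avc: +denied/ {
      # permissions sit between "{" and "}"; a record may list several
      perm = $0; sub(/.*denied +\{ */, "", perm); sub(/ *\}.*/, "", perm)
      stype = ttype = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }  # user:role:type:level
        if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (stype == "" || ttype == "" || cls == "") next   # malformed record: skip it
      seen_type(stype); seen_type(ttype)
      if (!(cls in cperms)) { cperms[cls] = ""; clist[++nc] = cls }
      key = stype SUBSEP ttype SUBSEP cls
      if (!(key in rules)) { rules[key] = ""; rlist[++nr] = key }
      np = split(perm, pw, " ")
      for (j = 1; j <= np; j++) {
        rules[key]  = addword(rules[key], pw[j])
        cperms[cls] = addword(cperms[cls], pw[j])
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (i = 1; i <= nt; i++) printf "    type %s;\n", tlist[i]
      for (i = 1; i <= nc; i++) printf "    class %s %s;\n", clist[i], braces(cperms[clist[i]])
      printf "}\n\n"
      for (i = 1; i <= nr; i++) {
        split(rlist[i], k, SUBSEP)
        printf "allow %s %s:%s %s;\n", k[1], k[2], k[3], braces(rules[rlist[i]])
      }
    }'
}

# build_module MODULE_NAME: compile MODULE_NAME.te and load it. Needs
# checkmodule, semodule_package and semodule (policycoreutils) and root;
# it is not run here. "audit2allow -M MODULE_NAME" does the same from a log.
build_module() {
  checkmodule -M -m -o "$1.mod" "$1.te" &&
  semodule_package -o "$1.pp" -m "$1.mod" &&
  semodule -i "$1.pp"
}

# Stand-alone run: print the generated module source for the sample records.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te cobbler_local
```

For the sample records this prints a require block for cobblerd_t, slapd_cert_t and cert_t and three allow rules, the file rule carrying the merged `{ read open }`. The point of generating the source rather than piping straight into `audit2allow -M` is the review step in between: a rule such as `allow cobblerd_t etc_t:file write;` from the list at the top of the post grants write access to every file labelled etc_t, so before loading it one would look at the `name=`/`path=` field of the record that produced it and consider giving that one file its own type instead of shipping the blanket rule.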

Re: [cobbler] SELINUX denials cobbler-2.6.7-1

2015-01-30 Thread Orion Poplawski

On 01/30/2015 03:15 PM, Harry Hoffman wrote:
> Hi All,
>
> It seems that the selinux policy for cobbler needs some updates:


You don't indicate what OS, but for Fedora/RHEL policy is in the 
selinux-policy component so you'll want to file a bug against that. 
There are already some open ones:


https://bugzilla.redhat.com/buglist.cgi?quicksearch=%3Aselinux-policy%20cobblerlist_id=3199475



--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                    or...@cora.nwra.com
Boulder, CO 80301                     http://www.cora.nwra.com
___
cobbler mailing list
cobbler@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/cobbler