Cobbler will not start on RHEL 6.3 with SELINUX set to enforcing. The traceback is:
[root@fiat Desktop]# service cobblerd restart
Stopping cobbler daemon: [ OK ]
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py", line 62, in load_modules
    blip = __import__("modules.%s" % ( modname), globals(), locals(), [modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py", line 53, in <module>
    from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, pointer, sizeof
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
[ OK ]

SETROUBLESHOOT shows:

SELinux is preventing /usr/bin/python from 'execute' accesses on the file /var/tmp/ffi9tKgC2 (deleted).

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that python should be allowed execute access on the ffi9tKgC2 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                unconfined_u:object_r:cobbler_tmp_t:s0
Target Objects                /var/tmp/ffi9tKgC2 (deleted) [ file ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.6-29.el6_2.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-155.el6_3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fiat 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 25 Jun 2012 09:17:11 AM EDT
Last Seen                     Mon 25 Jun 2012 09:17:11 AM EDT
Local ID                      0e7281c6-bac9-4508-86f0-37bcd3b981f3

Raw Audit Messages
type=AVC msg=audit(1340630231.422:38857): avc: denied { execute } for pid=3237 comm="cobblerd" path=2F7661722F746D702F66666939744B674332202864656C6574656429 dev=dm-0 ino=1443260 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1340630231.422:38857): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=3236 pid=3237 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

Hash: cobblerd,cobblerd_t,cobbler_tmp_t,file,execute

audit2allow

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;

audit2allow -R

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;

and

SELinux is preventing /usr/bin/python from 'search' accesses on the directory /dev/shm/ffiJ5MZtf.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/dev/shm/ffiJ5MZtf default label should be device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/shm/ffiJ5MZtf

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that python should be allowed search access on the ffiJ5MZtf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/ffiJ5MZtf [ dir ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.6-29.el6_2.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-155.el6_3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 25 Jun 2012 09:17:11 AM EDT
Last Seen                     Mon 25 Jun 2012 09:17:11 AM EDT
Local ID                      69c30a55-bcf2-4d0e-b97e-acbc91c0e3b7

Raw Audit Messages
type=AVC msg=audit(1340630231.422:38858): avc: denied { search } for pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=AVC msg=audit(1340630231.422:38858): avc: denied { search } for pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1340630231.422:38858): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff4eaa8310 a1=c2 a2=180 a3=1 items=4 ppid=3236 pid=3237 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

type=CWD msg=audit(1340630231.422:38858): cwd=/

type=PATH msg=audit(1340630231.422:38858): item=0 name=/dev/shm/ffiJ5MZtf

type=PATH msg=audit(1340630231.422:38858): item=1 name=(null) inode=5440 dev=00:10 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

type=PATH msg=audit(1340630231.422:38858): item=2 name=/dev/shm/ffiJ5MZtf

type=PATH msg=audit(1340630231.422:38858): item=3 name=(null) inode=5440 dev=00:10 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

Hash: cobblerd,cobblerd_t,tmpfs_t,dir,search

audit2allow

#============= cobblerd_t ==============
allow cobblerd_t tmpfs_t:dir search;

audit2allow -R

#============= cobblerd_t ==============
allow cobblerd_t tmpfs_t:dir search;

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Stuart J. Newman
Engineer 4; Systems
Solar Dynamics Observatory (SDO)
Honeywell Technology Solutions Inc
NASA/Goddard Space Flight Center
Building 14, Room E222
Mail Stop 428.2
Greenbelt, MD 20771
Office: (301) 286-5145
EMail: stuart.j.new...@nasa.gov
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
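Added example, not part of the original message and not Cobbler or setroubleshoot code: a small parser for the AVC records quoted in the report. It decodes the hex-encoded path= field, rebuilds the allow rule audit2allow printed, and marks a file execute grant for review before it goes into a local policy module. The function names (decode_audit_value, parse_avc, summarize) are made up for this sketch.

```python
import re

# The two distinct AVC records from the report above, copied unchanged.
SAMPLE = """\
type=AVC msg=audit(1340630231.422:38857): avc: denied { execute } for pid=3237 comm="cobblerd" path=2F7661722F746D702F66666939744B674332202864656C6574656429 dev=dm-0 ino=1443260 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file
type=AVC msg=audit(1340630231.422:38858): avc: denied { search } for pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_audit_value(value):
    """Undo auditd's string encoding: plain values are quoted, values that
    contain spaces or control bytes are written as bare hex."""
    if value.startswith('"'):
        return value[1:-1]
    if HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_avc(line):
    """Return the parts of one AVC denial that matter for a policy review."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group(1).split()
    fields = dict(FIELD_RE.findall(m.group(2)))
    source = fields["scontext"].split(":")[2]  # type is the third context field
    target = fields["tcontext"].split(":")[2]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return {
        # Only path/name are decoded; numeric fields such as ino also look like hex.
        "object": decode_audit_value(fields.get("path", fields.get("name", ""))),
        "rule": "allow %s %s:%s %s;" % (source, target, fields["tclass"], perm_text),
        # Execute on a regular file is the grant to look at twice: in the
        # first record the target is the daemon's own temp-file type.
        "review": fields["tclass"] == "file" and "execute" in perms,
    }


def summarize(text):
    """Parse every AVC line in text, skipping non-AVC records."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]
```
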