Cobbler will not start on RHEL 6.3 with SELINUX set to enforcing.  The 
traceback is:

[root@fiat Desktop]# service cobblerd restart
Stopping cobbler daemon:                                   [  OK  ]
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py", line 62, in load_modules
    blip =  __import__("modules.%s" % ( modname), globals(), locals(), [modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py", line 53, in <module>
    from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, pointer, sizeof
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
                                                           [  OK  ]

SETROUBLESHOOT shows:

SELinux is preventing /usr/bin/python from 'execute' accesses on the file 
/var/tmp/ffi9tKgC2 (deleted).

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed execute access on the ffi9tKgC2 
(deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                unconfined_u:object_r:cobbler_tmp_t:s0
Target Objects                /var/tmp/ffi9tKgC2 (deleted) [ file ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.6-29.el6_2.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-155.el6_3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fiat 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13
                              18:24:36 EDT 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 25 Jun 2012 09:17:11 AM EDT
Last Seen                     Mon 25 Jun 2012 09:17:11 AM EDT
Local ID                      0e7281c6-bac9-4508-86f0-37bcd3b981f3

Raw Audit Messages
type=AVC msg=audit(1340630231.422:38857): avc:  denied  { execute } for  
pid=3237 comm="cobblerd" 
path=2F7661722F746D702F66666939744B674332202864656C6574656429 dev=dm-0 
ino=1443260 scontext=unconfined_u:system_r:cobblerd_t:s0 
tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1340630231.422:38857): arch=x86_64 syscall=mmap 
success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=3236 pid=3237 auid=0 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 
comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 
key=(null)

Hash: cobblerd,cobblerd_t,cobbler_tmp_t,file,execute

audit2allow

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;

audit2allow -R

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;

and

SELinux is preventing /usr/bin/python from 'search' accesses on the directory 
/dev/shm/ffiJ5MZtf.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/dev/shm/ffiJ5MZtf default label should be device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/shm/ffiJ5MZtf

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that python should be allowed search access on the ffiJ5MZtf 
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/ffiJ5MZtf [ dir ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.6-29.el6_2.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-155.el6_3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13
                              18:24:36 EDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 25 Jun 2012 09:17:11 AM EDT
Last Seen                     Mon 25 Jun 2012 09:17:11 AM EDT
Local ID                      69c30a55-bcf2-4d0e-b97e-acbc91c0e3b7

Raw Audit Messages
type=AVC msg=audit(1340630231.422:38858): avc:  denied  { search } for  
pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 
scontext=unconfined_u:system_r:cobblerd_t:s0 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir


type=AVC msg=audit(1340630231.422:38858): avc:  denied  { search } for  
pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 
scontext=unconfined_u:system_r:cobblerd_t:s0 
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1340630231.422:38858): arch=x86_64 syscall=open 
success=no exit=EACCES a0=7fff4eaa8310 a1=c2 a2=180 a3=1 items=4 ppid=3236 
pid=3237 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python 
subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

type=CWD msg=audit(1340630231.422:38858): cwd=/

type=PATH msg=audit(1340630231.422:38858): item=0 name=/dev/shm/ffiJ5MZtf

type=PATH msg=audit(1340630231.422:38858): item=1 name=(null) inode=5440 
dev=00:10 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

type=PATH msg=audit(1340630231.422:38858): item=2 name=/dev/shm/ffiJ5MZtf

type=PATH msg=audit(1340630231.422:38858): item=3 name=(null) inode=5440 
dev=00:10 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

Hash: cobblerd,cobblerd_t,tmpfs_t,dir,search

audit2allow

#============= cobblerd_t ==============
allow cobblerd_t tmpfs_t:dir search;

audit2allow -R

#============= cobblerd_t ==============
allow cobblerd_t tmpfs_t:dir search;


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Stuart J. Newman
Engineer 4; Systems
Solar Dynamics Observatory (SDO)

Honeywell Technology Solutions Inc

NASA/Goddard Space Flight Center
Building 14, Room E222
Mail Stop 428.2
Greenbelt, MD 20771

Office: (301) 286-5145
EMail: stuart.j.new...@nasa.gov



_______________________________________________
cobbler mailing list
cobbler@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler
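
Added example, not part of the original message: a small Python parser for the two AVC records quoted in the report. It decodes the hex-encoded path= field and derives the same allow rules that audit2allow printed; the function names and the set of hex-decoded fields are assumptions of this example.

```python
import re

# Constructed input: the two AVC records from the report, e-mail wrapping undone.
SAMPLE = [
    'type=AVC msg=audit(1340630231.422:38857): avc:  denied  { execute } for  '
    'pid=3237 comm="cobblerd" '
    'path=2F7661722F746D702F66666939744B674332202864656C6574656429 dev=dm-0 '
    'ino=1443260 scontext=unconfined_u:system_r:cobblerd_t:s0 '
    'tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1340630231.422:38858): avc:  denied  { search } for  '
    'pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 '
    'scontext=unconfined_u:system_r:cobblerd_t:s0 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Assumption of this example: only these string fields are hex-decoded, so
# that numeric values such as pid=3237 are never mistaken for hex.
ENCODED_FIELDS = {'path', 'name', 'comm', 'exe'}


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group(1).split()}
    for key, raw in FIELD_RE.findall(m.group(2)):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]                      # quoted: literal string
        elif key in ENCODED_FIELDS and HEX_RE.fullmatch(raw):
            rec[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            rec[key] = raw
    return rec


def allow_rules(lines):
    """Reduce denials to unique 'allow source target:class perms;' rules."""
    rules = []
    for rec in filter(None, map(parse_avc, lines)):
        src, tgt = (rec[k].split(':')[2] for k in ('scontext', 'tcontext'))
        perms = rec['perms'][0] if len(rec['perms']) == 1 else '{ %s }' % ' '.join(rec['perms'])
        rule = 'allow %s %s:%s %s;' % (src, tgt, rec['tclass'], perms)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == '__main__':
    print(parse_avc(SAMPLE[0])['path'])
    print('\n'.join(allow_rules(SAMPLE)))
```

The decoded path shows that the denied object is an already-deleted temporary file, a detail the hex-encoded record hides and one worth weighing before loading a module that grants execute on every cobbler_tmp_t file.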