Hi,
I'm trying to get cobbler working with selinux.
Environment:
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)
# rpm -qv cobbler
cobbler-2.2.2-1.el6.noarch
# rpm -qv selinux-policy-targeted
selinux-policy-targeted-3.7.19-126.el6_2.10.noarch
# rpm -qv policycoreutils-python
policycoreutils-python-2.0.83-19.21.el6_2.x86_64
The cobbler rpm came from the stable branch of EPEL; all other
packages are the latest official Red Hat ones.
First cobbler check...
I ran cobbler check in permissive mode and ended up with the following module:
module local 1.0;

require {
    type security_t;
    type var_lock_t;
    type semanage_store_t;
    type cobblerd_t;
    type default_context_t;
    type proc_net_t;
    type file_context_t;
    type semanage_read_lock_t;
    class capability { net_admin net_raw };
    class netlink_audit_socket create;
    class dir { read write search };
    class file { getattr read lock open };
    class rawip_socket { getopt create };
}

allow cobblerd_t security_t:dir read;
allow cobblerd_t default_context_t:dir search;
allow cobblerd_t file_context_t:dir search;
allow cobblerd_t proc_net_t:file { read getattr open };
allow cobblerd_t self:capability { net_admin net_raw };
allow cobblerd_t self:netlink_audit_socket create;
allow cobblerd_t self:rawip_socket { getopt create };
allow cobblerd_t semanage_read_lock_t:file { read lock open };
allow cobblerd_t semanage_store_t:dir { read write search };
allow cobblerd_t semanage_store_t:file { read getattr open };
allow cobblerd_t var_lock_t:dir search;
allow cobblerd_t var_lock_t:file getattr;
Installing this module makes the various AVCs during cobbler check
disappear. However, cobbler.log still contains some errors:
Fri May 18 14:44:12 2012 - DEBUG | REMOTE CLI Authorized; user(?)
Fri May 18 14:44:12 2012 - INFO | check
Fri May 18 14:44:12 2012 - INFO | running: /usr/sbin/getsebool -a
Fri May 18 14:44:12 2012 - INFO | received on stdout:
Fri May 18 14:44:12 2012 - DEBUG | received on stderr:
Fri May 18 14:44:12 2012 - INFO | running: /usr/sbin/semanage fcontext -l | grep public_content_t
Fri May 18 14:44:12 2012 - INFO | received on stdout:
Fri May 18 14:44:12 2012 - DEBUG | received on stderr: /bin/sh: /usr/sbin/semanage: Permission denied
Fri May 18 14:44:12 2012 - INFO | running: /usr/sbin/semanage fcontext -l | grep httpd_sys_content_rw_t
Fri May 18 14:44:12 2012 - INFO | received on stdout:
Fri May 18 14:44:12 2012 - DEBUG | received on stderr: /bin/sh: /usr/sbin/semanage: Permission denied
Fri May 18 14:44:12 2012 - INFO | running: httpd -v
Fri May 18 14:44:12 2012 - INFO | received on stdout:
Fri May 18 14:44:12 2012 - DEBUG | received on stderr: /bin/sh: httpd: command not found
Fri May 18 14:44:12 2012 - DEBUG | get_items; ['repo']
Fri May 18 14:44:12 2012 - DEBUG | done with get_items; ['repo']
Fri May 18 14:44:12 2012 - DEBUG | get_items; ['profile']
Fri May 18 14:44:12 2012 - DEBUG | done with get_items; ['profile']
It seems that cobbler is not able to execute the various binary tools
that it wants to execute when selinux is set to enforcing. In
permissive mode, everything works flawlessly.
Admitting that I'm a noob with both cobbler and selinux, what could I
do to make this setup work?
--
Zizi
"...at your company there is a great deal of the past..."
_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler
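A worked example added here, not part of the post above or of the cobbler project: the module in the post was built from the AVCs logged in permissive mode, yet in enforcing mode /usr/sbin/semanage is still refused. One common reason is that the missing permission is covered by a dontaudit rule, so it never reaches audit.log and audit2allow never sees it; the check is `semodule -DB` (rebuild with dontaudit rules disabled), run `cobbler check` again, then `ausearch -m avc -ts recent | audit2allow -M cobbler_local`, and `semodule -B` afterwards to restore the dontaudits. The script below does the audit2allow part offline on constructed AVC records so the shape of the missing rules is visible, and diffs them against an excerpt of the posted module to show which denials it already covers. The AVC lines, PIDs and inodes are constructed; cobblerd_t and semanage_exec_t are assumed to be the RHEL 6 targeted-policy type names for cobblerd and /usr/sbin/semanage.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the original post). PIDs, inodes
# and timestamps are made up; cobblerd_t / semanage_exec_t are assumed type names.
SAMPLE_AVCS = """\
type=AVC msg=audit(1337345052.401:812): avc:  denied  { execute } for  pid=2190 comm="sh" name="semanage" dev=dm-0 ino=393497 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:semanage_exec_t:s0 tclass=file
type=AVC msg=audit(1337345052.401:813): avc:  denied  { read open } for  pid=2190 comm="sh" path="/usr/sbin/semanage" dev=dm-0 ino=393497 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:semanage_exec_t:s0 tclass=file
type=AVC msg=audit(1337345052.402:814): avc:  denied  { execute_no_trans } for  pid=2190 comm="sh" path="/usr/sbin/semanage" dev=dm-0 ino=393497 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:semanage_exec_t:s0 tclass=file
type=AVC msg=audit(1337345052.410:815): avc:  denied  { net_admin } for  pid=2188 comm="cobblerd" capability=12 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:system_r:cobblerd_t:s0 tclass=capability
type=SYSCALL msg=audit(1337345052.401:812): arch=c000003e syscall=59 success=no exit=-13 comm="sh"
"""

# Excerpt of the module posted above, to show which denials it already allows.
EXISTING_MODULE = """\
allow cobblerd_t self:capability { net_admin net_raw };
allow cobblerd_t semanage_store_t:file { read getattr open };
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)')
ALLOW_RE = re.compile(r'^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;', re.M)


def parse_avc(line):
    """Return {stype, ttype, tclass, perms} for an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    return {'stype': m.group('scon').split(':')[2],
            'ttype': m.group('tcon').split(':')[2],
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split())}


def collect_rules(lines):
    """Merge denials into {(source type, target type, class): set(permissions)}."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return rules


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_module(lines, name='cobbler_local', version='1.0'):
    """Emit a .te policy module (require block plus allow rules) like audit2allow would."""
    rules = collect_rules(lines)
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s %s;' % (c, fmt_perms(classes[c])) for c in sorted(classes)]
    out += ['}', '']
    for stype, ttype, tclass in sorted(rules):
        target = 'self' if stype == ttype else ttype   # same convention as audit2allow
        out.append('allow %s %s:%s %s;' % (stype, target, tclass,
                                           fmt_perms(rules[(stype, ttype, tclass)])))
    return '\n'.join(out) + '\n'


def parse_allows(te_text):
    """Read the allow rules of an existing .te module into the same keyed form."""
    allowed = defaultdict(set)
    for stype, ttype, tclass, perms in ALLOW_RE.findall(te_text):
        ttype = stype if ttype == 'self' else ttype
        allowed[(stype, ttype, tclass)] |= set(perms.strip('{} ').split())
    return allowed


def uncovered(te_text, lines):
    """Denials (keyed as above) that the existing module does not already allow."""
    have = parse_allows(te_text)
    need = collect_rules(lines)
    return {k: v - have.get(k, set()) for k, v in need.items() if v - have.get(k, set())}


if __name__ == '__main__':
    avcs = SAMPLE_AVCS.splitlines()
    print(build_module(avcs))
    for key, perms in sorted(uncovered(EXISTING_MODULE, avcs).items()):
        print('missing: allow %s %s:%s %s;' % (key[0], key[1], key[2], fmt_perms(perms)))
```

On the sample input the posted module already covers the capability denial, and the only missing rule is the one for executing semanage_exec_t. Note what that rule means before installing it: `execute_no_trans` keeps semanage running inside cobblerd_t, so cobblerd (and anything that compromises it) gains the right to read and run the policy management tool in its own domain, and the semanage_store_t rules in the posted module widen that further. The refpolicy interface `semanage_domtrans(cobblerd_t)` in a module built with the policy development headers transitions the child into semanage_t instead, which is the narrower choice if the goal is only to let `cobbler check` run the command.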