[Spacewalk-list] Problem starting cobbler in CentOS 6.3

Thu Aug 9 13:15:13 UTC 2012

Hi all,

This is what I've been getting when trying to start cobbler in CentOS 6.3:

[root]# /etc/init.d/cobblerd start
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py",
line 62, in load_modules
    blip =  __import__("modules.%s" % ( modname), globals(), locals(),
[modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py",
line 53, in <module>
    from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast,
pointer, sizeof
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
                                                           [  OK  ]

[root]# /etc/init.d/cobblerd status
cobblerd dead but subsys locked

Looking for errors in SELinux, I found this:

--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/python from search access on the
directory /dev/shm.

*****  Plugin catchall (100. confidence) suggests  ***************************
If you believe that python should be allowed search access on the shm
directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/python from execute access on the file
/tmp/ffiS9Yrsn (deleted).

*****  Plugin catchall (100. confidence) suggests  ***************************
If you believe that python should be allowed execute access on the
ffiS9Yrsn (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
--------------------------------------------------------------------------------

I then put selinux in permissive mode and cobbler worked like a charm:

[root]# /etc/init.d/cobblerd restart
Stopping cobbler daemon:                                   [  OK  ]
Starting cobbler daemon:                                   [  OK  ]

Searching the net for the problem, i found this thread:
http://www.mail-archive.com/cobbler@lists.fedorahosted.org/msg07650.html.

Seems the trouble comes with cobbler package 2.2.3 and not with
previous versions.

The workaround given in the thread is to:

1.- Do the audit2allow thing: grep cobblerd /var/log/audit/audit.log |
audit2allow -M mypol && semodule -i mypol.pp

2.- Move (or remove) these files:
/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py
/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.pyc
/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.pyo

And so I did and now cobbler starts fine with SELinux in enforcing mode.

I am posting all this in case someone have the same problem, and to
ask a couple of questions about the workaround:

- does the 'audit2allow' thing survive a reboot?, is is something safe to do?
- I understand the deleted files (authn_pam) relate to pam and since
I'm not using it on spacewalk there is no problem removing them,
right?

Cheers!
Fred.

“Free software” is a matter of liberty, not price. To understand the
concept, you should think of “free” as in “free speech”, not as in
“free beer”.

Free software is a matter of the users' freedom to run, copy,
distribute, study, change and improve the software.