[Spacewalk-list] Create KS Distribution Error

Jan Hutař jhutar at redhat.com
Thu Feb 11 12:44:30 UTC 2016


On Thu, 11 Feb 2016 12:34:46 +0100 (CET) Philipp Wehling
<philipp.wehling at megatel.de> wrote:

> Hello, 
> 
> here the output with setenforce 1 
> 
> type=AVC msg=audit(1455190264.543:440): avc: denied { write }
> for pid=4095 comm="cobblerd" name="grub.cfg" dev="dm-3"
> ino=5509188 scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:public_content_t:s0 tclass=file 
> 
> and the output with setenforce 0 
> 
> type=AVC msg=audit(1455190320.135:442): avc: denied { write }
> for pid=4158 comm="cobblerd" name="grub.cfg" dev="dm-3"
> ino=5509188 scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:public_content_t:s0 tclass=file 

Yep, the message will be there even in permissive mode, but did
it work?

That AVC complains that SELinux denied write to the file with inode
5509188. Find it with:

  # find / -mount -inum 5509188

and then check SELinux context of it, its containing folder and
so on. Also please try to run `restorecon -vR directory` on the
containing directory and test again.

Regards,
Jan



> Please see the folder structure: 
> 
> 
> 
> # ll /mnt/distros/ 
> total 18 
> dr-xr-xr-x. 7 root root 4096 Aug 4 2015 CentOS6-x86_64 
> dr-xr-xr-x. 8 root root 2048 Dec 10 00:03 CentOS7-x86_64 
> drwxr-xr-x. 9 root root 4096 Nov 26 02:19 OracleLinux7-x86_64 
> drwxr-xr-x. 7 root root 4096 Aug 17 20:56 SL6-x86_64 
> drwxrwxr-x. 8 root root 4096 Apr 6 2015 SL7-x86_64 
> 
> 
> 
> 
> All other Distributions work properly. 
> 
> 
> 
> 
> I tried your solution with a test_tree-Folder but without
> success. 
> 
> 
> 
> 
> Here is the output of journalctl: 
> 
> 
> 
> 
> Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]: Plugin Exception restorecon_source
> Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]: SELinux is preventing /usr/bin/python2.7 from write access on the file grub.cfg. For complete SELinux messages. run sealert -l c
> Feb 11 12:32:01 spacewalk.ohb-system.de python[4161]: SELinux is preventing /usr/bin/python2.7 from write access on the file grub.cfg.
> 
> ***** Plugin catchall (100. confidence) suggests **************************
> 
> If you believe that python2.7 should be allowed write access on the grub.cfg file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> 
> 
> 
> 
> 
> 
> 
> kind regards, 
> 
> Philipp 
> ----- Original Message -----
> 
> From: "Jan Hutař" <jhutar at redhat.com> 
> To: spacewalk-list at redhat.com 
> Cc: "Philipp Wehling" <philipp.wehling at megatel.de> 
> Sent: Thursday, February 11, 2016 6:25:36 AM 
> Subject: Re: [Spacewalk-list] Create KS Distribution Error 
> 
> On Tue, 2 Feb 2016 14:47:12 +0100 (CET) Philipp Wehling 
> <philipp.wehling at megatel.de> wrote: 
> 
> > Hello, 
> > 
> > I want to create a KS-Distribution for OracleLinux, but I
> > get this error: 
> > 
> > Exception: 
> > javax.servlet.ServletException: java.lang.RuntimeException: 
> > redstone.xmlrpc.XmlRpcFault: <type 'exceptions.IOError'>: 
> > [Errno 13] Permission denied: 
> > '/var/lib/tftpboot/aarch64/grub.cfg' 
> > 
> > 
> > 
> > Here are the permissions of this file: 
> > 
> > 
> > 
> > # ll /var/lib/tftpboot/aarch64/grub.cfg 
> > -rw-r--r--. 1 root root 17 Jan 15 11:07 /var/lib/tftpboot/aarch64/grub.cfg 
> > 
> > # ls -Z /var/lib/tftpboot/aarch64/grub.cfg 
> > -rw-r--r--. root root system_u:object_r:public_content_t:s0 /var/lib/tftpboot/aarch64/grub.cfg 
> 
> I believe Apache needs read permissions to the location from 
> where you are importing. Can you try to put it to, 
> say, /var/satellite/mine_ks_trees and make sure "apache" user 
> can read it and SELinux is set with `restorecon 
> -vR /var/satellite/mine_ks_trees`? Also 
> `tail /var/log/audit/audit.log | grep AVC` to see any AVCs. 
> 
> > I think it is related to SELinux, but I don't want to turn it 
> > off. Can anyone help me? 
> 
> To test if it is related, just turn it off temporarily 
> (`setenforce 0` and once you are done with testing `setenforce 
> 1` and verify with `getenforce`). 
> 
> > kind regards, 
> > 
> > Philipp 
> 
> Thank you in advance, 
> Jan 
> 
> 
> 
> -- 
> Jan Hutar Systems Management QA 
> jhutar at redhat.com Red Hat, Inc. 
> 


-- 
Jan Hutar     Systems Management QA
jhutar at redhat.com     Red Hat, Inc.
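
The AVC triage described in the reply above, as an added example that is not part of the original thread: it parses the two denial records quoted there, groups identical denials, and builds the inode lookup command. The function names are hypothetical, and the optional `permissive=` field is an assumption about newer kernels' AVC output; the records in this thread do not carry it.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# The two AVC records quoted in the thread, each re-joined onto one line.
SAMPLE = """\
type=AVC msg=audit(1455190264.543:440): avc: denied { write } for pid=4095 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=AVC msg=audit(1455190320.135:442): avc: denied { write } for pid=4158 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r'type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    epoch, serial, perms, rest = m.groups()
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {
        "time": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        "serial": int(serial),
        "perms": tuple(perms.split()),
        # Contexts are user:role:type:level; the type is what policy matches on.
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f.get("tclass"),
        "comm": f.get("comm"), "name": f.get("name"), "dev": f.get("dev"),
        "ino": int(f["ino"]) if "ino" in f else None,
        "permissive": f.get("permissive"),  # absent in this thread's records
    }

def summarize(text):
    """Group denials that differ only in pid/time, e.g. repeated attempts."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], rec["perms"], rec["ino"])
            groups[key].append(rec)
    return dict(groups)

def find_command(ino):
    """Inode numbers are per filesystem; -mount keeps find on the one holding /."""
    return "find / -mount -inum %d" % ino

if __name__ == "__main__":
    for (src, tgt, cls, perms, ino), recs in summarize(SAMPLE).items():
        print("%s -> %s (%s) {%s} x%d" % (src, tgt, cls, " ".join(perms), len(recs)))
        print("  locate with:", find_command(ino))
```
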