[Spacewalk-list] Create KS Distribution Error
Jan Hutař
jhutar at redhat.com
Thu Feb 11 12:44:30 UTC 2016
On Thu, 11 Feb 2016 12:34:46 +0100 (CET) Philipp Wehling
<philipp.wehling at megatel.de> wrote:
> Hello,
>
> here the output with setenforce 1
>
> type=AVC msg=audit(1455190264.543:440): avc: denied { write }
> for pid=4095 comm="cobblerd" name="grub.cfg" dev="dm-3"
> ino=5509188 scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:public_content_t:s0 tclass=file
>
> and the output with setenforce 0
>
> type=AVC msg=audit(1455190320.135:442): avc: denied { write }
> for pid=4158 comm="cobblerd" name="grub.cfg" dev="dm-3"
> ino=5509188 scontext=system_u:system_r:cobblerd_t:s0
> tcontext=system_u:object_r:public_content_t:s0 tclass=file
Yep, the message will be there even in the permissive, but did
it worked?
That AVC complains that SELinux denied write to file with inode
5509188. Find it with:
# find / -mount -inum 5509188
and then check SELinux context of it, its containing folder and
so on. Also please try to run `restorecon -vR directory` on the
containing directory and test again.
Regards,
Jan
> Please see the folder structure:
>
>
>
> # ll /mnt/distros/
> total 18
> dr-xr-xr-x. 7 root root 4096 Aug 4 2015 CentOS6-x86_64
> dr-xr-xr-x. 8 root root 2048 Dec 10 00:03 CentOS7-x86_64
> drwxr-xr-x. 9 root root 4096 Nov 26 02:19 OracleLinux7-x86_64
> drwxr-xr-x. 7 root root 4096 Aug 17 20:56 SL6-x86_64
> drwxrwxr-x. 8 root root 4096 Apr 6 2015 SL7-x86_64
>
>
>
>
> All other Distributions work properly.
>
>
>
>
> I tried your solution with a test_tree-Folder but without
> success.
>
>
>
>
> Here is the output of journalctl:
>
>
>
>
> Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]:
> Plugin Exception restorecon_source Feb 11 12:32:01
> spacewalk.ohb-system.de setroubleshoot[4161]: SELinux is
> preventing /usr/bin/python2.7 from write access on the file
> grub.cfg. For complete SELinux messages. run sealert -l c Feb
> 11 12:32:01 spacewalk.ohb-system.de python[4161]: SELinux is
> preventing /usr/bin/python2.7 from write access on the file
> grub.cfg.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that python2.7 should be allowed write access
> on the grub.cfg file by default. Then you should report this
> as a bug. You can generate a local policy module to allow this
> access. Do
> allow this access for now by executing:
> # grep cobblerd /var/log/audit/audit.log | audit2allow -M
> # mypol semodule -i mypol.pp
>
>
>
>
>
>
>
> kind regards,
>
> Philipp
> ----- Original Message -----
>
> From: "Jan Hutař" <jhutar at redhat.com>
> To: spacewalk-list at redhat.com
> Cc: "Philipp Wehling" <philipp.wehling at megatel.de>
> Sent: Thursday, February 11, 2016 6:25:36 AM
> Subject: Re: [Spacewalk-list] Create KS Distribution Error
>
> On Tue, 2 Feb 2016 14:47:12 +0100 (CET) Philipp Wehling
> <philipp.wehling at megatel.de> wrote:
>
> > Hello,
> >
> > I want to create an KS-Distribution for OracleLinux, but I
> > get this error:
> >
> > Exception:
> > javax.servlet.ServletException: java.lang.RuntimeException:
> > redstone.xmlrpc.XmlRpcFault: <type 'exceptions.IOError'>:
> > [Errno 13] Permission denied:
> > '/var/lib/tftpboot/aarch64/grub.cfg'
> >
> >
> >
> > Here are the permissions of this file:
> >
> >
> >
> > # ll /var/lib/tftpboot/aarch64/grub.cfg
> > -rw-r--r--. 1 root root 17 Jan 15
> > 11:07 /var/lib/tftpboot/aarch64/grub.cfg
> >
> > # ls -Z /var/lib/tftpboot/aarch64/grub.cfg
> > -rw-r--r--. root root
> > system_u:object_r:public_content_t:s0 /var/lib/tftpboot/aarch64/grub.cfg
>
> I believe Apache needs read permissions to the location from
> where you are importing. Can you try to put it to,
> say, /var/satellite/mine_ks_trees and make sure "apache" user
> can read it and SELinux is set with `restorecon
> -vR /var/satellite/mine_ks_trees`? Also
> `tail /var/log/audit/audit.log | grep AVC` to see any AVCs.
>
> > I think it is related to SELinux, but I dont want to turn it
> > off. Can anyone help me?
>
> To test if it is related, just turn it off temporarily
> (`setenforce 0` and once you are done with testing `setenforce
> 1` and verify with `getenforce`).
>
> > kind regards,
> >
> > Philipp
>
> Thank you in advance,
> Jan
>
>
>
> --
> Jan Hutar Systems Management QA
> jhutar at redhat.com Red Hat, Inc.
>
--
Jan Hutar Systems Management QA
jhutar at redhat.com Red Hat, Inc.
More information about the Spacewalk-list
mailing list