SELinux implications of settings backup · Issue #3089 · cobbler/cobbler · GitHub
Open
opoplawski opened this issue May 4, 2022 · 2 comments
Labels
3.3.2 Release 3.3.2 Bug Report Reporting a bug

Comments

@opoplawski
Contributor

Describe the bug

When trying to write the settings backup file on Fedora/EL cobbler generates the following SELinux AVCs in permissive mode:

type=AVC msg=audit(1651628637.594:444): avc:  denied  { write } for  pid=27292 comm="cobblerd" name="cobbler" dev="dm-0" ino=713606 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651628637.595:445): avc:  denied  { add_name } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651628637.595:446): avc:  denied  { create } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651628637.595:447): avc:  denied  { write } for  pid=27292 comm="cobblerd" path="/etc/cobbler/settings_20220503_19-43-57.yaml" dev="dm-0" ino=658751 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651628637.595:448): avc:  denied  { setattr } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" dev="dm-0" ino=658751 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1

In general SELinux policies tend to prevent daemons from modifying their own config files. I can see the appeal of putting the backup in /etc/cobbler, but perhaps another location would be more correct.

Steps to reproduce

  1. Install cobbler
  2. setenforce 0
  3. systemctl start cobblerd

Expected behavior

No SELinux AVCs

Cobbler version

Cobbler 3.3.2
  source: fed0a69, Sat Mar 12 09:53:49 2022 -0700
  build time: Wed May  4 00:00:00 2022

Operating system

Fedora

Cobbler log

[Daemon] 2022-05-03T19:43:57 - INFO | running: ['/usr/sbin/selinuxenabled']
[Daemon] 2022-05-03T19:43:57 - INFO | received on stdout: 
[Daemon] 2022-05-03T19:43:57 - DEBUG | received on stderr: 
[Daemon] 2022-05-03T19:43:57 - INFO | Automigration NOT executed
[Daemon] 2022-05-03T19:43:57 - INFO | python3-hivex not found. If you need Automatic Windows Installation support, please install.
[Daemon] 2022-05-03T19:43:58 - INFO | 11 breeds and 131 OS versions read from the signature file
[Daemon] 2022-05-03T19:43:58 - DEBUG | API handle initialized
[Daemon] 2022-05-03T19:43:58 - DEBUG | XMLRPC running on 25151
[Daemon] 2022-05-03T19:43:58 - INFO | Cobbler startup completed  in 1.6342766284942627 seconds
[Thread-4 (process_request_thread)] 2022-05-03T19:53:53 - INFO | REMOTE version; user(?)
@opoplawski opoplawski added the Bug Report Reporting a bug label May 4, 2022
@opoplawski
Contributor Author

I also don't understand why settings.yml is being rewritten when both auto_migrate_settings and allow_dynamic_settings are false.

@SchoolGuy SchoolGuy moved this to Todo in Cobbler Server May 4, 2022
@SchoolGuy SchoolGuy added the 3.3.2 Release 3.3.2 label May 4, 2022
@SchoolGuy
Member

@opoplawski Which is the location you would like to put the backup in? Or rather which is the directory Fedora sees fit for such a thing?

In regard to your second question: We had a bug for this and it was fixed already - #2974
