[Spacewalk-list] Create KS Distribution Error

Philipp Wehling philipp.wehling at megatel.de
Thu Feb 11 11:34:46 UTC 2016


Hello, 

here is the output with setenforce 1:

type=AVC msg=audit(1455190264.543:440): avc: denied { write } for pid=4095 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file 

and the output with setenforce 0:

type=AVC msg=audit(1455190320.135:442): avc: denied { write } for pid=4158 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file 

Please see the folder structure: 

# ll /mnt/distros/ 
total 18 
dr-xr-xr-x. 7 root root 4096 Aug 4 2015 CentOS6-x86_64 
dr-xr-xr-x. 8 root root 2048 Dec 10 00:03 CentOS7-x86_64 
drwxr-xr-x. 9 root root 4096 Nov 26 02:19 OracleLinux7-x86_64 
drwxr-xr-x. 7 root root 4096 Aug 17 20:56 SL6-x86_64 
drwxrwxr-x. 8 root root 4096 Apr 6 2015 SL7-x86_64 

All other Distributions work properly. 

I tried your solution with a test_tree-Folder but without success. 

Here is the output of journalctl: 

Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]: Plugin Exception restorecon_source 
Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]: SELinux is preventing /usr/bin/python2.7 from write access on the file grub.cfg. For complete SELinux messages. run sealert -l c 
Feb 11 12:32:01 spacewalk.ohb-system.de python[4161]: SELinux is preventing /usr/bin/python2.7 from write access on the file grub.cfg. 

***** Plugin catchall (100. confidence) suggests ************************** 

If you believe that python2.7 should be allowed write access on the grub.cfg file by default. 
Then you should report this as a bug. 
You can generate a local policy module to allow this access. 
Do 
allow this access for now by executing: 
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol 
# semodule -i mypol.pp 

kind regards, 

Philipp 
----- Original Message -----

From: "Jan Hutař" <jhutar at redhat.com> 
To: spacewalk-list at redhat.com 
Cc: "Philipp Wehling" <philipp.wehling at megatel.de> 
Sent: Thursday, February 11, 2016 6:25:36 AM 
Subject: Re: [Spacewalk-list] Create KS Distribution Error 

On Tue, 2 Feb 2016 14:47:12 +0100 (CET) Philipp Wehling 
<philipp.wehling at megatel.de> wrote: 

> Hello, 
> 
> I want to create a KS-Distribution for OracleLinux, but I get 
> this error: 
> 
> Exception: 
> javax.servlet.ServletException: java.lang.RuntimeException: 
> redstone.xmlrpc.XmlRpcFault: <type 'exceptions.IOError'>: 
> [Errno 13] Permission denied: 
> '/var/lib/tftpboot/aarch64/grub.cfg' 
> 
> 
> Here are the permissions of this file: 
> 
> # ll /var/lib/tftpboot/aarch64/grub.cfg 
> -rw-r--r--. 1 root root 17 Jan 15 11:07 /var/lib/tftpboot/aarch64/grub.cfg 
> 
> # ls -Z /var/lib/tftpboot/aarch64/grub.cfg 
> -rw-r--r--. root root system_u:object_r:public_content_t:s0 /var/lib/tftpboot/aarch64/grub.cfg 

I believe Apache needs read permissions to the location from 
where you are importing. Can you try to put it to, 
say, /var/satellite/mine_ks_trees and make sure "apache" user 
can read it and SELinux is set with `restorecon 
-vR /var/satellite/mine_ks_trees`? Also 
`tail /var/log/audit/audit.log | grep AVC` to see any AVCs. 

> I think it is related to SELinux, but I don't want to turn it 
> off. Can anyone help me? 

To test if it is related, just turn it off temporarily 
(`setenforce 0` and once you are done with testing `setenforce 
1` and verify with `getenforce`). 

> kind regards, 
> 
> Philipp 

Thank you in advance, 
Jan 



-- 
Jan Hutar Systems Management QA 
jhutar at redhat.com Red Hat, Inc. 
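
Added example, not part of the original messages: a small shell/awk helper that condenses AVC records like the two quoted above into one line per distinct denial (source domain, target type, class, permission, file name), so the actual policy question is visible before any `audit2allow` module is generated. The function names and the SYSCALL line in the sample are constructed for illustration; the two AVC lines are copied from the message.

```shell
#!/bin/sh
# Summarize SELinux AVC denials: group records by
# (source domain, target type, class, permissions, file name) and count them.

# Sample input: the two AVC records from the message, plus one constructed
# SYSCALL record to show that non-AVC audit types are skipped.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1455190264.543:440): avc: denied { write } for pid=4095 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
type=SYSCALL msg=audit(1455190264.543:440): arch=c000003e syscall=2 success=no exit=-13 comm="cobblerd"
type=AVC msg=audit(1455190320.135:442): avc: denied { write } for pid=4158 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
EOF
}

# Reads audit log lines on stdin, prints "<count> <src> -> <tgt> <class> {perms} name=<file>".
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perms = ""; src = ""; tgt = ""; cls = ""; name = "-"
        # The denied permissions sit between the first "{" and "}".
        a = index($0, "{"); b = index($0, "}")
        if (a > 0 && b > a) {
            perms = substr($0, a + 1, b - a - 1)
            gsub(/^ +| +$/, "", perms)   # trim padding
            gsub(/ +/, ",", perms)       # "read write" becomes "read,write"
        }
        # Remaining fields are key=value pairs separated by spaces.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            # SELinux contexts are user:role:type:level; the type is field 3.
            if (key == "scontext") { split(val, c, ":"); src = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
            else if (key == "tclass") cls = val
            else if (key == "name") { gsub(/"/, "", val); name = val }
        }
        seen[src " -> " tgt " " cls " {" perms "} name=" name]++
    }
    END { for (k in seen) print seen[k] " " k }
    ' | sort
}

sample_log | avc_summary
```

On a live system the same function can be fed the real log with `avc_summary < /var/log/audit/audit.log` (run as root).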
