[Spacewalk-list] Create KS Distribution Error
Philipp Wehling
philipp.wehling at megatel.de
Thu Feb 11 11:34:46 UTC 2016
Hello,
here the output with setenforce 1
type=AVC msg=audit(1455190264.543:440): avc: denied { write } for pid=4095 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
and the output with setenforce 0
type=AVC msg=audit(1455190320.135:442): avc: denied { write } for pid=4158 comm="cobblerd" name="grub.cfg" dev="dm-3" ino=5509188 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
Please see the folder structure:
# ll /mnt/distros/
total 18
dr-xr-xr-x. 7 root root 4096 Aug 4 2015 CentOS6-x86_64
dr-xr-xr-x. 8 root root 2048 Dec 10 00:03 CentOS7-x86_64
drwxr-xr-x. 9 root root 4096 Nov 26 02:19 OracleLinux7-x86_64
drwxr-xr-x. 7 root root 4096 Aug 17 20:56 SL6-x86_64
drwxrwxr-x. 8 root root 4096 Apr 6 2015 SL7-x86_64
All other Distributions work properly.
I tried your solution with a test_tree-Folder but without success.
Here is the output of journalctl:
Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]: Plugin Exception restorecon_source
Feb 11 12:32:01 spacewalk.ohb-system.de setroubleshoot[4161]: SELinux is preventing /usr/bin/python2.7 from write access on the file grub.cfg. For complete SELinux messages. run sealert -l c
Feb 11 12:32:01 spacewalk.ohb-system.de python[4161]: SELinux is preventing /usr/bin/python2.7 from write access on the file grub.cfg.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed write access on the grub.cfg file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
kind regards,
Philipp
----- Original Message -----
From: "Jan Hutař" <jhutar at redhat.com>
To: spacewalk-list at redhat.com
Cc: "Philipp Wehling" <philipp.wehling at megatel.de>
Sent: Thursday, February 11, 2016 6:25:36 AM
Subject: Re: [Spacewalk-list] Create KS Distribution Error
On Tue, 2 Feb 2016 14:47:12 +0100 (CET) Philipp Wehling
<philipp.wehling at megatel.de> wrote:
> Hello,
>
> I want to create an KS-Distribution for OracleLinux, but I get
> this error:
>
> Exception:
> javax.servlet.ServletException: java.lang.RuntimeException:
> redstone.xmlrpc.XmlRpcFault: <type 'exceptions.IOError'>:
> [Errno 13] Permission denied:
> '/var/lib/tftpboot/aarch64/grub.cfg'
>
>
>
> Here are the permissions of this file:
>
>
>
> # ll /var/lib/tftpboot/aarch64/grub.cfg
> -rw-r--r--. 1 root root 17 Jan 15
> 11:07 /var/lib/tftpboot/aarch64/grub.cfg
>
> # ls -Z /var/lib/tftpboot/aarch64/grub.cfg
> -rw-r--r--. root root
> system_u:object_r:public_content_t:s0 /var/lib/tftpboot/aarch64/grub.cfg
I believe Apache needs read permissions to the location from
where you are importing. Can you try to put it to,
say, /var/satellite/mine_ks_trees and make sure "apache" user
can read it and SELinux is set with `restorecon
-vR /var/satellite/mine_ks_trees`? Also
`tail /var/log/audit/audit.log | grep AVC` to see any AVCs.
> I think it is related to SELinux, but I dont want to turn it
> off. Can anyone help me?
To test if it is related, just turn it off temporarily
(`setenforce 0` and once you are done with testing `setenforce
1` and verify with `getenforce`).
> kind regards,
>
> Philipp
Thank you in advance,
Jan
--
Jan Hutar Systems Management QA
jhutar at redhat.com Red Hat, Inc.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20160211/5bc82277/attachment.htm>
More information about the Spacewalk-list
mailing list