cobbler / cobbler

Cobbler is a versatile Linux deployment server
https://cobbler.github.io
GNU General Public License v2.0

SELinux implications of settings backup #3089

Open opoplawski opened 2 years ago

opoplawski commented 2 years ago

Describe the bug

When trying to write the settings backup file on Fedora/EL cobbler generates the following SELinux AVCs in permissive mode:

type=AVC msg=audit(1651628637.594:444): avc:  denied  { write } for  pid=27292 comm="cobblerd" name="cobbler" dev="dm-0" ino=713606 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651628637.595:445): avc:  denied  { add_name } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651628637.595:446): avc:  denied  { create } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651628637.595:447): avc:  denied  { write } for  pid=27292 comm="cobblerd" path="/etc/cobbler/settings_20220503_19-43-57.yaml" dev="dm-0" ino=658751 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651628637.595:448): avc:  denied  { setattr } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" dev="dm-0" ino=658751 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1

In general SELinux policies tend to prevent daemons from modifying their own config files. I can see the appeal of putting the backup in /etc/cobbler, but perhaps another location would be more correct.

Steps to reproduce

  1. Install cobbler
  2. setenforce 0
  3. systemctl start cobblerd

Expected behavior

No SELinux AVCs

Cobbler version

Cobbler 3.3.2
  source: fed0a69, Sat Mar 12 09:53:49 2022 -0700
  build time: Wed May  4 00:00:00 2022

Operating system

Fedora

Cobbler log

[Daemon] 2022-05-03T19:43:57 - INFO | running: ['/usr/sbin/selinuxenabled']
[Daemon] 2022-05-03T19:43:57 - INFO | received on stdout: 
[Daemon] 2022-05-03T19:43:57 - DEBUG | received on stderr: 
[Daemon] 2022-05-03T19:43:57 - INFO | Automigration NOT executed
[Daemon] 2022-05-03T19:43:57 - INFO | python3-hivex not found. If you need Automatic Windows Installation support, please install.
[Daemon] 2022-05-03T19:43:58 - INFO | 11 breeds and 131 OS versions read from the signature file
[Daemon] 2022-05-03T19:43:58 - DEBUG | API handle initialized
[Daemon] 2022-05-03T19:43:58 - DEBUG | XMLRPC running on 25151
[Daemon] 2022-05-03T19:43:58 - INFO | Cobbler startup completed  in 1.6342766284942627 seconds
[Thread-4 (process_request_thread)] 2022-05-03T19:53:53 - INFO | REMOTE version; user(?)
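The five AVC records in the report share one pattern: the daemon domain (cobblerd_t) is writing into the type that labels its own configuration directory (cobbler_etc_t), which is exactly what the policy is designed to refuse. Before deciding whether to relocate the backup, relabel a directory, or extend the policy, it helps to reduce a set of raw denials to "which source domain wants which permissions on which target type and object class". The parser below is an added example for this thread, not part of Cobbler or of the report; it works offline on the records pasted above and flags any daemon domain that needs write-class permissions on an `*_etc_t` type. The regular expressions and the `flag_config_writes` heuristic are my own; the `_etc_t` suffix convention is an assumption about how the reference policy names configuration types.

```python
"""Summarise SELinux AVC denials and flag daemons that write to their own config type.

Added example for this issue; not Cobbler code. Input is the audit.log format
shown in the report (type=AVC msg=audit(...): avc: denied { perms } for k=v ...).
"""
import re
from collections import defaultdict

# The five records posted in the report above, one per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1651628637.594:444): avc:  denied  { write } for  pid=27292 comm="cobblerd" name="cobbler" dev="dm-0" ino=713606 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651628637.595:445): avc:  denied  { add_name } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1651628637.595:446): avc:  denied  { create } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651628637.595:447): avc:  denied  { write } for  pid=27292 comm="cobblerd" path="/etc/cobbler/settings_20220503_19-43-57.yaml" dev="dm-0" ino=658751 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1651628637.595:448): avc:  denied  { setattr } for  pid=27292 comm="cobblerd" name="settings_20220503_19-43-57.yaml" dev="dm-0" ino=658751 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:cobbler_etc_t:s0 tclass=file permissive=1
"""

# Header of an AVC record: timestamp, serial, result and the brace-delimited permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that change a file or directory (assumption: a reasonable "write class" list).
WRITE_PERMS = {"write", "append", "create", "add_name", "remove_name",
               "setattr", "unlink", "rename"}


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m["ts"]),
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def type_of(context):
    """Return the type field (third component) of an SELinux context string."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials by (comm, source type, target type, class) -> perms and object names."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec.get("comm", "?"), type_of(rec["scontext"]),
               type_of(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        target = rec.get("path") or rec.get("name")
        if target:
            groups[key]["targets"].add(target)
    return {k: {"perms": sorted(v["perms"]), "targets": sorted(v["targets"])}
            for k, v in groups.items()}


def flag_config_writes(summary):
    """Keys where a domain needs write-class access to a *_etc_t (configuration) type."""
    return sorted(k for k, v in summary.items()
                  if k[2].endswith("_etc_t") and WRITE_PERMS & set(v["perms"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVCS.splitlines())
    for key, info in summary.items():
        print(key, info)
    for key in flag_config_writes(summary):
        print("config-type write by daemon:", key)
```

On a live system the same function can be fed the output of `ausearch -m avc -ts recent`. The point of grouping by target type rather than by path is that the fix is chosen per type: a backup directory labelled with a writable type (or a location outside the configuration tree) removes every denial in the `cobbler_etc_t` group at once, whereas allowing the individual permissions with audit2allow would grant the daemon write access to all of its own configuration.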

opoplawski commented 2 years ago

I also don't understand why settings.yml is being rewritten when both auto_migrate_settings and allow_dynamic_settings are false.

SchoolGuy commented 2 years ago

@opoplawski Which is the location you would like to put the backup in? Or rather which is the directory Fedora sees fit for such a thing?

In regard to your second question: We had a bug for this and it was fixed already - https://github.com/cobbler/cobbler/pull/2974