Centos – How to configure SELinux on Centos 6 for cobbler

centoscentos6cobblerselinux

I have installed and configured Cobbler on my centos 6 "installation server". From what I think I did all the configurations I'm supposed to. The installation was performed with my own customized python script that can be found here. But basically it's imports, repo add, profile add, reposync and other standard commands.

During the installation SELinux was in permissive mode, and added lots of stuff to the /var/log/audit/audit.log.

After the installation I did execute the following to generate SELinux rules.

    cat /var/log/audit/audit.log | audit2allow -m sycocobbler

Which gave me.

    module sycocobbler 1.0;

    require {
      type semanage_store_t;
      type syslogd_t;
      type sysfs_t;
      type var_lock_t;
      type rpm_var_cache_t;
      type httpd_sys_content_t;
      type proc_net_t;
      type file_context_t;
      type semanage_read_lock_t;
      type lib_t;
      type sysctl_modprobe_t;
      type security_t;
      type cobblerd_t;
      type modules_conf_t;
      type rpm_var_lib_t;
      type tftpdir_rw_t;
      type modules_dep_t;
      type devlog_t;
      type sysctl_kernel_t;
      type modules_object_t;
      type default_context_t;
      class rawip_socket { getopt create };
      class capability { net_admin net_raw fsetid sys_ptrace };
      class file { rename setattr read lock create write getattr unlink open };
      class netlink_audit_socket create;
      class sock_file { write getattr };
      class lnk_file { read create getattr };
      class unix_dgram_socket { create connect sendto };
      class dir { rename search setattr read create write getattr rmdir remove_name open add_name };
    }

    #============= cobblerd_t ==============
    allow cobblerd_t default_context_t:dir search;
    allow cobblerd_t devlog_t:sock_file { write getattr };
    allow cobblerd_t file_context_t:dir search;
    #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
    # cobbler_var_lib_t, tftpdir_rw_t, cobbler_cache_t, httpd_cobbler_rw_content_t, public_content_rw_t

    allow cobblerd_t httpd_sys_content_t:dir { rename write rmdir setattr remove_name create add_name };
    allow cobblerd_t httpd_sys_content_t:file { write rename create unlink setattr };
    #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
    # var_lib_t, var_log_t, named_zone_t, var_t, cobbler_var_lib_t, tftpdir_rw_t, etc_t, cobbler_cache_t, httpd_cobbler_rw_content_t, public_content_rw_t, root_t

    allow cobblerd_t lib_t:dir { write remove_name add_name };
    allow cobblerd_t lib_t:file { write create unlink };
    allow cobblerd_t modules_conf_t:dir { read search open };
    allow cobblerd_t modules_conf_t:file { read getattr open };
    allow cobblerd_t modules_dep_t:file { read getattr open };
    allow cobblerd_t modules_object_t:dir search;
    allow cobblerd_t modules_object_t:file { read open };
    allow cobblerd_t proc_net_t:file { read getattr open };
    #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
    # cobbler_var_lib_t, tftpdir_rw_t, cobbler_cache_t, httpd_cobbler_rw_content_t, public_content_rw_t

    allow cobblerd_t rpm_var_cache_t:dir { search read create write getattr remove_name open add_name };
    allow cobblerd_t rpm_var_cache_t:file { rename create unlink open setattr };
    #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
    # var_lib_t, var_log_t, named_zone_t, cobbler_var_log_t, var_t, cobbler_var_lib_t, tftpdir_rw_t, etc_t, cobbler_cache_t, httpd_cobbler_rw_content_t, public_content_rw_t, root_t

    allow cobblerd_t rpm_var_lib_t:dir { write search getattr };
    allow cobblerd_t rpm_var_lib_t:file open;
    allow cobblerd_t security_t:dir read;
    allow cobblerd_t self:capability { net_admin net_raw fsetid sys_ptrace };
    allow cobblerd_t self:netlink_audit_socket create;
    allow cobblerd_t self:rawip_socket { getopt create };
    allow cobblerd_t self:unix_dgram_socket { create connect };
    allow cobblerd_t semanage_read_lock_t:file { read lock open };
    #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
    # var_lib_t, var_log_t, named_zone_t, var_t, cobbler_var_lib_t, tftpdir_rw_t, etc_t, cobbler_cache_t, httpd_cobbler_rw_content_t, public_content_rw_t, root_t

    allow cobblerd_t semanage_store_t:dir { read write search };
    allow cobblerd_t semanage_store_t:file { read getattr open };
    allow cobblerd_t sysctl_kernel_t:dir search;
    allow cobblerd_t sysctl_modprobe_t:file read;
    allow cobblerd_t sysfs_t:dir { search getattr };
    allow cobblerd_t sysfs_t:file { read getattr open };
    allow cobblerd_t syslogd_t:unix_dgram_socket sendto;
    allow cobblerd_t tftpdir_rw_t:lnk_file { read create getattr };
    allow cobblerd_t var_lock_t:dir search;
    allow cobblerd_t var_lock_t:file getattr;

Am I supposed to add this to the SELinux policy? Or is it any official policy that I have missed? Is the above correct, my current SELinux skills are not good enough determine that.

Best Answer

As I mentioned in this answer, redirect the SELinux rules to a file which is called cobbler.te.

You can compile it with:

# checkmodule -M -m -o cobbler.mod cobbler.te

then create module package and install by executing:

# semodule_package -m cobbler.mod -o cobbler.pp 
# semodule -i cobbler.pp

Related Solutions

Centos – rsyslog-thesql on CentOS 5.3 does not have permission to access the thesql.sock

Woo!!

So I was very close with the semodule solution... It actually kind of worked but I'm not 100% sure why. I rebooted the server and reloaded the semodule out of frustration. selinux is enabled and I'm seeing system messages show up in the database.

Hopefully this will help someone else if they stumble across it. Good luck!

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

# semanage fcontext -a -t public_content_rw_t "/myftp/pub(/.*)?"

Be sure to include the (/.*)? at the end of the directory name.

I also tried to use audit2allow to generate a policy, but what it does is generate a policy that gives ftpd write access to directories of type public_content_t; this is equivalent to turning on allow_ftpd_full_access, if I understood it correctly

Essentially, yes; since SELinux allows directories/files labeled with public_content_t to be shared between different services. However, further access control is in place through the use of sebooleans (or sebool, more precisely).

Giving "ftpd full access", doesn't mean giving it the rights to do/read/write what and where it wants. SELinux has designated policies in place for the services on your system; meaning, ftpd is allowed to read files if the directory's file context (fcontext) is public_content_t. SELinux gives write permissions to the ftp server if the directory's fcontext is public_content_rw_t; other services such as samba, apache, etc. have to be allowed write permissions to those directories through the booleans, according to the pertaining RedHat Documentation. If your "local policy" gives ftpd write access in directories labelled public_content_t, it essentially strips away a layer of security. Therefore, I suggest labeling the directory with the public_content_rw_t context, and removing your custom generated local policy.

For further information and details, please see the SELinux wiki pages.

Best Answer

Related Solutions

Centos – rsyslog-thesql on CentOS 5.3 does not have permission to access the thesql.sock

Ftp – How to tell SELinux to give vsftpd write access in a specific directory

Related Topic