Cobbler will not start on RHEL 6.3 with SELINUX set to enforcing.  The traceback is:

 

[root@fiat Desktop]# service cobblerd restart
Stopping cobbler daemon:                                   [  OK  ]
Starting cobbler daemon: Traceback (most recent call last):
  File "/usr/bin/cobblerd", line 76, in main
    api = cobbler_api.BootAPI(is_cobblerd=True)
  File "/usr/lib/python2.6/site-packages/cobbler/api.py", line 127, in __init__
    module_loader.load_modules()
  File "/usr/lib/python2.6/site-packages/cobbler/module_loader.py", line 62, in load_modules
    blip =  __import__("modules.%s" % ( modname), globals(), locals(), [modname])
  File "/usr/lib/python2.6/site-packages/cobbler/modules/authn_pam.py", line 53, in <module>
    from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, pointer, sizeof
  File "/usr/lib64/python2.6/ctypes/__init__.py", line 546, in <module>
    CFUNCTYPE(c_int)(lambda: None)
MemoryError
                                                           [  OK  ]

 

SETROUBLESHOOT shows:

SELinux is preventing /usr/bin/python from 'execute' accesses on the file /var/tmp/ffi9tKgC2 (deleted).

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python should be allowed execute access on the ffi9tKgC2 (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                unconfined_u:object_r:cobbler_tmp_t:s0
Target Objects                /var/tmp/ffi9tKgC2 (deleted) [ file ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.6-29.el6_2.2.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.7.19-155.el6_3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux fiat 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13
                              18:24:36 EDT 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Mon 25 Jun 2012 09:17:11 AM EDT
Last Seen                     Mon 25 Jun 2012 09:17:11 AM EDT
Local ID                      0e7281c6-bac9-4508-86f0-37bcd3b981f3

Raw Audit Messages
type=AVC msg=audit(1340630231.422:38857): avc:  denied  { execute } for  pid=3237 comm="cobblerd" path=2F7661722F746D702F66666939744B674332202864656C6574656429 dev=dm-0 ino=1443260 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1340630231.422:38857): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=1000 a2=5 a3=1 items=0 ppid=3236 pid=3237 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

Hash: cobblerd,cobblerd_t,cobbler_tmp_t,file,execute

audit2allow

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;

audit2allow -R

#============= cobblerd_t ==============
allow cobblerd_t cobbler_tmp_t:file execute;

 

and

 

SELinux is preventing /usr/bin/python from 'search' accesses on the directory /dev/shm/ffiJ5MZtf.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/dev/shm/ffiJ5MZtf default label should be device_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /dev/shm/ffiJ5MZtf

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that python should be allowed search access on the ffiJ5MZtf directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cobblerd_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /dev/shm/ffiJ5MZtf [ dir ]
Source                        cobblerd
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.6-29.el6_2.2.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.7.19-155.el6_3.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13
                              18:24:36 EDT 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 25 Jun 2012 09:17:11 AM EDT
Last Seen                     Mon 25 Jun 2012 09:17:11 AM EDT
Local ID                      69c30a55-bcf2-4d0e-b97e-acbc91c0e3b7

Raw Audit Messages
type=AVC msg=audit(1340630231.422:38858): avc:  denied  { search } for  pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=AVC msg=audit(1340630231.422:38858): avc:  denied  { search } for  pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1340630231.422:38858): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff4eaa8310 a1=c2 a2=180 a3=1 items=4 ppid=3236 pid=3237 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=cobblerd exe=/usr/bin/python subj=unconfined_u:system_r:cobblerd_t:s0 key=(null)

type=CWD msg=audit(1340630231.422:38858): cwd=/

type=PATH msg=audit(1340630231.422:38858): item=0 name=/dev/shm/ffiJ5MZtf

type=PATH msg=audit(1340630231.422:38858): item=1 name=(null) inode=5440 dev=00:10 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

type=PATH msg=audit(1340630231.422:38858): item=2 name=/dev/shm/ffiJ5MZtf

type=PATH msg=audit(1340630231.422:38858): item=3 name=(null) inode=5440 dev=00:10 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t:s0

Hash: cobblerd,cobblerd_t,tmpfs_t,dir,search

audit2allow

#============= cobblerd_t ==============
allow cobblerd_t tmpfs_t:dir search;

audit2allow -R

#============= cobblerd_t ==============
allow cobblerd_t tmpfs_t:dir search;

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Stuart J. Newman
Engineer 4; Systems
Solar Dynamics Observatory (SDO)

Honeywell Technology Solutions Inc
NASA/Goddard Space Flight Center
Building 14, Room E222
Mail Stop 428.2
Greenbelt, MD 20771

Office: (301) 286-5145
EMail: Stuart.J.Newman@nasa.gov

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
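The first AVC record in the message above carries the denied path hex-encoded (`path=2F76...`), which is how the audit subsystem writes strings that contain spaces. The following is an added example, not part of the original message or of Cobbler: it decodes such fields and groups the denials into audit2allow-style rules so they can be read before a generated module is loaded. The `REVIEW_PERMS` set and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# The two distinct AVC records quoted in the message above (copied from the page).
SAMPLE = """\
type=AVC msg=audit(1340630231.422:38857): avc:  denied  { execute } for  pid=3237 comm="cobblerd" path=2F7661722F746D702F66666939744B674332202864656C6574656429 dev=dm-0 ino=1443260 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:cobbler_tmp_t:s0 tclass=file
type=AVC msg=audit(1340630231.422:38858): avc:  denied  { search } for  pid=3237 comm="cobblerd" name="/" dev=tmpfs ino=5440 scontext=unconfined_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""

STRING_FIELDS = {"path", "name", "comm", "exe"}  # fields the audit log may hex-encode
# Assumption of this example: execute-class permissions deserve a manual look.
REVIEW_PERMS = {"execute", "execute_no_trans", "execmod", "execmem"}

def decode_field(key, value):
    """Quoted values are literal; unquoted string fields are hex-encoded bytes."""
    if value.startswith('"'):
        return value.strip('"')
    if key in STRING_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    rec = {k: decode_field(k, v)
           for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["perms"] = m.group(1).split()
    return rec

def summarize(text):
    """Group denials by (source type, target type, class) into allow rules."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        src = rec["scontext"].split(":")[2]   # user:role:type:level -> type
        tgt = rec["tcontext"].split(":")[2]
        rules[(src, tgt, rec["tclass"])].update(rec["perms"])
    out = []
    for (src, tgt, cls), granted in sorted(rules.items()):
        perms = sorted(granted)
        perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append(("allow %s %s:%s %s;" % (src, tgt, cls, perm_str),
                    sorted(granted & REVIEW_PERMS)))
    return out

if __name__ == "__main__":
    for rule, flagged in summarize(SAMPLE):
        print(rule, ("<-- review: " + ", ".join(flagged)) if flagged else "")
```
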