On Mon, Dec 15, 2008 at 08:33:24AM -0500, Michael DeHaan wrote:
> Anton Arapov wrote:
>> On Fri, Dec 12, 2008 at 11:49:47PM +0100, Anton Arapov wrote:
>> [..snip..]
>>
>>>
>>> node=bandura.englab.brq.redhat.com type=AVC msg=audit(1229121538.953:228):
>>> avc: denied { read write } for pid=22082 comm="semanage"
>>> path="socket:[96400]" dev=sockfs ino=96400
>>> scontext=unconfined_u:unconfined_r:semanage_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0
>>> tclass=tcp_socket, I have no idea ... this hits just by adding
>>> .call(semanage). I tried to reproduce it in a test script, and
>>> everything works just fine.
>>>
>>> Usually, such things are solved by:
>>> fcntl(socket, F_SETFD, FD_CLOEXEC),
>>> but it's Python, and I do not see any sockets being used... Even more, I do
>>> not see why we need 'import socket' in app.py and utils.py; I think they
>>> could be easily removed. ...
>>>
>>
>> [code]
>> ...
>> from xmlrpclib import ServerProxy  # Python 2 XML-RPC client (xmlrpc.client on Python 3)
>> url = "http://%s:80/cobbler_api" % (server)
>> self.xmlrpc_server = ServerProxy(url)
>> self.xmlrpc_server.get_profiles()
>> ...
>> [/code]
>>
>> xmlrpc_server is the descriptor SELinux complains about.
>>
>> Not sure how to fix it. I'm not very familiar with this lib so far.
>> Do you know if it is possible to use it 'on demand': when we need
>> something from xmlrpc, connect, and disconnect at the end of the
>> operation?
>> -- Anton
>>
>>
> Cobbler's use of xmlrpclib is no different than any other Python
> library, of which we have many that use xmlrpclib -- it probably points
> at something fundamental that needs to be fixed in SELinux if it's
> complaining about simple socket usage.
Agreed.
Michal, I'm going to send the patch with semanage inside; it will
be 100% functional, with only a complaint from SELinux. This
benefits us, and me personally =), by giving us a working virtual
machine after reboot.
Also, it will be easier to file a bug report with the SELinux
developers; I'll give them the link to koan's git with comments.
Does it sound good to you?
> --Michael
--
-Anton
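The descriptor leak this thread is chasing, as an added example that is not koan's or Cobbler's code: a socket the parent leaves inheritable survives the exec of a helper such as semanage (the AVC shows semanage holding path="socket:[96400]"), and both the fcntl FD_CLOEXEC remedy Anton mentions and subprocess's close_fds=True stop that. The socketpair standing in for the xmlrpc TCP connection and the probe child standing in for semanage are constructed for the demo; Python 3.4+ already defaults to the safe behaviour, so the old inheritable state is recreated explicitly.

```python
import fcntl
import os
import socket
import stat
import subprocess
import sys

# Child-side probe (stands in for semanage): exit 0 only if the numbered
# descriptor is still open in the child *and* is a socket.
_PROBE = (
    "import os, stat, sys\n"
    "try:\n"
    "    ok = stat.S_ISSOCK(os.fstat(int(sys.argv[1])).st_mode)\n"
    "except OSError:\n"
    "    ok = False\n"
    "sys.exit(0 if ok else 1)\n"
)


def child_sees_socket(fd, close_fds):
    """Exec a helper process and report whether it inherited descriptor fd."""
    rc = subprocess.call([sys.executable, "-c", _PROBE, str(fd)], close_fds=close_fds)
    return rc == 0


def set_cloexec(fd):
    """The fcntl(fd, F_SETFD, FD_CLOEXEC) remedy from the thread."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def demo():
    """Return (leaked, after_cloexec, after_close_fds) for a constructed socket."""
    a, b = socket.socketpair()      # constructed stand-in for the xmlrpc TCP socket
    fd = a.fileno()
    # Python 2 of 2008 left sockets inheritable and subprocess kept them open
    # across exec; recreate that state so the leak is visible.
    os.set_inheritable(fd, True)
    leaked = child_sees_socket(fd, close_fds=False)
    set_cloexec(fd)                 # remedy 1: close-on-exec on the descriptor
    after_cloexec = child_sees_socket(fd, close_fds=False)
    os.set_inheritable(fd, True)    # undo, so remedy 2 is shown on its own
    after_close_fds = child_sees_socket(fd, close_fds=True)  # remedy 2: close_fds
    a.close()
    b.close()
    return leaked, after_cloexec, after_close_fds


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```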