Bug 1003630

Summary: ansible cannot be run with confined user and ssh since it create control socket in homedir
Product: [Fedora] Fedora Reporter: Michael S. <misc>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dwalsh, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-74.2.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-12 01:54:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael S. 2013-09-02 14:12:13 UTC
Ansible is a tool to manage remote server with ssh, and in order to speed up connexion, use ssh ControlMaster socket.

Since the fix for CVE-2013-4259 , Ansible create its ssh socket file in $HOME/.ansible/cp and no longer in /tmp, but when ansible is run by a confined user, the socket is not correctly labeled ( see 987554 ). 

This in turn trigger various AVC :

type=AVC msg=audit(1378130462.857:11603): avc:  denied  { write } for  pid=666 
comm="ssh" name="cp" dev="dm-3" ino=4226381 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir

type=AVC msg=audit(1378124017.022:11490): avc:  denied  { add_name } for  pid=20216 comm="ssh" name="ansible-ssh-janedoe.usersys.example.com-22-root.TwUf7jkog91WSPpk" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir

type=AVC msg=audit(1378124017.022:11490): avc:  denied  { create } for  pid=20216 comm="ssh" name="ansible-ssh-janedoe.usersys.example.com-22-root.TwUf7jkog91WSPpk" scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file

type=AVC msg=audit(1378124017.120:11491): avc:  denied  { link } for  pid=20216 comm="ssh" name="ansible-ssh-janedoe.usersys.example.com-22-root.TwUf7jkog91WSPpk" dev="dm-3" ino=4226338 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file

type=AVC msg=audit(1378124017.120:11492): avc:  denied  { remove_name } for  pid=20216 comm="ssh" name="ansible-ssh-janedoe.usersys.example.com-22-root.TwUf7jkog91WSPpk" dev="dm-3" ino=4226338 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir

type=AVC msg=audit(1378124017.120:11492): avc:  denied  { unlink } for  pid=20216 comm="ssh" name="ansible-ssh-janedoe.usersys.example.com-22-root.TwUf7jkog91WSPpk" dev="dm-3" ino=4226338 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file

type=AVC msg=audit(1378124017.120:11493): avc:  denied  { write } for  pid=20216 comm="ssh" name="ansible-ssh-janedoe.usersys.example.com-22-root" dev="dm-3" ino=4226338 scontext=staff_u:staff_r:ssh_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=sock_file



Could the socket in $HOME/.ansible/cp be correctly labelled to be used as ssh socket ?

Comment 1 Daniel Walsh 2013-09-04 14:01:23 UTC
Would it make sense to label it ssh_home_t?

chcon -R -t ssh_home_t ~/.ansible

Comment 2 Michael S. 2013-09-04 16:50:08 UTC
I doubt, since there is more than ssh socket there. 
For example the default remote temporary directory is in ~/.ansible/tmp and i suspect that upstream may start to add more stuff there.

Comment 3 Daniel Walsh 2013-09-04 18:47:40 UTC
Well should .ansible be under ~/.config

Comment 4 Daniel Walsh 2013-09-04 18:49:06 UTC
Or can we get ansible to create the socket in ~/.ssh/

Comment 5 Daniel Walsh 2013-09-04 18:54:39 UTC
Or can we label ~/.ansible/cp as ssh_home_t.

Comment 6 Michael S. 2013-09-04 19:59:04 UTC
I vote for the 3rd option, no need to modify upstream configuration.

.ansible is not configuration, there is ~/.ansible.cfg for that. It could be under .local, but I suspect they want to support platform that predate the convention. I can ask to upstream to take a look at that bug if you want.

Comment 7 Daniel Walsh 2013-09-05 13:11:07 UTC
98126e4da70c2cd2a4853197fc43b7adb2d4f863 in git

adds a label for ssh_home_t in ansible subdir

HOME_DIR/\.ansible/cp/.*	-s	gen_context(system_u:object_r:ssh_home_t,s0)


Also allows ssh_t to create ssh_home_t sock_files in user_home_t directories.

Comment 8 Miroslav Grepl 2013-09-05 21:00:36 UTC
back ported.

Comment 9 Fedora Update System 2013-09-09 07:54:55 UTC
selinux-policy-3.12.1-74.2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.2.fc19

Comment 10 Fedora Update System 2013-09-09 23:57:51 UTC
Package selinux-policy-3.12.1-74.2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16231/selinux-policy-3.12.1-74.2.fc19
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-09-12 01:54:04 UTC
selinux-policy-3.12.1-74.2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.