Bug 1098244

Summary: [Rubygem-Staypuft]: SELinux avc: denied when running staypuft-installer - comm="ruby" path="/sbin/iptables-multi-1.4.7.
Product: Red Hat OpenStack Reporter: Omri Hochman <ohochman>
Component: rubygem-staypuftAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Omri Hochman <ohochman>
Severity: high Docs Contact:
Priority: high    
Version: 4.0CC: aberezin, lzap, mburns, mlopes, morazi, mtaylor, sclewis
Target Milestone: z1Keywords: TestOnly, ZStream
Target Release: Installer   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, SELinux policy was missing entries for certain new plug-ins. This resulted in AVC denials being observed in the audit.log file. This fix updates the Foreman SELinux policy, with the result that related denial entries should no longer be seen in the audit.log.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-01 13:24:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1093126    
Attachments:
Description Flags
messages
none
audit.log from staypuft-installer
none
Output of ps -xauwwwZ associated with mtaylor_staypuft-installer_audit.log
none
mburns-audit-log
none
audit.log
none
ps auxwwwZ none

Description Omri Hochman 2014-05-15 14:43:11 UTC 
[Rubygem-Staypuft]: SELinux avc: denied when running staypuft-installer - comm="ruby" path="/sbin/iptables-multi-1.4.7.


Environment  (puddle : OpenStack/Foreman/2014-05-06.6/) 
-------------------------------------------------------
ruby193-rubygem-staypuft-0.0.12-1.el6ost.noarch
foreman-installer-staypuft-0.0.10-1.el6ost.noarch
openstack-puppet-modules-2013.2-9.1.el6ost.noarch
puppet-server-3.3.2-2.el6.noarch
puppet-3.3.2-2.el6.noarch
foreman-1.5.0.22-1.el6sat.noarch

[foreman ~]# rpm -qa | grep iptables
iptables-ipv6-1.4.7-11.el6.x86_64
iptables-1.4.7-11.el6.x86_64

[foreman ~]# rpm -qa | grep selinux
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
foreman-selinux-1.5.0-0.develop.el6sat.noarch
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6_5.1.noarch
selinux-policy-targeted-3.7.19-231.el6_5.1.noarch

Steps:
-------
1)  Verify SELinux enables (setenforce 1)
2)  Attempt to install staypuft running  "staypuft-installer"
3)  Check /var/log/messages. 

Results:
---------


/var/log/messages : 
------------------------------------------------------------
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'socket' is deprecated. Use '@socket' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:5
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:5:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'pidfile' is deprecated. Use '@pidfile' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:9
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:9:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'socket' is deprecated. Use '@socket' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:10
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:10:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'port' is deprecated. Use '@port' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:11
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:11:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'basedir' is deprecated. Use '@basedir' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:12
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:12:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'datadir' is deprecated. Use '@datadir' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:13
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:13:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'bind_address' is deprecated. Use '@bind_address' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.
erb]:17
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:17:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'bind_address' is deprecated. Use '@bind_address' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.
erb]:18
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:18:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'log_error' is deprecated. Use '@log_error' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:2
8
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:28:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'default_engine' is deprecated. Use '@default_engine' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.
cnf.erb]:31
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:31:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'default_engine' is deprecated. Use '@default_engine' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.
cnf.erb]:32
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:32:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'ssl' is deprecated. Use '@ssl' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:34
May 15 11:35:00 oh-havana-foreman puppet-master[32245]:    (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:34:in `result')
May 15 11:35:02 oh-havana-foreman puppet-master[32245]: (Scope(Class[Keystone])) token_format parameter is deprecated. Use token_provider instead.
May 15 11:35:04 oh-havana-foreman puppet-master[32245]: (Scope(Class[Nova])) sql_connection deprecated for database_connection
May 15 11:35:07 oh-havana-foreman puppet-master[32245]: Variable access via 'pipeline' is deprecated. Use '@pipeline' instead. template[inline]:2
May 15 11:35:07 oh-havana-foreman puppet-master[32245]:    (at (erb):2:in `result')
May 15 11:35:08 oh-havana-foreman puppet-master[32245]: (Scope(Class[Swift::Proxy::Proxy-logging])) swift::proxy::proxy-logging is deprecated. Use swift::proxy::proxy_logging instead.
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.818:390): avc:  denied  { getattr } for  pid=32245 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system
_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.818:391): avc:  denied  { execute } for  pid=32245 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:pas
senger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.825:392): avc:  denied  { read open } for  pid=950 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:pas
senger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.825:393): avc:  denied  { execute_no_trans } for  pid=950 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:14 oh-havana-foreman puppet-master[32245]: Variable access via 'tcp_port' is deprecated. Use '@tcp_port' instead. template[/etc/puppet/environments/production/modules/memcached/templates/memcached_sysconfig.erb]:1
Comment 1 Omri Hochman 2014-05-15 14:44:15 UTC 
Created attachment 895963 [details]
messages
Comment 3 Lukas Zapletal 2014-05-16 11:33:54 UTC 
Those logs are cut off, can we get whole lines?

May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.825:392): avc:  denied  { read open } for  pid=950 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:pas

its passenger_something...
Comment 4 Lukas Zapletal 2014-05-16 11:35:59 UTC 
Please add this as well:

ps -xauwwwZ
Comment 6 Martyn Taylor 2014-05-16 16:41:53 UTC 
Tested staypuft-install with the latest foreman-selinux build from here: http://koji.katello.org/koji/buildinfo?buildID=9803

I am getting the following AVC denied:

# tail -f /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1400258033.035:164): avc:  denied  { relabelto } for  pid=8510 comm="ruby" name="yaml" dev=dm-0 ino=537367 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1400258033.076:165): avc:  denied  { relabelto } for  pid=8510 comm="ruby" name="masterhttp.log" dev=dm-0 ino=536269 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1400258033.337:166): avc:  denied  { relabelto } for  pid=8510 comm="ruby" name="ca_crt.pem" dev=dm-0 ino=536250 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1400258050.395:167): avc:  denied  { write } for  pid=8914 comm="ruby" name="dynflow_socket" dev=dm-0 ino=282452 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:foreman_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1400258050.395:167): avc:  denied  { connectto } for  pid=8914 comm="ruby" path="/var/run/foreman/sockets/dynflow_socket" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Comment 7 Martyn Taylor 2014-05-16 16:45:14 UTC 
Created attachment 896468 [details]
audit.log from staypuft-installer
Comment 8 Martyn Taylor 2014-05-16 16:47:14 UTC 
Created attachment 896469 [details]
Output of ps -xauwwwZ associated with mtaylor_staypuft-installer_audit.log
Comment 10 Lukas Zapletal 2014-05-19 16:43:22 UTC 
I am not sure about the relabel stuff, but I will fix the dynflow_socket issue in the next foreman-selinux build.
Comment 11 Lukas Zapletal 2014-05-22 11:02:08 UTC 
I am working on brand new policy for foreman-tasks plugin which was missing. Unfortunately this plugin is the most complicated one in regard to selinux - it has two new processes, socket and also new directory.

Filed upstream bug: http://projects.theforeman.org/issues/5870

I will need to update both foreman-selinux packages and foreman-tasks package.
Comment 12 Mike Burns 2014-05-22 13:17:27 UTC 
Created attachment 898390 [details]
mburns-audit-log

set permissive
run staypuft-installer
configure deployment
start deployment
<end>
Comment 13 Lukas Zapletal 2014-05-22 16:03:26 UTC 
Okay I have to admit I tool wrong approach, to fix this issue it is NOT necessary to write policy for foreman-tasks. Although I prepared already this policy and I will finish this effort:

https://github.com/theforeman/foreman-tasks/pull/54
http://koji.katello.org/koji/taskinfo?taskID=111800

I created new issue:

http://projects.theforeman.org/issues/5882

and temporary fix:

https://github.com/theforeman/foreman-selinux/pull/17
Comment 15 Lukas Zapletal 2014-05-23 11:10:45 UTC 
Okay I am putting this back to POST because I am not finished with the fix yet, it is going under upstream review right now.

Please disregard comment 13, I was able to write brand new foreman-tasks policy and also fix the relabelto three denials.

Upstream changes that contain necessary work to get rid of these denials:

https://github.com/theforeman/foreman-tasks/pull/54
https://github.com/theforeman/foreman-selinux/pull/18 (not yet merged)

Upstream builds:

http://koji.katello.org/koji/taskinfo?taskID=111800
http://koji.katello.org/koji/taskinfo?taskID=112021
Comment 17 Mike Burns 2014-05-23 12:52:16 UTC 
*** Bug 1092980 has been marked as a duplicate of this bug. ***
Comment 18 Mike Burns 2014-05-23 12:58:52 UTC 
Using RHEL 6.5 + latest foreman puddle (20140522.2) and the packages mention above, I'm still getting passenger avc denials.  

Moving back to assigned
Comment 19 Lukas Zapletal 2014-05-23 13:17:52 UTC 
Last note: The upstream fix does fix the socket denial, does not fix the three puppet ones. I filed another issue for it, it's a different one we need to solve:

http://projects.theforeman.org/issues/5910

This will require some changes in a way how we call puppet/puppet master, I need to discuss this upstream and find a proper way to fix this.
Comment 20 Mike Burns 2014-05-27 13:47:14 UTC 
Created attachment 899508 [details]
audit.log

with latest upstream build:  http://koji.katello.org/koji/taskinfo?taskID=113026

run through full installation successful
when configuring a deployment using staypuft, a single AVC showed up, but I am unable to reproduce it within the same installation

# audit2why -wa
type=AVC msg=audit(1401197569.085:2565): avc:  denied  { name_bind } for  pid=9349 comm="ruby" src=17659 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
	Was caused by:
	The boolean allow_ypbind was set incorrectly. 
	Description:
	Allow system to run with NIS

	Allow access by executing:
	# setsebool -P allow_ypbind 1
Comment 21 Mike Burns 2014-05-27 13:48:03 UTC 
Created attachment 899509 [details]
ps auxwwwZ
Comment 24 Lukas Zapletal 2014-05-29 12:25:14 UTC 
FIY for the last denial I've opened another upstream issue report:

http://projects.theforeman.org/issues/5981
Comment 25 Lukas Zapletal 2014-05-30 10:20:17 UTC 
The fix was merged upstream: https://github.com/theforeman/foreman-selinux/pull/18

This build does contain the necessary changes:

http://koji.katello.org/koji/buildinfo?buildID=10897
Comment 27 Omri Hochman 2014-09-15 06:23:34 UTC 
Verified with :
---------------
ruby193-rubygem-staypuft-0.3.4-2.el6ost.noarch
rhel-osp-installer-0.3.4-3.el6ost.noarch
foreman-selinux-1.6.0.14-1.el6sat.noarch
selinux-policy-3.7.19-231.el6.noarch
Comment 29 errata-xmlrpc 2014-10-01 13:24:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1350.html