Bug 1107673

Summary: Puppet or puppetmaster sometimes changes file contexts
Product: Red Hat Satellite Reporter: Bryan Kearney <bkearney>
Component: SELinux    Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE QA Contact: Tazim Kolhar <tkolhar>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.3    CC: bbuckingham, cwelton, jmontleo, lzap, tkolhar
Target Milestone: Unspecified    Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/5910
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-11 12:23:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bryan Kearney 2014-06-10 12:39:46 UTC
which is prevented by SELinux. This has something to do with selinux users and RHEL6. Discussion is here:

<pre>
14:56    lzap | dwalsh: https://gist.github.com/lzap/b2c29cd20da2a0d95459
14:57    lzap | dwalsh: mirek told me the other day I see relabelto because the process is touching xattrs most likely. whatever, I'd like to allow that, but
              | my rules do not apply for some reason
14:58  dwalsh | lzap, You are relabeling a file to system_u:...  You are running as unconfined_u.  There is a constraint that says you are not allowed to do
              | this unless you have a certain attribute.
14:58  dwalsh | scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0
14:58  dwalsh | Is passenger_t doing a setfilecon?
15:00  dwalsh | lzap, It looks like you ran passenger from an unconfined_u user,
15:00    lzap | oh
15:00    lzap | like started it from shell right?
15:01  dwalsh | lzap, I would not have a problem doing it.  We really do not enforce on user part of the label.
15:01  dwalsh | Did you do a runcon to get the service to start?
15:01    lzap | it was puppet who started that
15:01    lzap | puppet agent
15:01    lzap | but puppet started from openstack installer
15:01    lzap | and that was obviously started as root
15:02    lzap | but I'd expect when I'd do service start it would start normally
15:02    lzap | puppet is doing: service httpd start
15:02  dwalsh | is this RHEL6?
15:02    lzap | yes
15:02    lzap | 6.54
15:02    lzap | 6.5
15:03  dwalsh | Well puppet must have been running as unconfined_u which means someone restarted it.
15:03  dwalsh | In RHEL7 this would not be a problem because services would be started via systemd, which would be running as system_u.
15:04  dwalsh | domain_subj_id_change_exemption(passenger_t) would fix the problem. 
15:04  dwalsh | Most of the time passenger_t would run as system_u, since it would be started at boot time.  But if a user did a service restart, then I guess
              | this could happen.
15:05    lzap | so you are telling me that all services which are running under RHEL6 and are confined can go wrong as soon as root restarts them from a shell?
15:06  dwalsh | No only services that attempt to do built in SELinux calls.
15:06  dwalsh | Puppet must be doing a setfiles() call to change the label.
15:07    lzap | ok I will investigate this, but I'd not expect this there
15:07    lzap | it's a ruby app without any selinux support
15:07    lzap | I mean the upstream code
15:07    lzap | and I am not aware of any special handling in our startup scripts or something
15:08  dwalsh | We added selinux support to ruby a few years ago to be used with puppet.
15:08  dwalsh | Search the code for matchpathcon, and setfilecon.

</pre>

Comment 1 Bryan Kearney 2014-06-10 12:39:48 UTC
Created from redmine issue http://projects.theforeman.org/issues/5910

Comment 2 Bryan Kearney 2014-06-10 12:39:53 UTC
Upstream bug assigned to lzap

Comment 3 Bryan Kearney 2014-06-10 12:44:19 UTC
*** Bug 1107680 has been marked as a duplicate of this bug. ***

Comment 4 Bryan Kearney 2014-06-10 13:03:44 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/5910 has been closed

Comment 7 Tazim Kolhar 2014-08-27 12:21:46 UTC
please provide verification steps

Comment 8 Lukas Zapletal 2014-08-27 14:03:07 UTC
This patch was committed:

+domain_obj_id_change_exemption(passenger_t)
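Review bot: the interface committed here, domain_obj_id_change_exemption(passenger_t), is not the one suggested in the IRC log (domain_subj_id_change_exemption), and the commit should say why. The committed one is the right match for the denial shown in the log: a process running as unconfined_u relabels a file to system_u, which changes the user field of the object label, and the object-identity exemption is what lifts that constraint; the subject-identity variant covers changing the user of a process across a transition and would not have addressed this. Also worth a comment in the policy source: the exemption is domain-wide, so it lifts the user-identity check for every file passenger_t is allowed to relabel, not only puppet_log_t.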

To verify, install Satellite 6 and verify there are no AVC denials. Please ignore this harmless one:

time->Wed Aug 27 09:15:56 2014
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 a0=3366d00 a1=16d4d30 a2=0 a3=12 items=0 ppid=4708 pid=4725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Note the "load_policy" domain. We have a separate BZ for this.
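An added example (not part of the bug, of Satellite or of Foreman) of the triage the verification step above asks for: it parses AVC records from an audit log, sets aside the known-harmless load_policy_t write named in this comment, and flags denials that change the SELinux user on a file label, the case described in the IRC log. The write records are trimmed from the one quoted above; the relabelto record is constructed from the contexts in the IRC log, with a made-up pid and timestamp.

```python
import re

# Denial Comment 8 says to ignore (tracked in a separate BZ): (source type, target type, class, perm)
HARMLESS = {("load_policy_t", "user_tmp_t", "file", "write")}

# Permissions under the refpolicy constraint that requires the SELinux user of source and
# target to match unless the domain has can_change_object_identity, the attribute that
# domain_obj_id_change_exemption() grants.
OBJ_ID_PERMS = {"create", "relabelto", "relabelfrom"}

_AVC = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+)"
                  r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(lines):
    """Yield one dict per denied permission; non-AVC audit lines are skipped."""
    for line in lines:
        m = _AVC.search(line)
        if not m:
            continue
        s_user, _, s_type = m["scon"].split(":")[:3]
        t_user, _, t_type = m["tcon"].split(":")[:3]
        for perm in m["perms"].split():
            yield {"perm": perm, "stype": s_type, "ttype": t_type, "tclass": m["tclass"],
                   # user_change: the operation would change the user field of the file label
                   "user_change": perm in OBJ_ID_PERMS and s_user != t_user}

def triage(lines):
    """Split de-duplicated denials into (actionable, ignored) in first-seen order."""
    actionable, ignored, seen = [], [], set()
    for d in parse_avc(lines):
        key = (d["stype"], d["ttype"], d["tclass"], d["perm"])
        if key in seen:
            continue
        seen.add(key)
        (ignored if key in HARMLESS else actionable).append(d)
    return actionable, ignored

# Sample records: the first two are trimmed from the duplicated record quoted in Comment 8;
# the third is constructed from the scontext/tcontext in the IRC log (pid and timestamp made up).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" '
    'scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" '
    'scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1402400000.000:1): avc:  denied  { relabelto } for  pid=1 '
    'scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file',
]
```

Running `triage(SAMPLE_AUDIT)` leaves the single load_policy_t write in the ignored list and reports the relabelto as actionable with `user_change` set, which is the signature to look for if the exemption is missing.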

Comment 9 Tazim Kolhar 2014-08-28 06:20:02 UTC
VERIFIED

able to install satellite 6 with no AVC denials

Comment 10 Bryan Kearney 2014-09-11 12:23:12 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.