Bug 1214223
| Field | Value |
|---|---|
| Summary | SELinux changes for Cockpit |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Marius Vollmer <mvollmer> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.1 |
| CC | dperpeet, dwalsh, jaster, jscotka, lvrabec, mgrepl, mmalik, mvadkert, mvollmer, plautrba, pvrabec, ssekidde, stefw |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-28.el7 |
| Doc Type | Bug Fix |
| | 1233233 1268732 (view as bug list) |
| Last Closed | 2015-11-19 10:33:02 UTC |
| Type | Bug |
| Bug Blocks | 1143927, 1233233, 1268732 |
Comment #0 (description):

The integration tests of Cockpit trigger these messages:

    type=1400 audit(1429694589.393:6): avc: denied { create } for pid=2580 comm="cockpit-session" name="HTTP_0" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
    type=1400 audit(1429694589.394:7): avc: denied { write open } for pid=2580 comm="cockpit-session" path="/var/tmp/HTTP_0" dev="vda" ino=230782 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

I think this fragment is needed, but I know nothing about SELinux:

    # cockpit-session does these when authenticating via GSSAPI
    allow cockpit_session_t tmp_t:file { create write open unlink };

Comment #3 (Milos Malik):

Comment #0 contains AVCs for create, write and open operations. Please attach the AVC for the unlink operation too:

    # ausearch -m avc -m user_avc -m selinux_err -i -ts today

(In reply to Milos Malik from comment #3)
> Comment #0 contains AVCs for create, write and open operations. Please
> attach the AVC for the unlink operation too:
>
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today

I think 'unlink' doesn't happen in our tests, and I don't know how to trigger it. (Also, we redirect the audit messages to the systemd journal. Can ausearch work with that?)

The accesses are caused by libgssapi_krb5. Maybe there are some existing rules for programs that use libgssapi_krb5.

Stef, do you know whether we need 'unlink'?

> Stef, do you know whether we need 'unlink'?

I have no idea. It's deep in the bowels of GSSAPI. I would assume so.

FYI, the upstream test provides the guidance to check this bug: test/check-realms TestNegotiate.testKerberos

Current failure:

    AssertionError: 'HTTP/1.1 200 OK' not found in 'HTTP/1.1 401 Authentication required\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 104\r\n\r\nHTTP/1.1 401 Authentication failed\r\nWWW-Authenticate: Negotiate oXkwd6ADCgEConAEbmBsBgkqhkiG9xIBAgIDAH5dMFugAwIBBaEDAgEepBEYDzIwMTUwOTAzMDg1OTMwWqUFAgMB+/qmAwIBPKkNGwtDT0NLUElULkxBTqohMB+gAwIBAaEYMBYbBEhUVFAbDngwLmNvY2twaXQubGFu\r\nContent-Length: 100\r\n\r\n<html><head><title>401 Authentication failed</title></head><body>Authentication failed</body></html>'

You can see that RHEL-7 is red here: http://files.cockpit-project.org/hubbot/

There are 2 cockpit policy modules:

    # ls -l /etc/selinux/targeted/modules/active/modules/cockpit.pp
    -rw-r--r--. 1 root root 12264 Sep 23 11:57 /etc/selinux/targeted/modules/active/modules/cockpit.pp
    # rpm -qf /etc/selinux/targeted/modules/active/modules/cockpit.pp
    selinux-policy-targeted-3.13.1-52.el7.noarch
    # ls -l /usr/share/selinux/targeted/cockpit.pp
    -rw-r--r--. 1 root root 127304 Aug 17 18:33 /usr/share/selinux/targeted/cockpit.pp
    # rpm -qf /usr/share/selinux/targeted/cockpit.pp
    cockpit-selinux-policy-0.71-1.el7.noarch
    #

Now it depends on which of the packages is upgraded / installed last. The TC passes when the cockpit module (version 1.0.0) from the selinux-policy package is loaded. The TC fails when the cockpit module (version 1.9.0) from the cockpit-selinux-policy package is loaded. Is it possible to merge those cockpit policy modules?

Most of the changes have been merged. I think this is the last one. Once they have been merged, we do not need to build cockpit-selinux-policy on RHEL any longer.

What needs to be merged? I believe we are up-to-date.

In this phase we have two policies with the same name, which is wrong and could cause trouble.

@QE: If the cockpit-selinux-policy package is not installed at all, then the TC passes. If the cockpit-selinux-policy package is installed, you have to remove it and reinstall the selinux-policy-targeted package, which provides cockpit.pp, and the TC passes too.

@devel: I believe that all necessary rules / contexts were already merged.

(In reply to Milos Malik from comment #13)
> @QE:
> If cockpit-selinux-policy package is not installed at all then the TC passes.
> If cockpit-selinux-policy package is installed, you have to remove it and
> reinstall selinux-policy-targeted package, which provides cockpit.pp, and
> the TC passes too.

That's correct, because we have two identical modules.

> @devel: I believe that all necessary rules / context were already merged.

Yes, I agree.

Moving back to correct state.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html
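The description quotes two AVC denials and a hand-written `allow` rule covering them, and the follow-up asks for the `unlink` denial that the proposed rule also grants. The following Python is an added example, not code from Cockpit, from the selinux-policy package or from this bug: it parses `type=1400 ... avc: denied` lines in the format shown above, groups the denied permissions by source type, target type and object class, and emits the minimal `allow` rule that would cover exactly the recorded denials, much as `audit2allow` does. Run on the bug's own two lines it yields `create`, `open` and `write` and no `unlink`, which is the point made in the discussion: a rule should be derived from denials that were actually observed, and permissions guessed in advance (here `unlink`) show up as a gap between the captured audit trail and the proposed policy. The regular expressions and the `AVC_LINES` list are this example's own; the list is copied verbatim from this page.

```python
import re
from collections import defaultdict

# The two AVC denials quoted in this bug's description (copied from the page).
AVC_LINES = [
    'type=1400 audit(1429694589.393:6): avc: denied { create } for pid=2580 '
    'comm="cockpit-session" name="HTTP_0" '
    'scontext=system_u:system_r:cockpit_session_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file',
    'type=1400 audit(1429694589.394:7): avc: denied { write open } for pid=2580 '
    'comm="cockpit-session" path="/var/tmp/HTTP_0" dev="vda" ino=230782 '
    'scontext=system_u:system_r:cockpit_session_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file',
]

# Permission set inside the braces, then the key=value tail after "for".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields plus a 'perms' set, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = set(m.group('perms').split())
    return fields


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def denied_permissions(lines):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    needed = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue  # ignore non-AVC audit records and journal noise
        key = (context_type(avc['scontext']), context_type(avc['tcontext']), avc['tclass'])
        needed[key] |= avc['perms']
    return dict(needed)


def allow_rules(lines):
    """Render one `allow` rule per (source, target, class) triple, permissions sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denied_permissions(lines).items())
    ]


def missing_from_audit(lines, proposed_perms):
    """Permissions present in a proposed rule but never seen denied in the audit lines."""
    seen = set()
    for perms in denied_permissions(lines).values():
        seen |= perms
    return sorted(set(proposed_perms) - seen)


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
    # The rule proposed in the description also grants unlink.
    print('proposed but never denied:', missing_from_audit(AVC_LINES, {'create', 'write', 'open', 'unlink'}))
```

A rule generated this way only records what was denied; whether the access should be allowed at all, or whether the file under `/var/tmp` should instead get its own label so that `cockpit_session_t` is not granted write access to every `tmp_t` file, is a policy decision, which is why the merged selinux-policy module rather than the reporter's fragment is the authoritative fix here.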