Bug 1515499

Summary: sysadm users cannot execute 'puppet agent' command
Product: Red Hat Enterprise Linux 6 Reporter: Coby Isley <cisley>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact: Mirek Jahoda <mjahoda>
Priority: urgent    
Version: 6.9CC: cww, dwalsh, fkrska, lvrabec, mgrepl, mjahoda, mmalik, mthacker, plautrba, ssekidde, toneata
Target Milestone: rcKeywords: Regression, Reopened, Reproducer, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
In Red Hat Enterprise Linux 6.9, the puppet module in the SELinux policy package had been restructured to follow Red Hat Enterprise Linux 7 puppet4 model, and the domain for the /usr/bin/puppet binary file had been set to 'puppet_exec_t`. As a consequence, SELinux denied executing the 'puppet agent' command for the 'sysadm_t' confined user. With this update, the missing domain transitions have been added, and `puppet agent` can be now successfully executed by 'sysadm_t' with SELinux in Enforcing mode.
 Story Points: ---
Clone Of:
: 1522745 1522765 (view as bug list) Environment:
Last Closed: 2018-06-19 05:11:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1374441, 1522745, 1522765    

Description Coby Isley 2017-11-20 22:41:18 UTC 
Description of problem:

SELinux policy version 3.7.19-306 appears to have restructured puppet module code to follow rhel7 puppet4 model, including changing /usr/bin/puppet binary to puppet_exec_t. 

It seems that introduced a regression where system administrators cannot execute 'puppet agent' command.  By default sysadm_t domain does not have transition rules to allow puppet to run in the puppet_t domain. Additional denials were generated because sysadmin_t does not have permissions to enter confined domains such as consoletype_t,  hostname_t, puppet_initrc_t etc to execute their 
respective commands. 

puppet_t does have permissions to enter those domains and run their  respective commands. Just like rhel7's version of the policy, 'puppet agent' command should
successfully transition to one of puppet's domain Instead of running in caller's domain. 

Following rhel7's model, rhel6's puppet module should export a couple of interfaces that would allow calling domain/role combination to transition to puppet_t domain.  Something like ..

########################################
## <summary>
##      Execute puppet in the puppet
##      domain.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`puppet_domtrans_puppet',`
        gen_require(`
                type puppet_t, puppet_exec_t;
        ')

        corecmd_search_bin($1)
        domtrans_pattern($1, puppet_exec_t, puppet_t)
')

#####################################
## <summary>
##      Execute puppet in the puppet
##      domain and allow the specified
##      role the puppet domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to transition.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`puppet_run_puppet',`
        gen_require(`
                type puppet_t, puppet_exec_t;
        ')

        puppet_domtrans_puppet($1)
        role $2 types puppet_t;
')

With these interfaces, appropriate system administrators could be allowed to execute puppet.


Version-Release number of selected component (if applicable):

- SELinux policy version 3.7.19-306 


How reproducible:

- Each time


Steps to Reproduce:
1. Create a rhel6 system with the latest selinux-policy rpm.
2. Install and setup puppet
3. ssh into the system and become system administrator using "sudo -ir sysadm_r"  or login locally on the system as root in sysadm_r role.
4. Run "puppet agent --test --noop"


Actual results:
- Selinux is denying this interaction


Expected results:
- As this works in the later RHEL 7, RHEL 6 should ideally reflect this behavior as well.
Comment 12 Milos Malik 2017-12-06 09:33:14 UTC 
log in via ssh as staff_u user -> switch to sysadm_r via newrole -> switch to root via su -> run puppet agent --test --noop --server

Following SELinux denial appears after disabling dontaudit rules:
----
type=SYSCALL msg=audit(12/06/2017 04:28:33.553:351) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xb9a740 a1=0xbaf4e0 a2=0xba1390 a3=0x38 items=0 ppid=25156 pid=25576 auid=staffroot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=17 comm=puppet exe=/usr/bin/ruby subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/06/2017 04:28:33.553:351) : avc:  denied  { execute_no_trans } for  pid=25576 comm=bash path=/usr/bin/puppet dev=vda1 ino=33564 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_exec_t:s0 tclass=file 
type=AVC msg=audit(12/06/2017 04:28:33.553:351) : avc:  denied  { execute } for  pid=25576 comm=bash name=puppet dev=vda1 ino=33564 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_exec_t:s0 tclass=file 
----
Comment 19 errata-xmlrpc 2018-06-19 05:11:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1871