Bug 1777263

Summary: puppet and|or certmonger trigger SELinux AVC
Product: Red Hat OpenStack Reporter: Cédric Jeanneret <cjeanner>
Component: openstack-selinuxAssignee: Cédric Jeanneret <cjeanner>
Status: CLOSED ERRATA QA Contact: Julie Pichon <jpichon>
Severity: high Docs Contact:
Priority: high    
Version: 16.0 (Train)CC: jpichon, lhh, lvrabec, zcaplovi
Target Milestone: betaKeywords: Triaged
Target Release: 16.0 (Train on RHEL 8.1)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.8.20-0.20191128201822.e19dabc.el8ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-06 14:42:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Cédric Jeanneret 2019-11-27 10:07:08 UTC 
Description of problem:
type=PROCTITLE msg=audit(11/27/2019 09:26:29.654:7887) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml certmonger_ca 
type=SYSCALL msg=audit(11/27/2019 09:26:29.654:7887) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x63cde8 a1=0x7ffd10abada0 a2=0x7ffd10abada0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12093 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.654:7887) : avc:  denied  { search } for  pid=12093 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.719:7888) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml container_cli docker 
type=SYSCALL msg=audit(11/27/2019 09:26:29.719:7888) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x2550d88 a1=0x7ffffa5c96f0 a2=0x7ffffa5c96f0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12095 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.719:7888) : avc:  denied  { search } for  pid=12095 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.787:7889) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir 
type=SYSCALL msg=audit(11/27/2019 09:26:29.787:7889) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0xf18d90 a1=0x7ffc8b7255c0 a2=0x7ffc8b7255c0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.787:7889) : avc:  denied  { search } for  pid=12097 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.853:7890) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir 
type=SYSCALL msg=audit(11/27/2019 09:26:29.853:7890) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0xb48df0 a1=0x7ffe08af6430 a2=0x7ffe08af6430 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12099 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.853:7890) : avc:  denied  { search } for  pid=12099 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.919:7891) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate 
type=SYSCALL msg=audit(11/27/2019 09:26:29.919:7891) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x1548df0 a1=0x7fff5cf3e5c0 a2=0x7fff5cf3e5c0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.919:7891) : avc:  denied  { search } for  pid=12101 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
openstack-selinux-0.8.20-0.20191125094339.a4fcc2c.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy osp-16 undercloud|director with internal CA
2. Check /var/log/audit/audit.log
3.

Actual results:
We get a bunch of denials related to certmonger and puppet


Expected results:
No AVC

Additional info:
The following parameters are set in the undercloud.conf, in the DEFAULT section:
generate_service_certificate = True
certificate_generation_ca = local

The provided output is generated using `cat /var/log/audit/audit.log | ausearch -i | less' and searching for "denied" string.

We might want to allow certmonger_t to manage file patterns on puppet_etc_t ? Not really sure of the potential implications.
Comment 1 Cédric Jeanneret 2019-11-27 12:32:03 UTC 
ok, since it's read-only, we can use the nice read_file_pattern (and add the "search" for directories). Providing a PR shortly.
Comment 5 Cédric Jeanneret 2020-01-06 07:35:00 UTC 
Hello Julie,

Would you be able to verify this one? It wouldn't make much sense if I verify it, would it? :)

Thanks!

C.
Comment 6 Julie Pichon 2020-01-06 13:33:26 UTC 
I don't have the resources to check on a working environment, but I can do a sanity check and also have confidence based on the testing we did at the time.

Verified using openstack-selinux-0.8.20-0.20191220123532.2f2c423.el8ost.
Comment 9 errata-xmlrpc 2020-02-06 14:42:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283