Bug 703813

Summary: RFE: let cobbler run puppetca (puppet cert)
Product: Fedora
Reporter: Cristian Ciupitu <cristian.ciupitu>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: domg444, dwalsh, mgrepl, shenson
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.9.7-46.fc14
Doc Type: Bug Fix
Last Closed: 2011-10-30 00:33:56 UTC

Attachments:
* mycobbler.te
* mypuppet.te
* ausearch --start 14:39:55 --end 14:49:19
* patch proposal for puppetca

Description Cristian Ciupitu 2011-05-11 10:24:13 UTC
Description of problem:
One of the features of cobbler 2.0.11 is puppet integration. Now cobbler can manage (sign & remove) puppet certificates automatically. This is done by running the executable mentioned in the puppetca_path setting, the default being /usr/sbin/puppetca. Because puppetca is run inside cobbler's domain, it won't work because of SELinux denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-40.fc14.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Configure cobbler to use these settings:
puppet_auto_setup: 1
sign_puppet_certs_automatically: 1
puppetca_path: "/usr/sbin/puppetca"
remove_old_puppet_certs_automatically: 1
2. Install a machine using cobbler.
  
Actual results:
SELinux denials.

Expected results:
puppetca should run without any SELinux denials.

Additional info:
Fedora and EPEL provide an old version of puppet. The latest version (2.6) uses git style subcommands, i.e. "puppet cert". "puppetca" is still provided, but it's obsolete.

dgrift is helping me to write a policy, so I might attach a proposal in a couple of days.

Comment 1 Dominick Grift 2011-05-11 10:31:06 UTC
We will probably end up allowing cobblerd_t to run puppetca or puppet cert in the cobblerd_t domain. (either corecmd_exec_bin or puppet_exec_puppetca)

Because although we can confine puppetca, we have not yet determined whether it makes sense to confine it. Besides that, it will probably not be a good idea to confine the puppet command, which will be used in newer versions to sign systems (puppet cert).

So this report is a little premature.

Comment 2 Miroslav Grepl 2011-05-11 11:05:27 UTC
Could you attach AVC msgs which you are getting?

But I believe we will agree with Dominic to make it work with the cobblerd_t domain.

Comment 3 Cristian Ciupitu 2011-05-11 11:11:19 UTC
It will take some time to dig through the logs in order to get them, but I'll try. I'll also add the current custom policy.

Comment 4 Cristian Ciupitu 2011-05-11 11:25:07 UTC
Created attachment 498258 [details]
mycobbler.te

Credit goes to dgrift.

Comment 5 Cristian Ciupitu 2011-05-11 11:26:02 UTC
Created attachment 498259 [details]
mypuppet.te

Credit goes to dgrift.

You will also need to run: chcon -t puppetca_exec_t /usr/sbin/puppetca

Comment 6 Dominick Grift 2011-05-11 11:30:46 UTC
I guess we can implement a boolean like "cobbler_can_sign_with_puppetca" or something along those lines. Then add the policy specific to cobblerca to the boolean block.

The AVC denials are coming soon.

We're de-installing our policy, resetting and running it in permissive mode to collect them.
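As an added illustration of the boolean approach proposed above (this is not the attached mycobbler.te or the later patch, and the module name, the exact boolean name and the use of plain can_exec rather than a puppet interface are my assumptions), a minimal loadable module that keeps the extra access off until an administrator opts in:

```selinux
# mycobbler_puppetca.te (added example, not an attachment from this bug)
# Implements the proposed boolean: when it is off, cobblerd_t gains nothing;
# when it is on, cobblerd_t may execute files labelled puppetca_exec_t in its
# own domain (no domain transition, matching the cobblerd_t approach above).
# Assumes cobblerd_t and puppetca_exec_t are defined by the base policy.
policy_module(mycobbler_puppetca, 1.0)

gen_tunable(cobbler_can_sign_with_puppetca, false)

require {
	type cobblerd_t;
	type puppetca_exec_t;
}

tunable_policy(`cobbler_can_sign_with_puppetca', `
	# Execute permission only; anything else puppetca turns out to need
	# (found from the collected AVC denials) belongs inside this same block
	# so that it is also gated on the boolean.
	can_exec(cobblerd_t, puppetca_exec_t)
')

# Build, load and enable (needs selinux-policy-devel for the refpolicy Makefile):
#   make -f /usr/share/selinux/devel/Makefile mycobbler_puppetca.pp
#   semodule -i mycobbler_puppetca.pp
#   setsebool -P cobbler_can_sign_with_puppetca on
# Verify the rule is present and see that it is conditional on the boolean:
#   sesearch -A -s cobblerd_t -t puppetca_exec_t -c file
```

The file itself still has to carry the puppetca_exec_t label (the chcon from comment 5, or a matching file context entry) or the rule never matches.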

Comment 7 Cristian Ciupitu 2011-05-11 11:52:23 UTC
Created attachment 498269 [details]
ausearch --start 14:39:55 --end 14:49:19

getenforce -> Permissive
No custom modules.

Wed May 11 14:39:55 EEST 2011 start daemons
Wed May 11 14:41:12 EEST 2011 cobbler sync
Wed May 11 14:41:32 EEST 2011 KVM VM network install
Wed May 11 14:49:19 EEST 2011 the end

Comment 8 Cristian Ciupitu 2011-05-11 15:16:29 UTC
I forgot to mention that all testing was done with puppet-server-2.6.8-0.1.rc1.fc14.noarch which is not available in Fedora's repositories yet, only in tmz's repositories.

Comment 9 Daniel Walsh 2011-05-11 22:14:51 UTC
I would think we should add policy for puppetca.

Comment 10 Dominick Grift 2011-05-12 09:28:43 UTC
Created attachment 498491 [details]
patch proposal for puppetca

Enclosed is a patch proposal. It has some controversial policy though. Comments welcome.

Comment 11 Daniel Walsh 2011-05-24 17:40:41 UTC
Dominic, I like the puppetca stuff, but the execute stuff I think should be replaced with access_check.

Comment 12 Miroslav Grepl 2011-10-07 19:42:09 UTC
I need to backport all F15, F16 puppet changes to F14.

Comment 13 Miroslav Grepl 2011-10-20 08:00:53 UTC
Fixed in selinux-policy-3.9.7-46.fc14

Comment 14 Fedora Update System 2011-10-20 11:57:58 UTC
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14

Comment 15 Fedora Update System 2011-10-22 08:21:14 UTC
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2011-10-30 00:33:56 UTC
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.