| Summary: | puppetmaster_t needs usermanage_domtrans_passwd | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ricky Zhou <rzhou> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | dominick.grift, dwalsh, geminic86, mgrepl, ricky, tcallawa |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.9.16-27.fc15 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-02-10 08:47:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Just as I suspected: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=aa44245b87c44597c81d106d12a201d50c58184b

*** Bug 699330 has been marked as a duplicate of this bug. ***

Ricky, could you just try to disable your local policy

```
# semodule -d your_module
# semanage permissive -a puppetmaster_t
```

re-test it and run

```
# ausearch -m avc -ts recent
```

Created attachment 501762
puppetmaster avcs
Here's the output. The duplicate entries are because I'm running several instances of the puppetmaster process.
Looks like it is actually not running it in those AVC denials but checking for execute (open X_OK) and it's getting attributes of the chage executable file. If it was actually running chage we would also have seen an execute_no_trans AVC denial. I think we need a:

```
interface(`usermanage_check_exec_passwd',`
	gen_require(` type passwd_exec_t; ')
	allow $1 passwd_exec_t:file { getattr_file_perms execute };
')
```
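The test in the comment above (getattr/execute alone means an executability check; execute_no_trans means the binary was really run in the caller's domain) as a small Python triage script over ausearch-style AVC lines. This is an added example, not code from the bug or from selinux-policy; the sample lines are constructed, the first one copying the denial from the bug description.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -m avc` format (not the attachment from the bug); the
# first line copies the denial from the bug description, the useradd lines show what a
# real execution in the same domain looks like: execute_no_trans next to execute.
SAMPLE_AVCS = """\
type=AVC msg=audit(1306723316.360:211): avc: denied { getattr } for pid=22769 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=1444742 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=AVC msg=audit(1306723316.361:212): avc: denied { execute } for pid=22769 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=1444742 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=AVC msg=audit(1306723400.101:250): avc: denied { execute } for pid=22800 comm="puppetmasterd" path="/usr/sbin/useradd" dev=dm-1 ino=1444800 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file
type=AVC msg=audit(1306723400.102:251): avc: denied { execute_no_trans } for pid=22800 comm="puppetmasterd" path="/usr/sbin/useradd" dev=dm-1 ino=1444800 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# File permissions an access(2)/stat(2) style probe of a binary can generate by itself.
PROBE_PERMS = {"getattr", "execute", "read", "open"}


def collect_file_denials(text):
    """Group denied file-class permissions by (source type, target type)."""
    denied = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "file":
            continue
        src = m.group("sctx").split(":")[2]  # type field of the security context
        tgt = m.group("tctx").split(":")[2]
        denied[(src, tgt)].update(m.group("perms").split())
    return denied


def classify(denied):
    """'exec' when execute_no_trans shows the domain really ran the binary,
    'probe' when only permissions of an executability check were denied."""
    result = {}
    for key, perms in denied.items():
        if "execute_no_trans" in perms:
            result[key] = "exec"
        elif perms <= PROBE_PERMS:
            result[key] = "probe"
        else:
            result[key] = "other"
    return result

if __name__ == "__main__":
    for (src, tgt), kind in classify(collect_file_denials(SAMPLE_AVCS)).items():
        print(f"{src} -> {tgt}: {kind}")
```

A 'probe' pair is the case for a check_exec style rule with getattr and execute only; an 'exec' pair is where a domain transition or execute_no_trans actually has to be allowed.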
Ahh, good catch, that makes a lot more sense than actually executing chage (I was fooled by the "execute" in the denial message). I've confirmed that a policy with just

```
allow puppetmaster_t passwd_exec_t:file { getattr_file_perms execute };
```

is sufficient. Since I think the same code in puppet is what caused previous useradd denials in puppetmaster, the

```
usermanage_domtrans_useradd(puppetmaster_t)
```

in the current selinux-policy can probably be restricted more as well.
I actually added the usermanage_check_exec_passwd(puppetmaster_t) in my "puppetca" patch: https://bugzilla.redhat.com/show_bug.cgi?id=703813

dwalsh merged it but changed it to use audit-access, which I am not sure will do the trick (I am actually pretty sure it doesn't do the trick).

```
# ausyscall 21
access
```

Ricky,

```
# rpm -q selinux-policy
```

If audit_access works we will still need to add getattr, I suspect. We may also be able to replace the other usermanage_domtrans.* interface calls in puppet.te

Yes.

(In reply to comment #10)
> # ausyscall 21
> access
>
> Ricky,
>
> # rpm -q selinux-policy

selinux-policy-3.9.16-24.fc15.noarch

Edited the "access_check" interfaces to include get attributes, and changed all usermanage calls by puppetmaster to access check. http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=884c081a90563159afc3d6b88ca35a25313e69c4

I am fine with this in Rawhide. But will wait with all changes in F15. I am just adding fixes for passwd_exec_t.

Fixed in selinux-policy-3.9.16-27.fc15
Description of problem: puppetmaster needs to run chage, which results in the following denial:

```
type=AVC msg=audit(1306723316.360:211): avc: denied { getattr } for pid=22769 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=1444742 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
```

I was able to fix this with a custom local policy granting usermanage_domtrans_passwd(puppetmaster_t).