Bug 718390
| Field | Value |
|---|---|
| Summary | Shipped SELinux policy prevents Puppet 2.6/2.7 from working |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Yury V. Zaytsev <yury> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | high |
| Priority | medium |
| Version | 6.1 |
| CC | bloch, dcleal, dwalsh, erinn.looneytriggs, ikke, jonathan.underwood, jrieden, mmalik, orion, syeghiay, tmz |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-118.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2011-12-06 10:08:56 UTC |
| Bug Blocks | 666094 |
Description
Yury V. Zaytsev
2011-07-02 10:03:48 UTC

Created attachment 510984 [details]
Addon policy to allow puppetmaster to start

I need to backport changes from Fedora.

Fixed in selinux-policy-3.7.19-104.el6

Miroslav, thanks for the backported policy update. Do you know about how long this will take to get pushed into the rhel6 update channel?

I push them out to people.redhat.com/dwalsh/SELinux/RHEL6

Dan, could you please upload selinux-policy-3.7.19-106.el6 binary/src to your repo? I'm seeing more denials and I'd like to test if those have also been fixed pro-actively by backporting changes from Fedora or if I need to report them as well. Thanks!

P.S. I do have access to FastTrack, but the packages are not there yet.

P.P.S. It's the node/port bind thing that I am talking about:

```
module puppetmaster 1.0;

require {
	type puppetmaster_t;
	type node_t;
	type port_t;
	class udp_socket { name_bind node_bind };
}

#============= puppetmaster_t ==============
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;
```

Please attach raw AVC msgs. I will do a new RHEL6 selinux-policy build tomorrow.

```
Summary:

SELinux is preventing /usr/bin/ruby "name_bind" access .

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          62427
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   13
First Seen                    Mon Aug 1 15:40:45 2011
Last Seen                     Mon Aug 1 16:13:08 2011
Local ID                      2dd7655d-b452-4eb8-a9b8-cbf7d7c8f444
Line Numbers

Raw Audit Messages

node=XXX type=AVC msg=audit(1312207988.988:14129): avc: denied { name_bind } for pid=17866 comm="puppetmasterd" src=62427 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=XXX type=SYSCALL msg=audit(1312207988.988:14129): arch=c000003e syscall=49 success=no exit=-13 a0=17 a1=4b21500 a2=10 a3=40 items=0 ppid=1 pid=17866 auid=0 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=1082 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)

-------------------------------------------------------------------------------

Summary:

SELinux is preventing /usr/bin/ruby "node_bind" access .

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:node_t:s0
Target Objects                None [ udp_socket ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          50157
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   9
First Seen                    Mon Aug 1 15:40:45 2011
Last Seen                     Mon Aug 1 16:11:08 2011
Local ID                      ac17f647-8613-4dc9-8331-6dd33a3413ff
Line Numbers

Raw Audit Messages

node=XXX type=AVC msg=audit(1312207868.949:14122): avc: denied { node_bind } for pid=17866 comm="puppetmasterd" src=50157 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket

node=XXX type=SYSCALL msg=audit(1312207868.949:14122): arch=c000003e syscall=49 success=no exit=-13 a0=16 a1=49e00d0 a2=10 a3=40 items=0 ppid=1 pid=17866 auid=0 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=1082 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
```

Yet another one that I had to add to my private policy:

```
Summary:

SELinux is preventing /usr/bin/ruby "relabelfrom" access on auth.conf.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                unconfined_u:object_r:puppet_etc_t:s0
Target Objects                auth.conf [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Sun Jul 3 03:31:02 2011
Last Seen                     Wed Aug 3 10:15:39 2011
Local ID                      d4686f8d-9853-4e54-9341-f66f631abb85
Line Numbers

Raw Audit Messages

node=XXX type=AVC msg=audit(1312359339.27:12): avc: denied { relabelfrom } for pid=1967 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393383 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=file

node=XXX type=SYSCALL msg=audit(1312359339.27:12): arch=c000003e syscall=189 success=no exit=-13 a0=2f7f7e0 a1=7f9758749259 a2=2f88a60 a3=22 items=0 ppid=1966 pid=1967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
```

Yet another one:

```
Summary:

SELinux is preventing /usr/bin/ruby "relabelto" access on auth.conf.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:puppet_etc_t:s0
Target Objects                auth.conf [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX 2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20 14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Aug 4 10:01:47 2011
Last Seen                     Thu Aug 4 10:01:47 2011
Local ID                      9797cad5-8d83-4e22-887f-073795609148
Line Numbers

Raw Audit Messages

node=XXX type=AVC msg=audit(1312444907.124:12): avc: denied { relabelto } for pid=1965 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393382 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

node=XXX type=SYSCALL msg=audit(1312444907.124:12): arch=c000003e syscall=189 success=no exit=-13 a0=2e4c370 a1=7f0113f2e259 a2=2e555f0 a3=22 items=0 ppid=1964 pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
```

Created attachment 516652 [details]
New version of my custom policy

This should be fixed in the latest RHEL6 policy. Dan, could you upload it?

selinux-policy-3.7.19-106.el6

I still get:

```
type=AVC msg=audit(1312838690.796:71801): avc: denied { search } for pid=4896 comm="puppetmasterd" name="nslcd" dev=dm-4 ino=655384 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir
```

with:

puppet-server-2.6.6-1.el6.noarch
selinux-policy-3.7.19-106.el6.noarch

Although it seems to start up fine.

Hi Orion! Would you mind testing my puppet-2.7.1-1 packages to see if there are any more denials that we will be pushing into RepoForge as soon as this issue is resolved? http://rpm.zaytsev.net/test/puppet/

I'm now running customized packages with an addon SELinux policy of my own in production, so I can't really test it with stock policy and would rather migrate to 2.7.3 directly when it comes out. Thanks!

Yury, I think I'm just going to stick with puppet from EPEL for now. Thanks.

tmz will push it into EPEL as soon as (1) this issue is closed (2) 2.7.3 comes out, so you can regard it as a beta-version, but I do not insist :-) Just appreciate help in making sure that this won't have to be re-opened again for 2.7.1 and 2.7.3.

I don't have plans to push 2.7.x to EPEL anytime soon. AFAIK, it contains incompatible changes from 2.6.x. And we don't even have 2.6.x in stable yet. I'm not thrilled about the prospect of pushing an(other) update that might cause folks more work. Historically, major updates have taken a while to work out the kinks. We didn't even start testing 2.6.x in epel-testing until 2.6.6. (Sadly, 2.6.x is not going to be maintained much longer upstream, so we may have to move to 2.7.x at some point.)

Oh, I'm sorry for the delusion, then I misinterpreted your statement on the IRC regarding the SELinux issues with 2.7.x; I was thinking that this is the only thing that prevents you from putting 2.7.1 to test.

Re: 2.6.x, not that I am happy about it, but it's already almost dropped AFAIK; just one core thing that is broken that I ran into was anonymous arrays, and this is not going to be fixed. Ruby-style, always be at the bleeding edge... So in terms of time investment, 2.7.x after 2.7.3 comes out might be a better idea; at least you have the 2.7.x life span ahead of you and can hope for some client / server compatibility... :-)

Fixed in selinux-policy-3.7.19-107.el6

In order to get puppetmaster to work with SELinux enabled I had to use the following local module. This contains things not currently allowed by the shipped policy, specifically relating to having cobbler automatically call puppetca to sign certificate requests as machines are installed.

```
module puppetlocal 1.0;

require {
	type puppetmaster_t;
	type puppet_var_lib_t;
	type cobblerd_t;
	type httpd_sys_content_t;
	type node_t;
	type sysfs_t;
	type port_t;
	type cert_t;
	class dir { remove_name search };
	class udp_socket { name_bind node_bind };
	class file { create setattr };
}

#============= cobblerd_t ==============
#!!!! This avc is allowed in the current policy
allow cobblerd_t cert_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:dir remove_name;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:file { create setattr };
#!!!! This avc is allowed in the current policy
allow cobblerd_t puppet_var_lib_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t sysfs_t:dir search;

#============= puppetmaster_t ==============
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;
```

*** Bug 732486 has been marked as a duplicate of this bug. ***

These issues should be resolved in selinux-policy-3.7.19-107.el6, whenever that is shipped.

You can test it now using Dan Walsh's repository at: http://people.redhat.com/dwalsh/SELinux/RHEL6/

Is there any idea when these packages will make it to RHEL updates? I'm considering pushing puppet packages to epel-stable and just noting that users running SELinux in enforcing mode -- which are likely a minority among puppet users, based on how long the packages were in testing before anyone noticed the issues -- should grab updated packages from Dan's repo or set SELinux to permissive. Obviously, I'd prefer not to do that, but it's not worth waiting another month over. Thanks to anyone that can provide some details on the update plan for selinux-policy.

Yup, 2.7.3 is out of the door already, 2.7.4 is cooking, but even 2.6.x is not working properly ATM, which is a bummer...

selinux-policy-3.7.19-110.el6 is out on http://people.redhat.com/dwalsh/SELinux/RHEL6/

This will be in the 6.2 update scheduled for later this year.

My automated test succeeded on a machine where the following packages (available at http://rpm.zaytsev.net/test/puppet/) were installed:

puppet-2.7.4-1.el6.zyv.noarch
puppet-server-2.7.4-1.el6.zyv.noarch

and also succeeded on a machine where the following packages (currently available in EPEL) were installed:

puppet-2.6.6-1.el6.noarch
puppet-server-2.6.6-1.el6.noarch

The following policy packages were installed on those machines:

selinux-policy-minimum-3.7.19-114.el6.noarch
selinux-policy-targeted-3.7.19-114.el6.noarch
selinux-policy-mls-3.7.19-114.el6.noarch
selinux-policy-3.7.19-114.el6.noarch
selinux-policy-doc-3.7.19-114.el6.noarch

Fixed in selinux-policy-targeted-3.7.19-118.el6.noarch

```
sesearch -A -s puppetmaster_t -t puppet_etc_t -c file -p relabelto
Found 1 semantic av rules:
   allow puppetmaster_t configfile : file { ioctl read getattr lock relabelfrom relabelto open } ;
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
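The participants in this bug turned raw AVC records into local policy modules by hand. As an added example (not code from the bug report, from Puppet or from the selinux-policy package), the Python script below parses AVC denial records of the kind quoted above, merges permissions per source type, target type and object class, and renders a `.te` module in the same layout as the `puppetmaster` module posted earlier, so the exact access a fix would grant can be read off and reviewed before anything is loaded. The sample audit text is constructed from the four denials quoted in this report; `SAMPLE_AUDIT`, `parse_avc` and `render_module` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in this bug plus one SYSCALL record.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1312207988.988:14129): avc: denied { name_bind } for pid=17866 comm="puppetmasterd" src=62427 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1312207868.949:14122): avc: denied { node_bind } for pid=17866 comm="puppetmasterd" src=50157 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1312359339.27:12): avc: denied { relabelfrom } for pid=1967 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393383 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1312444907.124:12): avc: denied { relabelto } for pid=1965 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393382 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1312444907.124:12): arch=c000003e syscall=189 success=no exit=-13
"""

# One AVC record: the braced permission set, then the source/target contexts and class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms)) per denial."""
    rules = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and unrelated lines are skipped
        stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcontext").split(":")[2]
        rules.append((stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())))
    return rules

def render_module(name, rules):
    """Merge denials into allow rules and emit a .te module in audit2allow's layout."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in rules:
        merged[(stype, ttype, tclass)] |= perms  # relabelfrom + relabelto collapse to one rule
    types = sorted({s for (s, _, _) in merged} | {t for (_, t, _) in merged})
    classes = defaultdict(set)
    for (_, _, tclass), perms in merged.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else f"{{ {p} }}"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_module("puppetmaster_local", parse_avc(SAMPLE_AUDIT)))
```

A rule generated this way records what the process asked for, not what it should be allowed; compare each line against what the daemon legitimately needs (here, ephemeral UDP binds and relabelling auth.conf) before compiling it with checkmodule and semodule_package, and report anything that looks like a gap in the shipped policy, as this thread did.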