Bug 727145
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | /var/cfengine/output shouldn't be labelled as var_log_t | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | David Hill <dhill> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Michal Trunecka <mtruneck> |
| Severity | urgent | Docs Contact | |
| Priority | medium | | |
| Version | 6.1 | CC | dhill, dwalsh, ebenes, ksrot, mmalik, mtruneck |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.7.19-146.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-06-20 12:24:37 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description
David Hill
2011-08-01 12:29:12 UTC
PS: with previous versions of rhel 5.X we were able to bypass that by adding our own context which overrode the default selinux-policy context ... but with rhel 6.X, our custom module is failing to load.

Could you attach AVC msgs which you are getting?

Created attachment 516133 [details]
Short sample of AVC audit logs...

Also, if I follow the instruction from the RHEL 6.1 Secure Linux documentation and relabel the cfengine binaries to unconfined_t, everything breaks further.
See attachment #2 [details].

Created attachment 516134 [details]
selinux unconfined bug.

I have managed to relabel /var/cfengine/outputs with semanage, but I cannot override the context of /var/cfengine/outputs with my custom module.

(In reply to comment #5)
> Also, if I follow the instruction from the RHEL 6.1 Secure Linux documentation
> and relabel the cfengine binaries to unconfined_t, everything breaks further.
>
> See attachment #2 [details].

Not sure which instruction you mean. "unconfined_t" is a domain type; you cannot add this type to an executable. Basically we will need to add a basic confinement for cfengine, but this domain will also end up as unconfined. Could you attach some examples of your cfengine configuration?

4.2 point 6

Ok, that is my fault... I didn't use unconfined_exec_t ... ;) Sorry for the mistake. It will work with the unconfined_exec_t, but I will still have to try it.

"To make the httpd process run unconfined, run the following command as the Linux root user to change the type of /usr/sbin/httpd, to a type that does not transition to a confined domain: chcon -t unconfined_exec_t /usr/sbin/httpd"
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

What do you mean by some examples of my cfengine configuration? You want to see how we restart a service with cfengine?

Here is a sample:

```
(redhat_s_6||centos_6).reload_nrpe::
    "/sbin/service nrpe restart" useshell=false
```

My selinux policy:

```
policy_module(ubi_cfengine,0.0.11)

gen_require(`
    attribute domain;
')

########################################
#
# Declarations
#

type cfengine_output_t;
files_type(cfengine_output_t)

allow domain cfengine_output_t:dir rw_dir_perms;
allow domain cfengine_output_t:file manage_file_perms;
```

And my relabel of /var/cfengine/outputs/:

```
(redhat_s_6||centos_6).(selinux_enforced||selinux_permissive).!has_semanage_cfengine_output_t::
    "/usr/sbin/semanage fcontext -a -t cfengine_output_t '/var/cfengine/outputs(/.*)?' > /dev/null 2>&1"
```

We need to boot the server in permissive at kickstart time; the first time cfengine runs, it will load the modules, put selinux in enforcing and reboot ... (the reboot is manual though).

If you created a ubi_cfengine.fc file with the following:

```
/var/cfengine/outputs(/.*)?    gen_context(system_u:object_r:cfengine_output_t,s0)
```

then run restorecon, you should be able to eliminate the semanage command. Why are you changing the context of httpd to unconfined_exec_t?

Nope, it compiles but it won't load ...

```
[root@localhost devel]# semodule -i ubi_cfengine.pp
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/cfengine/outputs(/.*)? (system_u:object_r:cfengine_output_t:s0 and system_u:object_r:var_log_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
```

And no, I'm not trying to change the context of http to unconfined_exec_t ... I tried doing that to /usr/sbin/cf* (cfengine) ... I have another issue with that and bypassed it with MLS_CONTEXT=unconfined in the crontab, because cfengine would run as crond_t and write output logs to crond_log_t ... which is not what we want... BTW, my cfengine module did have the file context included in rhel5.6/5.7 and it loaded even if it was already defined, but it appears that this selinux policy in rhel 6.0/6.1 doesn't allow a redefinition.

Ok, so we defined a type for /var/cfengine/outputs and you want this to change. Which would require a selinux-policy change or you to use semanage.

Using var_log_t context for /var/cfengine/outputs is bad IMHO. This is simply because if I want to restart nrpe with cfengine (for example) I will have to grant nrpe write permission to var_log_t ... I would rather define another context with semanage for /var/cfengine/outputs and allow any process to write to that context with a custom selinux policy.
I've read a bit and some people are complaining about issues with selinux and cfengine. I think this is the best solution and should be incorporated in the selinux-policy package, but that's up to you.

I am not sure what is being output to this directory, since I do not use cfengine. Does cfengine create an output file in this directory and use this as stdout?

That's exactly what it does! When cfengine starts nrpe, it redirects nrpe init script output to /var/cfengine/outputs/cf_hostname_domainname_date_time_timestamp ... It does the same with apache, mysql, mongodb, etc ... So anything started via cfengine needs to be able to write output to /var/cfengine/outputs/cf_hostname_domainname_date_time_timestamp or else fails to start properly. And this will happen even if nrpe doesn't output anything. If it can't open the file for writing, it won't start the service.

Can it set the output to be append rather than write?

(In reply to comment #9)
> 4.2 point 6
>
> Ok, that is my fault... I didn't use unconfined_exec_t ... ;) Sorry for the
> mistake. It will work with the unconfined_exec_t, but I will still have to try
> it.
>
> "To make the httpd process run unconfined, run the following command as the
> Linux root user to change the type of /usr/sbin/httpd, to a type that does not
> transition to a confined domain: chcon -t unconfined_exec_t /usr/sbin/httpd"
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf
>
> What do you mean by some examples of my cfengine configuration? You want to
> see how we restart a service with cfengine?
>
> Here is a sample:
> (redhat_s_6||centos_6).reload_nrpe::
> "/sbin/service nrpe restart" useshell=false

Ok, I will try to configure cfengine and test the cfengine policy which Dan added to Fedora and provide you for testing.
@Daniel: Without touching the source code of cfengine I doubt it is possible, since it's how cfengine handles the EXEC of a shell that is done like this.

Created attachment 517534 [details]
cfengine initial policy

```
tar xvf /tmp/cfengine.tgz
cd /tmp
sh cfengine.sh
chcon -R -t cfengine_var_lib_t /var/cfengine
echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
service auditd restart
service cfengine restart
```

And start collecting AVCs.
Hello Miroslav,

These are the files used in our version of cfengine:

```
[]$ ls /usr/sbin/cf* -latr
-rwxr-xr-x 1 root root   4176 Apr 16  2009 /usr/sbin/cfdoc
-rwxr-xr-x 1 root root 641735 Apr 16  2009 /usr/sbin/cfshow
-rwxr-xr-x 1 root root 668476 Apr 16  2009 /usr/sbin/cfservd
-rwxr-xr-x 1 root root 618640 Apr 16  2009 /usr/sbin/cfrun
-rwxr-xr-x 1 root root 602772 Apr 16  2009 /usr/sbin/cfkey
-rwxr-xr-x 1 root root 615122 Apr 16  2009 /usr/sbin/cfexecd
-rwxr-xr-x 1 root root  27884 Apr 16  2009 /usr/sbin/cfetoolgraph
-rwxr-xr-x 1 root root 203673 Apr 16  2009 /usr/sbin/cfetool
-rwxr-xr-x 1 root root 615955 Apr 16  2009 /usr/sbin/cfenvgraph
-rwxr-xr-x 1 root root 640662 Apr 16  2009 /usr/sbin/cfenvd
-rwxr-xr-x 1 root root 785766 Apr 16  2009 /usr/sbin/cfagent
```

Created attachment 517620 [details]
Adding some file context.

I've attached a patch to this bug. I noticed that the line

```
#/var/cfengine(/.*)? gen_context(system_u:object_r:cfengine_var_lib_t,s0)
```

is commented in cfengine.fc ... the file context cfengine_var_lib_t is never generated.

Yes, this is a reason why chcon is needed for testing:

```
# chcon -R -t cfengine_var_lib_t /var/cfengine
```

Labels will change to cfengine_var_lib_t in this directory.

I added a lot of fixes for cfengine. Also I changed labeling for /var/cfengine/outputs from var_log to cfengine_var_log_t and allowed apps and services to append to these files. I am going to do a new build with fixes today. David, any chance you could test it then?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html
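Added example, not part of the bug report or of the selinux-policy project: a small Python check that compares a module's .fc specs against the installed file_contexts and reports the path-regex/context clashes that make setfiles reject the module with "Multiple different specifications", as happened to ubi_cfengine.pp above. The base and module specs are constructed samples.

```python
import re
from typing import Optional

# Constructed sample specs: the base line mirrors the var_log_t spec that made
# semodule fail in the bug report; the .fc lines mirror the ubi_cfengine module.
BASE_FILE_CONTEXTS = """\
/var/log(/.*)?\t\tsystem_u:object_r:var_log_t:s0
/var/cfengine/outputs(/.*)?\tsystem_u:object_r:var_log_t:s0
/var/cfengine(/.*)?\t\tsystem_u:object_r:cfengine_var_lib_t:s0
"""
MODULE_FC = """\
# ubi_cfengine.fc (constructed)
/var/cfengine/outputs(/.*)?\tgen_context(system_u:object_r:cfengine_output_t,s0)
/var/cfengine(/.*)?\t\tgen_context(system_u:object_r:cfengine_var_lib_t,s0)
/opt/ubi/cfengine(/.*)?\t\tgen_context(system_u:object_r:cfengine_output_t,s0)
"""

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),([^)]+)\)")
FILE_TYPES = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}  # optional object-class flag

def parse_spec(line: str) -> Optional[tuple[str, str]]:
    """Return (path_regex, context) for one file_contexts or .fc line; None for
    blank/comment lines. gen_context(ctx,mls) is flattened to 'ctx:mls'."""
    line = line.split("#", 1)[0].strip()
    fields = line.split()
    if not fields:
        return None
    rest = fields[1:]
    if rest and rest[0] in FILE_TYPES:  # skip the optional file-type flag
        rest = rest[1:]
    if not rest:
        return None
    m = GEN_CONTEXT.fullmatch(rest[0])
    ctx = f"{m.group(1)}:{m.group(2)}" if m else rest[0]
    return fields[0], ctx

def find_conflicts(base: str, module_fc: str) -> list[tuple[str, str, str]]:
    """List (path_regex, base_ctx, module_ctx) where the module re-specifies a
    regex the base policy already carries with a different context."""
    base_specs = dict(s for s in map(parse_spec, base.splitlines()) if s)
    conflicts = []
    for spec in map(parse_spec, module_fc.splitlines()):
        if spec and spec[0] in base_specs and base_specs[spec[0]] != spec[1]:
            conflicts.append((spec[0], base_specs[spec[0]], spec[1]))
    return conflicts

if __name__ == "__main__":
    for path, old, new in find_conflicts(BASE_FILE_CONTEXTS, MODULE_FC):
        print(f"{path}: base says {old}, module says {new}")
```

On a real host, feed it the contents of /etc/selinux/targeted/contexts/files/file_contexts and the module's .fc file before running semodule -i; a reported clash is the cue to use semanage fcontext (or a policy change) rather than a duplicate spec.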