Bug 833660

Summary: SELinux is preventing /usr/bin/ruby from 'open' accesses on the file configserver.log.
Product: Fedora
Reporter: Armando <pr.armandosilva>
Component: aeolus-configserver
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dradez, dwalsh, gblomqui, jvlcek, mgrepl
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:c22fef81d4fc6964cb9b398ca28f2f62a757c133c869b7eabf8f6b0856a84aa6
Doc Type: Bug Fix
Last Closed: 2012-09-27 05:14:04 UTC

Description Armando 2012-06-20 04:50:55 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.2-4.fc17.i686
time:           Qua 20 Jun 2012 01:50:33 BRT

description:
:SELinux is preventing /usr/bin/ruby from 'open' accesses on the file configserver.log.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that ruby should be allowed open access on the configserver.log file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep thin /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:thin_t:s0
:Target Context                system_u:object_r:var_log_t:s0
:Target Objects                configserver.log [ file ]
:Source                        thin
:Source Path                   /usr/bin/ruby
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ruby-1.9.3.194-11.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.2-4.fc17.i686 #1 SMP Thu Jun
:                              14 22:19:00 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    Qua 20 Jun 2012 01:42:34 BRT
:Last Seen                     Qua 20 Jun 2012 01:42:45 BRT
:Local ID                      c0272eb2-e8db-458f-b465-be2989f9d0d1
:
:Raw Audit Messages
:type=AVC msg=audit(1340167365.366:78): avc:  denied  { open } for  pid=997 comm="thin" name="configserver.log" dev="dm-1" ino=1314627 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1340167365.366:78): arch=i386 syscall=open success=no exit=EACCES a0=9dd21e0 a1=8441 a2=1b6 a3=0 items=0 ppid=1 pid=997 auid=4294967295 uid=180 gid=180 euid=180 suid=180 fsuid=180 egid=180 sgid=180 fsgid=180 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)
:
:Hash: thin,thin_t,var_log_t,file,open
:
:audit2allow
:unable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -R
:unable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Daniel Walsh 2012-06-20 18:25:05 UTC
configserver.log looks like it is mislabeled.

Where is configserver.log located and which process owns it?  thin?

Comment 2 Miroslav Grepl 2012-06-22 07:52:07 UTC
This is caused by the aeolus-configserver service. Basically it used "thin".

And this is the reason why we will need to change the way we confine it. Basically we came up with a solution for tomcat or paster.

We now have thin_exec_t for /usr/bin/thin. This means if thin is used for a service, this service will run as thin_t.

So we could do "thin_domain_template()" (as we have for tomcat now in F18), which will create the thin_aeolus_configserver_t domain and the thin_aeolus_configserver_exec_t label for the executable.

And this thin_aeolus_configserver_exec_t label needs to be added for a script which will do:

/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \
  -P $THIN_PID -a $THIN_IP -e $RACK_ENV \
  --user $AEOLUS_USER --group $AEOLUS_GROUP \
  -d --prefix=${PREFIX} -R $CONFIG_SERVER_RACKUP -p $CONFIG_SERVER_PORT

Comment 3 Greg Blomquist 2012-06-25 20:41:29 UTC
After a quick chat with Miroslav and Dan on IRC, I believe this amounts to simply updating the aeolus-configserver.service file (https://github.com/aeolusproject/audrey/blob/master/configserver/conf/aeolus-configserver.service), replacing "ExecStart=/usr/bin/thin ..." with "ExecStart=/usr/bin/thinStarter"

Where "/usr/bin/thinStarter" is a script that calls exactly what's in ExecStart today:

/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \
  -P $THIN_PID -a $THIN_IP -e $RACK_ENV \
  --user $AEOLUS_USER --group $AEOLUS_GROUP \
  -d --prefix=${PREFIX} -R $CONFIG_SERVER_RACKUP -p $CONFIG_SERVER_PORT

Dan and Miroslav, if I got any of this wrong, please feel free to chime in with any corrections.  And, thanks for the help in IRC!

Comment 4 Miroslav Grepl 2012-06-26 11:07:36 UTC
Great. I am just adding fixes to rawhide and then I am going to backport it to F17 and build a new scratch build for testing.

Comment 5 Miroslav Grepl 2012-06-26 12:49:05 UTC
Greg,
could you test it with

http://koji.fedoraproject.org/koji/taskinfo?taskID=4196484

Comment 6 Greg Blomquist 2012-06-29 14:39:46 UTC
Miroslav,

absolutely!  Thanks for putting that together.  I'll try to get this tested today.

Comment 7 Greg Blomquist 2012-07-03 13:53:53 UTC
Miroslav,

I updated the config server to use a separate script to kick off thin.  This is the way it works now:

  - systemd (ExecStart) -> /usr/bin/aeolus-configserver-thinwrapper
  - aeolus-configserver-thinwrapper -> thin

Before upgrading with your selinux patch, I was able to see the reported error.

After upgrading with your patch, the config server works as expected (i.e., no errors visible to the user).  But, I see several sealerts in /var/log/messages.  I'm including two of the sealerts inline here.  I can add the rest as attachments.

*-*-*-*-* 3aa91f6c-3bce-4705-bd90-a2d2235da108 *-*-*-*-*

WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
SELinux is preventing /usr/bin/ruby from create access on the directory aeolus-configserver.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ruby should be allowed create access on the aeolus-configserver directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                aeolus-configserver [ dir ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          dhcp-230-180.rdu.redhat.com
Source RPM Packages           ruby-1.9.3.194-13.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-133.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-230-180.rdu.redhat.com
Platform                      Linux dhcp-230-180.rdu.redhat.com
                              3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC
                              2012 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 02 Jul 2012 11:31:01 AM EDT
Last Seen                     Mon 02 Jul 2012 01:04:27 PM EDT
Local ID                      3aa91f6c-3bce-4705-bd90-a2d2235da108

Raw Audit Messages
type=AVC msg=audit(1341248667.636:49): avc:  denied  { create } for  pid=760 comm="thin" name="aeolus-configserver" scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1341248667.636:49): arch=x86_64 syscall=mkdir success=yes exit=0 a0=d8f8b0 a1=1ff a2=0 a3=0 items=0 ppid=704 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,var_run_t,dir,create

audit2allow

#============= thin_t ==============
allow thin_t var_run_t:dir create;

audit2allow -R

#============= thin_t ==============
allow thin_t var_run_t:dir create;

*-*-*-*-* 3aa91f6c-3bce-4705-bd90-a2d2235da108 *-*-*-*-*


*-*-*-*-* 1f0ced86-4c5e-4934-93af-0841d8269829 *-*-*-*-*

WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
SELinux is preventing /usr/bin/ruby from getattr access on the directory /var/log/aeolus-configserver.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ruby should be allowed getattr access on the aeolus-configserver directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:thin_aeolus_configserver_log_t:s
                              0
Target Objects                /var/log/aeolus-configserver [ dir ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          dhcp-230-180.rdu.redhat.com
Source RPM Packages           ruby-1.9.3.194-13.fc17.x86_64
Target RPM Packages           aeolus-configserver-0.5.0-0.fc17.20120629211041git
                              f92ebde.noarch
Policy RPM                    selinux-policy-3.10.0-133.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-230-180.rdu.redhat.com
Platform                      Linux dhcp-230-180.rdu.redhat.com
                              3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 02 Jul 2012 01:04:27 PM EDT
Last Seen                     Mon 02 Jul 2012 01:04:27 PM EDT
Local ID                      1f0ced86-4c5e-4934-93af-0841d8269829

Raw Audit Messages
type=AVC msg=audit(1341248667.637:50): avc:  denied  { getattr } for  pid=760 comm="thin" path="/var/log/aeolus-configserver" dev="dm-1" ino=37415 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:thin_aeolus_configserver_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1341248667.637:50): arch=x86_64 syscall=stat success=yes exit=0 a0=f1d8a0 a1=7fff911b7800 a2=7fff911b7800 a3=321052f940 items=0 ppid=704 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,thin_aeolus_configserver_log_t,dir,getattr

audit2allow

#============= thin_t ==============
allow thin_t thin_aeolus_configserver_log_t:dir getattr;

audit2allow -R

#============= thin_t ==============
allow thin_t thin_aeolus_configserver_log_t:dir getattr;

*-*-*-*-* 1f0ced86-4c5e-4934-93af-0841d8269829 *-*-*-*-*


Altogether, I found 9 separate sealerts.  Two directories with several alerts, one network operation, and one signal access.

- /var/log/aeolus-configserver
  * create (inlined above)
  * dir getattr (inlined above)
  * search
  * file open

- /var/lib/aeolus-configserver/configs
  * dir getattr
  * file getattr
  * file read open

- SELinux is preventing /usr/bin/ruby from name_bind access on the tcp_socket .
  * port 4567
(the alert here instructs to do:
# semanage port -a -t PORT_TYPE -p tcp 4567
    where PORT_TYPE is one of the following: ntop_port_t.)

- SELinux is preventing /usr/bin/ruby from using the signal access on a process.


Like I said above though, the config server is operating.  There are no errors presented to the user.  There's nothing indicating that the application is unable to perform certain operations.  So, I'm a little baffled at the number of sealerts that showed up.

Hope this helps a little.

Comment 8 Miroslav Grepl 2012-07-03 14:34:14 UTC
Well, the problem is that the policy has labeling for

/usr/bin/thinStarter    --  gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)

instead of  /usr/bin/aeolus-configserver-thinwrapper

So you need to execute

# chcon -t thin_aeolus_configserver_exec_t /usr/bin/aeolus-configserver-thinwrapper

and then re-test it. We don't want to have it in the thin_t domain.

Comment 9 Greg Blomquist 2012-07-03 14:38:46 UTC
D'oh!  Sorry, I renamed it to be something more context-specific.

Comment 10 Greg Blomquist 2012-07-05 16:32:49 UTC
After upgrading selinux-policy and changing the security context of aeolus-configserver-thinwrapper to thin_aeolus_configserver_exec_t, I get the following in /var/log/messages:

Jul  5 11:56:21 dhcp231-56 aeolus-configserver-thinwrapper[1951]: /bin/bash: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied
Jul  5 11:56:21 dhcp231-56 systemd[1]: aeolus-configserver.service: main process exited, code=exited, status=127

Any clues?

Comment 11 Miroslav Grepl 2012-07-09 06:05:38 UTC
# setenforce 0
# ausearch -m avc -ts recent

Comment 12 Greg Blomquist 2012-07-09 14:25:48 UTC
# ausearch -m avc -ts this-month
----
time->Thu Jul  5 11:56:21 2012
type=SYSCALL msg=audit(1341503781.622:158): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=0 items=0 ppid=1 pid=1951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="aeolus-configse" exe="/usr/bin/bash" subj=system_u:system_r:thin_aeolus_configserver_t:s0 key=(null)
type=AVC msg=audit(1341503781.622:158): avc:  denied  { read } for  pid=1951 comm="aeolus-configse" path="/usr/bin/bash" dev="dm-1" ino=133227 scontext=system_u:system_r:thin_aeolus_configserver_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
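
Added example (not code from this bug or from the aeolus-configserver project): a small Python triage script run over the raw AVC records quoted in comments 7 and 12. It rebuilds the "Hash:" key and the audit2allow rule that the sealerts show, and applies the point made in comment 8: a denial whose source domain is thin_t rather than thin_aeolus_configserver_t means the wrapper is mislabeled, so the fix is the exec label (chcon), not extra allow rules. The expected domain constant is assumed from comment 8.

```python
import re
import shlex

# Raw AVC records copied from the sealerts in comments 7 and 12 of this bug.
AVC_LINES = [
    'type=AVC msg=audit(1341248667.636:49): avc:  denied  { create } for  pid=760 comm="thin" name="aeolus-configserver" scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1341248667.637:50): avc:  denied  { getattr } for  pid=760 comm="thin" path="/var/log/aeolus-configserver" dev="dm-1" ino=37415 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:thin_aeolus_configserver_log_t:s0 tclass=dir',
    'type=AVC msg=audit(1341503781.622:158): avc:  denied  { read } for  pid=1951 comm="aeolus-configse" path="/usr/bin/bash" dev="dm-1" ino=133227 scontext=system_u:system_r:thin_aeolus_configserver_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file',
]

# Domain the wrapper should run in once it carries thin_aeolus_configserver_exec_t (assumed from comment 8).
EXPECTED_DOMAIN = "thin_aeolus_configserver_t"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Split one AVC record into perms, process name, source domain, target type and class."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL records and other audit types carry no avc: denied block
    fields = {}
    for token in shlex.split(m.group("fields")):  # shlex drops the quotes in comm="thin"
        key, _, value = token.partition("=")
        fields[key] = value
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "domain": fields["scontext"].split(":")[2],  # user:role:type:level -> type
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def sealert_hash(rec):
    """The 'Hash:' key setroubleshoot prints to group repeated alerts."""
    return ",".join([rec["comm"], rec["domain"], rec["target"], rec["tclass"]] + rec["perms"])

def allow_rule(rec):
    """The rule audit2allow would emit for this denial; shown for comparison, not as the fix."""
    return "allow %s %s:%s %s;" % (rec["domain"], rec["target"], rec["tclass"], " ".join(rec["perms"]))

def triage(line, expected_domain=EXPECTED_DOMAIN):
    """Labeling problem (process in the wrong domain) versus a gap in the intended domain's policy."""
    rec = parse_avc(line)
    if rec is None:
        return None
    if rec["domain"] != expected_domain:
        return ("relabel", "%s runs as %s, expected %s: fix the exec label instead of adding rules"
                % (rec["comm"], rec["domain"], expected_domain))
    return ("policy-gap", allow_rule(rec))
```

The first two records (comment 7) come out as "relabel", matching the chcon advice in comment 8; the third (comment 12) is already in the intended domain, so it is a genuine gap for the policy package to address.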

Comment 13 Miroslav Grepl 2012-07-10 07:04:04 UTC
Ok, could you test it with selinux-policy-3.10.0-138.fc17?

Comment 14 Greg Blomquist 2012-07-10 14:01:07 UTC
Will do

Comment 15 Greg Blomquist 2012-09-13 16:15:38 UTC
Added thinwrapper script.
Updated systemd script to call thinwrapper instead of trying to start thin directly.

git hash: 6916146283f4b82e30f6e3fa2ac373382b4ee16d (master)

Comment 16 Fedora Update System 2012-09-18 16:03:33 UTC
aeolus-configserver-0.5.1-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/aeolus-configserver-0.5.1-1.fc18

Comment 17 Fedora Update System 2012-09-20 05:56:52 UTC
Package aeolus-configserver-0.5.1-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing aeolus-configserver-0.5.1-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14375/aeolus-configserver-0.5.1-1.fc18
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2012-09-27 05:14:04 UTC
aeolus-configserver-0.5.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.