Bug 958028

Summary: salt SELinux issues (daemons run as initrc_t)
Product: Red Hat Enterprise Linux 6
Reporter: Florian La Roche <florian.laroche>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.4
CC: dwalsh, herlo1, mgrepl, mmalik, racooper, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-02-25 10:53:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 832330
Attachments: salt-master policy package

Description Florian La Roche 2013-04-30 08:01:16 UTC
Description of problem:
If you install salt-master from EPEL and start it from bootup, the
following errors happen on a current RHEL6.4:

Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:664): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:665): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:666): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:667): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:668): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:669): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:670): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:671): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:672): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:673): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file



Just pasting it through audit2allow gives this policy and salt-master
does not come up with any additional errors:

        module mysalt 1.0;

        require {
                type ifconfig_t;
                type anon_inodefs_t;
                class file { read write };
        }

        #============= ifconfig_t ==============
        allow ifconfig_t anon_inodefs_t:file { read write };


# ps xuwwaZ | grep salt
system_u:system_r:initrc_t:s0   root      1888  0.0  0.9 656504 16364 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1889  0.0  1.8 390396 31260 ?        S    Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1896  0.0  0.9 394360 15672 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1899  0.0  0.9 394360 15908 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1902  0.0  2.0 960752 33828 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1904  0.0  2.0 960748 33840 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1907  0.0  2.0 960724 33852 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1913  0.0  1.9 827112 33412 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1916  0.0  2.0 828668 33824 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d
system_u:system_r:initrc_t:s0   root      1987  0.0  1.9 628940 32208 ?        Sl   Apr29   0:01 /usr/bin/python /usr/bin/salt-minion -d


best regards,

Florian La Roche




Comment 1 Milos Malik 2013-05-02 05:44:44 UTC
There are 2 problems:
 * leaked file descriptors (type=1400 messages)
 * salt-master does not have a SELinux domain (the output of ps)

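The two findings in Comment 1 can both be pulled mechanically out of the material quoted in the description. The following script is an added example and is not part of this bug or of the salt or selinux-policy projects: it parses AVC denials in both the syslog (`type=1400 audit(...)`) and auditd (`type=AVC msg=audit(...)`) forms, flags denials on `anon_inode:` objects in a helper's domain (a helper like `ip` never creates an eventfd or epoll object itself, so such a denial points at a descriptor inherited across the exec), and scans `ps xuwwaZ` output for long-running daemons sitting in a generic domain such as `initrc_t`. The sample lines are constructed from the messages quoted on this page plus one unrelated line and one `sshd_t` process to show what is not flagged.

```python
import re
from collections import Counter

# Matches the AVC record in both forms that appear in this bug:
#   syslog: "type=1400 audit(...): avc:  denied  { read write } for  pid=..."
#   auditd: "type=AVC msg=audit(...): avc:  denied  { read write } for  pid=..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Columns of `ps xuwwaZ`: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(r'^(?P<ctx>\S+)\s+\S+\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.*)$')

# A daemon running in one of these domains has no policy of its own.
GENERIC_DOMAINS = ('initrc_t', 'unconfined_t')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial into a dict of its key=value fields plus a
    'perms' list. Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def find_inherited_fd_denials(log_lines):
    """Count denials on anon_inode objects, keyed by (comm, source type, path).

    A helper such as `ip` never opens an eventfd or epoll object itself, so a
    denial on one in the helper's domain means the descriptor was open without
    FD_CLOEXEC in the parent and survived the exec into the new domain.
    """
    hits = Counter()
    for line in log_lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec.get('tclass') == 'file' and rec.get('path', '').startswith('anon_inode:'):
            hits[(rec['comm'], selinux_type(rec['scontext']), rec['path'])] += 1
    return hits


def find_unconfined_daemons(ps_lines):
    """Return (pid, domain, command) for processes running in a generic domain."""
    found = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if m is None:  # header line or unparseable row
            continue
        domain = selinux_type(m.group('ctx'))
        if domain in GENERIC_DOMAINS:
            found.append((int(m.group('pid')), domain, m.group('cmd')))
    return found


# Sample input constructed from the messages quoted in this bug.
SAMPLE_AVC = [
    'Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:664): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file',
    'Apr 28 12:35:19 batch1 kernel: type=1400 audit(1367145319.361:666): avc:  denied  { read write } for  pid=27496 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file',
    'type=AVC msg=audit(1372699281.483:68818): avc:  denied  { read write } for  pid=11102 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file',
    'Apr 28 12:35:20 batch1 kernel: unrelated message',
]
SAMPLE_PS = [
    'LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND',
    'system_u:system_r:initrc_t:s0   root      1888  0.0  0.9 656504 16364 ?        Sl   Apr29   0:00 /usr/bin/python /usr/bin/salt-master -d',
    'system_u:system_r:initrc_t:s0   root      1987  0.0  1.9 628940 32208 ?        Sl   Apr29   0:01 /usr/bin/python /usr/bin/salt-minion -d',
    'system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1201  0.0  0.1  66260  1232 ?        Ss   Apr29   0:00 /usr/sbin/sshd',
]

if __name__ == '__main__':
    for (comm, domain, path), n in find_inherited_fd_denials(SAMPLE_AVC).items():
        print('%d x %s in %s on %s (inherited descriptor?)' % (n, comm, domain, path))
    for pid, domain, cmd in find_unconfined_daemons(SAMPLE_PS):
        print('pid %d runs as %s: %s (no dedicated domain)' % (pid, domain, cmd))
```

On a live RHEL 6 host the same functions can be fed `ausearch -m avc --raw` and `ps xuwwaZ` output. Note that an `allow` rule generated by audit2allow, like the `mysalt` module in the description, silences the first finding without fixing it: the descriptor is still handed to a program in another domain.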
Comment 3 Simon Sekidde 2013-05-08 13:07:53 UTC
Created attachment 745240 [details]
salt-master policy package

Please remove the mysalt module and load the attached policy package into the kernel by running 

 semodule -r mysalt && semodule -B && semodule -i saltmaster.pp 

And provide any updated AVCs.

Comment 5 Daniel Walsh 2013-06-20 17:26:24 UTC
Did anyone ever try this out?  Do we ship salt in Fedora?

Comment 6 Milos Malik 2013-06-20 18:32:34 UTC
salt* packages are available in EPEL repos for RHEL-5 and RHEL-6.

Comment 7 Robert Cooper 2013-07-01 17:36:55 UTC
Testing with the saltmaster.pp attached to this ticket I still receive the following errors when starting salt_master:


type=AVC msg=audit(1372699281.483:68818): avc:  denied  { read write } for  pid=11102 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1372699281.483:68818): avc:  denied  { read write } for  pid=11102 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

Comment 8 Daniel Walsh 2013-07-02 10:55:49 UTC
This probably means salt is leaking a file descriptor to anon_inodefs when it executes the ip command.

If we ship salt, we should open a bugzilla on this.

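The leak Dan Walsh describes in Comment 8 can be reproduced in a few lines. The script below is an added example, not salt's code: it creates an epoll object (which the kernel reports as `anon_inode:[eventpoll]`, the same object as in the AVC messages above; it falls back to a pipe where epoll is unavailable), then execs a probe child and asks whether the descriptor is still open there. `subprocess` on Python 2, which RHEL 6 ships, defaults `close_fds` to False, so a daemon that never sets FD_CLOEXEC hands every open descriptor to the helper it spawns; the child program and the helper names are constructed for this example.

```python
import os
import select
import subprocess
import sys

# Probe child (constructed for this example): exit 0 if descriptor argv[1]
# is still open after the exec and refers to the same object as in the
# parent (checked via st_dev/st_ino passed in argv[2:4]), else exit 1.
CHILD_PROBE = (
    "import os, sys\n"
    "fd, dev, ino = (int(a) for a in sys.argv[1:4])\n"
    "try:\n"
    "    st = os.fstat(fd)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
    "sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)\n"
)


def open_anon_descriptor():
    """Return (fd, close) for an epoll object, labelled anon_inode:[eventpoll]
    by the kernel exactly as in the AVC messages; fall back to a pipe on
    platforms without epoll so the example still runs."""
    if hasattr(select, 'epoll'):
        ep = select.epoll()
        return ep.fileno(), ep.close
    r, w = os.pipe()

    def close():
        os.close(r)
        os.close(w)
    return r, close


def fd_survives_exec(close_fds, inheritable):
    """Spawn a child that execs a new program and report whether it can still
    reach our descriptor.

    close_fds   -- subprocess' close_fds flag (Python 2 defaults to False,
                   Python 3.2+ to True).
    inheritable -- True leaves FD_CLOEXEC clear on the descriptor, False sets it.
    """
    fd, close = open_anon_descriptor()
    try:
        os.set_inheritable(fd, inheritable)
        st = os.fstat(fd)
        rc = subprocess.call(
            [sys.executable, '-c', CHILD_PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
            close_fds=close_fds)
        return rc == 0
    finally:
        close()


if __name__ == '__main__':
    print('close_fds=False, no FD_CLOEXEC (leaks):', fd_survives_exec(False, True))
    print('close_fds=True:                        ', fd_survives_exec(True, True))
    print('FD_CLOEXEC set on the descriptor:      ', fd_survives_exec(False, False))
```

Either fix removes the denial at its source: pass `close_fds=True` (or a `preexec_fn` that closes the descriptors) wherever the daemon spawns `ip`, or open the event loop's descriptors with FD_CLOEXEC so the exec drops them. Both are preferable to an `allow ifconfig_t anon_inodefs_t:file { read write };` rule, which would grant the helper domain access to the parent's event objects rather than stop the leak.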
Comment 9 Miroslav Grepl 2013-08-06 07:19:55 UTC
Moving it to RHEL6.6. This is EPEL.

Comment 12 Simon Sekidde 2015-01-23 12:28:26 UTC
https://github.com/ssekidde/salt-master

Comment 13 Miroslav Grepl 2015-02-25 10:53:24 UTC
I believe we can go with initrc_t in RHEL6 for salt and see to get fixes in RHEL7.