[Rubygem-Staypuft]: SELinux avc: denied when running staypuft-installer - comm="ruby" path="/sbin/iptables-multi-1.4.7"

Environment (puddle : OpenStack/Foreman/2014-05-06.6/)
-------------------------------------------------------
ruby193-rubygem-staypuft-0.0.12-1.el6ost.noarch
foreman-installer-staypuft-0.0.10-1.el6ost.noarch
openstack-puppet-modules-2013.2-9.1.el6ost.noarch
puppet-server-3.3.2-2.el6.noarch
puppet-3.3.2-2.el6.noarch
foreman-1.5.0.22-1.el6sat.noarch

[foreman ~]# rpm -qa | grep iptables
iptables-ipv6-1.4.7-11.el6.x86_64
iptables-1.4.7-11.el6.x86_64

[foreman ~]# rpm -qa | grep selinux
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
foreman-selinux-1.5.0-0.develop.el6sat.noarch
libselinux-ruby-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6_5.1.noarch
selinux-policy-targeted-3.7.19-231.el6_5.1.noarch

Steps:
-------
1) Verify SELinux is enabled (setenforce 1)
2) Attempt to install staypuft by running "staypuft-installer"
3) Check /var/log/messages.

Results:
---------
/var/log/messages :
------------------------------------------------------------
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'socket' is deprecated. Use '@socket' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:5
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:5:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'pidfile' is deprecated. Use '@pidfile' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:9
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:9:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'socket' is deprecated. Use '@socket' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:10
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:10:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'port' is deprecated. Use '@port' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:11
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:11:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'basedir' is deprecated. Use '@basedir' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:12
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:12:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'datadir' is deprecated. Use '@datadir' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:13
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:13:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'bind_address' is deprecated. Use '@bind_address' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:17
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:17:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'bind_address' is deprecated. Use '@bind_address' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:18
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:18:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'log_error' is deprecated. Use '@log_error' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:28
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:28:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'default_engine' is deprecated. Use '@default_engine' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:31
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:31:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'default_engine' is deprecated. Use '@default_engine' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:32
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:32:in `result')
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: Variable access via 'ssl' is deprecated. Use '@ssl' instead. template[/etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb]:34
May 15 11:35:00 oh-havana-foreman puppet-master[32245]: (at /etc/puppet/environments/production/modules/mysql/templates/my.cnf.erb:34:in `result')
May 15 11:35:02 oh-havana-foreman puppet-master[32245]: (Scope(Class[Keystone])) token_format parameter is deprecated. Use token_provider instead.
May 15 11:35:04 oh-havana-foreman puppet-master[32245]: (Scope(Class[Nova])) sql_connection deprecated for database_connection
May 15 11:35:07 oh-havana-foreman puppet-master[32245]: Variable access via 'pipeline' is deprecated. Use '@pipeline' instead. template[inline]:2
May 15 11:35:07 oh-havana-foreman puppet-master[32245]: (at (erb):2:in `result')
May 15 11:35:08 oh-havana-foreman puppet-master[32245]: (Scope(Class[Swift::Proxy::Proxy-logging])) swift::proxy::proxy-logging is deprecated. Use swift::proxy::proxy_logging instead.
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.818:390): avc: denied { getattr } for pid=32245 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.818:391): avc: denied { execute } for pid=32245 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.825:392): avc: denied { read open } for pid=950 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.825:393): avc: denied { execute_no_trans } for pid=950 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
May 15 11:35:14 oh-havana-foreman puppet-master[32245]: Variable access via 'tcp_port' is deprecated. Use '@tcp_port' instead. template[/etc/puppet/environments/production/modules/memcached/templates/memcached_sysconfig.erb]:1
Created attachment 895963 [details] messages
Those logs are cut off, can we get whole lines?

May 15 11:35:08 oh-havana-foreman kernel: type=1400 audit(1400142908.825:392): avc: denied { read open } for pid=950 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=2490531 scontext=system_u:system_r:pas

It's passenger_something...
Please add this as well: ps -xauwwwZ
Tested staypuft-install with the latest foreman-selinux build from here:
http://koji.katello.org/koji/buildinfo?buildID=9803

I am getting the following AVC denied:

# tail -f /var/log/audit/audit.log | grep AVC
type=AVC msg=audit(1400258033.035:164): avc: denied { relabelto } for pid=8510 comm="ruby" name="yaml" dev=dm-0 ino=537367 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1400258033.076:165): avc: denied { relabelto } for pid=8510 comm="ruby" name="masterhttp.log" dev=dm-0 ino=536269 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1400258033.337:166): avc: denied { relabelto } for pid=8510 comm="ruby" name="ca_crt.pem" dev=dm-0 ino=536250 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1400258050.395:167): avc: denied { write } for pid=8914 comm="ruby" name="dynflow_socket" dev=dm-0 ino=282452 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:foreman_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1400258050.395:167): avc: denied { connectto } for pid=8914 comm="ruby" path="/var/run/foreman/sockets/dynflow_socket" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
Created attachment 896468 [details] audit.log from staypuft-installer
Created attachment 896469 [details] Output of ps -xauwwwZ associated with mtaylor_staypuft-installer_audit.log
I am not sure about the relabel stuff, but I will fix the dynflow_socket issue in the next foreman-selinux build.
I am working on a brand new policy for the foreman-tasks plugin, which was missing. Unfortunately this plugin is the most complicated one in regard to selinux - it has two new processes, a socket and also a new directory.

Filed upstream bug: http://projects.theforeman.org/issues/5870

I will need to update both the foreman-selinux packages and the foreman-tasks package.
Created attachment 898390 [details]
mburns-audit-log

set permissive
run staypuft-installer
configure deployment
start deployment
<end>
Okay I have to admit I took the wrong approach; to fix this issue it is NOT necessary to write a policy for foreman-tasks. Although I have already prepared this policy and I will finish this effort:
https://github.com/theforeman/foreman-tasks/pull/54
http://koji.katello.org/koji/taskinfo?taskID=111800

I created a new issue: http://projects.theforeman.org/issues/5882
and a temporary fix: https://github.com/theforeman/foreman-selinux/pull/17
Okay I am putting this back to POST because I am not finished with the fix yet, it is going under upstream review right now. Please disregard comment 13, I was able to write the brand new foreman-tasks policy and also fix the three relabelto denials.

Upstream changes that contain the necessary work to get rid of these denials:
https://github.com/theforeman/foreman-tasks/pull/54
https://github.com/theforeman/foreman-selinux/pull/18 (not yet merged)

Upstream builds:
http://koji.katello.org/koji/taskinfo?taskID=111800
http://koji.katello.org/koji/taskinfo?taskID=112021
*** Bug 1092980 has been marked as a duplicate of this bug. ***
Using RHEL 6.5 + latest foreman puddle (20140522.2) and the packages mentioned above, I'm still getting passenger avc denials. Moving back to assigned.
Last note: The upstream fix does fix the socket denial, but does not fix the three puppet ones. I filed another issue for it, it's a different one we need to solve: http://projects.theforeman.org/issues/5910

This will require some changes in the way we call puppet/puppet master; I need to discuss this upstream and find a proper way to fix it.
Created attachment 899508 [details]
audit.log with latest upstream build: http://koji.katello.org/koji/taskinfo?taskID=113026

Ran through a full installation successfully. When configuring a deployment using staypuft, a single AVC showed up, but I am unable to reproduce it within the same installation.

# audit2why -wa
type=AVC msg=audit(1401197569.085:2565): avc: denied { name_bind } for pid=9349 comm="ruby" src=17659 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

	Was caused by:
	The boolean allow_ypbind was set incorrectly.
	Description:
	Allow system to run with NIS

	Allow access by executing:
	# setsebool -P allow_ypbind 1
Created attachment 899509 [details] ps auxwwwZ
FYI, for the last denial I've opened another upstream issue report: http://projects.theforeman.org/issues/5981
The fix was merged upstream: https://github.com/theforeman/foreman-selinux/pull/18

This build does contain the necessary changes: http://koji.katello.org/koji/buildinfo?buildID=10897
Verified with :
---------------
ruby193-rubygem-staypuft-0.3.4-2.el6ost.noarch
rhel-osp-installer-0.3.4-3.el6ost.noarch
foreman-selinux-1.6.0.14-1.el6sat.noarch
selinux-policy-3.7.19-231.el6.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1350.html