Bug 1107673 - Puppet or puppetmaster sometimes changes file contexts
Summary: Puppet or puppetmaster sometimes changes file contexts
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Tazim Kolhar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1107680
Depends On:
Blocks:
Reported: 2014-06-10 12:39 UTC by Bryan Kearney
Modified: 2019-09-26 18:13 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-11 12:23:12 UTC
Target Upstream Version:
Embargoed:




Links:
Foreman Issue Tracker 5910 (last updated 2016-04-22 15:35:20 UTC)

Description Bryan Kearney 2014-06-10 12:39:46 UTC
which is prevented by SELinux. This has something to do with selinux users and RHEL6. Discussion is here:

<pre>
14:56    lzap | dwalsh: https://gist.github.com/lzap/b2c29cd20da2a0d95459
14:57    lzap | dwalsh: mirek told me the other day I see relabelto because the process is touching xattrs most likely. whatever, I'd like to allow that, but
              | my rules do not apply for some reason
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14:58  dwalsh | lzap, You are relabeling a file to system_u:...  You are running as unconfined_u.  THere is a constraint that says you are not allowed to do
              | this unless you have a certain attribute.
14:58  dwalsh | scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0
14:58  dwalsh | Is passenger_t doing a setfilecon?
15:00  dwalsh | lzap, It looks like you ran passenger from an unconfined_u user,
15:00    lzap | oh
15:00    lzap | like started it from shell right?
15:01  dwalsh | lzap, I would not have a problem doing it.  We really do not enforce on user part of the label.
15:01  dwalsh | Did you do a runcon to get the service to start?
15:01    lzap | it was puppet who started that
15:01    lzap | puppet agent
15:01    lzap | but puppet stareted from openstack installer
15:01    lzap | and that was obviously started as root
15:02    lzap | but I'd expect when I'd do service start it would start normally
15:02    lzap | puppet is doing: service httpd start
15:02  dwalsh | is this RHEL6?
15:02    lzap | yes
15:02    lzap | 6.54
15:02    lzap | 6.5
15:03  dwalsh | Well puppet must have been running as unconfined_u which means someone restarted it.
15:03  dwalsh | In RHEL7 this would not be a problem because services would be started via systemd, which would be running as system_u.
15:04  dwalsh | domain_subj_id_change_exemption(passenger_t) would fix the problem. 
15:04  dwalsh | Most of the time passenger_t would run as system_u, since it would be started at boot time.  But if a user did a service restart, then I guess
              | this could happen.
15:05    lzap | so you are telling me that all services which are running under RHEL6 and are confined can go wrong as soon as root restarts them from a shell?
15:06  dwalsh | No only services that attempt to do built in SELinux calls.
15:06  dwalsh | Puppet must be doing a setfiles() call to change the label.
15:07    lzap | ok I will investigate this, but I'd not expect this there
15:07    lzap | it's a ruby app without any selinux support
15:07    lzap | I mean the upstream code
15:07    lzap | and I am not aware of any special handling in our startup scripts or something
15:08  dwalsh | We added selinux support to ruby a few years ago to be used with puppet.
15:08  dwalsh | Search the code for matchpathcon, and setfilecon.

</pre>

Comment 1 Bryan Kearney 2014-06-10 12:39:48 UTC
Created from redmine issue http://projects.theforeman.org/issues/5910

Comment 2 Bryan Kearney 2014-06-10 12:39:53 UTC
Upstream bug assigned to lzap

Comment 3 Bryan Kearney 2014-06-10 12:44:19 UTC
*** Bug 1107680 has been marked as a duplicate of this bug. ***

Comment 4 Bryan Kearney 2014-06-10 13:03:44 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/5910 has been closed

Comment 7 Tazim Kolhar 2014-08-27 12:21:46 UTC
please provide verification steps

Comment 8 Lukas Zapletal 2014-08-27 14:03:07 UTC
This patch was committed:

+domain_obj_id_change_exemption(passenger_t)
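Review bot: the macro committed here, domain_obj_id_change_exemption(passenger_t), is not the one proposed in the IRC log above (domain_subj_id_change_exemption), and the committed one is the correct choice: the denial is a file relabelto from scontext unconfined_u:system_r:passenger_t:s0 to tcontext system_u:object_r:puppet_log_t:s0, i.e. a change of the object's user identity, which the obj variant exempts, whereas the subj variant only covers a process changing its own user identity on transition. Worth a sentence in the commit message so the difference from the discussion does not read as a typo, and note that the exemption only lifts the identity constraint; the ordinary relabelto allow rules on puppet_log_t mentioned in the log are still required.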

To verify, install Satellite 6 and verify there are no AVC denials. Please ignore this harmless one:

time->Wed Aug 27 09:15:56 2014
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 a0=3366d00 a1=16d4d30 a2=0 a3=12 items=0 ppid=4708 pid=4725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

Note the "load_policy" domain. We have a separate BZ for this.
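The IRC log in the description explains why the relabel was denied (the subject's user, unconfined_u, differs from the target label's user, system_u, and the file-relabel constraint only permits that for exempted types), and Comment 8 asks the verifier to scan for AVC denials while ignoring the load_policy one. The script below, an added example that is not part of the bug or of the Foreman SELinux policy, does that triage over constructed audit lines: it parses AVC records, separates the expected load_policy_t write from real problems, and tells a user-identity-constraint denial (needs the exemption) from an ordinary missing type-enforcement rule. The sample lines are constructed from the contexts quoted on this page; the third line, with matching user identities, is made up for contrast.

```python
import re

# Constructed sample input modelled on the denials quoted on this page: the
# harmless load_policy write, the passenger_t relabel across user identities
# (contexts from the IRC log), and a constructed relabel with matching users.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1402400000.100:200): avc:  denied  { relabelto } for  pid=3001 comm="ruby" name="puppet.log" dev=vda1 ino=12345 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1402400001.200:201): avc:  denied  { relabelto } for  pid=3002 comm="ruby" name="puppet.log" dev=vda1 ino=12346 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions covered by the SELinux identity constraint on files: a domain may
# only change the user part of a file label when the users already match, or
# when its type carries the exemption granted by domain_obj_id_change_exemption.
IDENTITY_PERMS = {"relabelto", "relabelfrom", "create"}


def split_context(ctx):
    """Split user:role:type:mls; the MLS range may itself contain ':'."""
    user, role, stype, mls = ctx.split(":", 3)
    return user, role, stype, mls


def parse_avc(line):
    """Return a dict for a type=AVC audit line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": set(m.group(2).split())}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    return rec


def crosses_user_identity(rec):
    """True when the denied operation changes a label across SELinux users."""
    if not (rec["perms"] & IDENTITY_PERMS):
        return False
    s_user = split_context(rec["scontext"])[0]
    t_user = split_context(rec["tcontext"])[0]
    return s_user != t_user


def classify(rec):
    """Bucket a denial the way the verification step in Comment 8 does."""
    s_type = split_context(rec["scontext"])[2]
    if rec.get("comm") == "load_policy" and s_type == "load_policy_t":
        return "expected-load_policy"       # tracked in a separate bug, ignore here
    if crosses_user_identity(rec):
        return "user-identity-constraint"   # needs the exemption, not just an allow rule
    return "type-enforcement"               # ordinary missing allow rule


def triage(audit_text):
    """Classify every denied AVC line in the text.

    Returns (classification, comm, perms, scontext, tcontext) per denial.
    """
    rows = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        rows.append((classify(rec), rec.get("comm", "?"),
                     " ".join(sorted(rec["perms"])),
                     rec["scontext"], rec["tcontext"]))
    return rows


def unexpected_denials(audit_text):
    """Denials the verifier must not wave through."""
    return [r for r in triage(audit_text) if r[0] != "expected-load_policy"]


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        print("%-26s %-12s %-10s %s -> %s" % row)
```

On a real system the input would be the output of ausearch -m avc (or the type=AVC lines from /var/log/audit/audit.log) rather than the embedded sample; anything classified as user-identity-constraint will not go away by adding allow rules alone, which is exactly the situation the IRC log describes.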

Comment 9 Tazim Kolhar 2014-08-28 06:20:02 UTC
VERIFIED

able to install satellite 6 with no AVC denials

Comment 10 Bryan Kearney 2014-09-11 12:23:12 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.

