Bug 1110814 - Puppet modules fail to deploy on a node due to selinux
Status: CLOSED CURRENTRELEASE
Product: Pulp
Classification: Community
Component: puppet-support (Show other bugs)
2.4.0
Unspecified Unspecified
medium Severity high
: ---
: 2.4.0
Assigned To: Lukas Zapletal
Preethi Thomas
: Reopened, Triaged
Depends On: 1020912
Blocks: 950743
Reported: 2014-06-18 09:54 EDT by Bryan Kearney
Modified: 2014-08-19 23:31 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1020912
Environment:
Last Closed: 2014-08-09 02:56:27 EDT
Type: Bug
Regression: ---


Comment 2 Michael Hrivnak 2014-06-18 10:28:06 EDT
The fix to this does not belong in pulp. Sat6, given its specific use case and configuration of pulp, should add this to its selinux policy.

For pulp to solve this, we would have to:

1) require the puppet-server package, so that /etc/puppet/environments/ exists. We do not currently require this package.
2) modify the filesystem permissions of /etc/puppet/environments/
3) change the selinux policy on /etc/puppet/environments/

Changing the filesystem permissions and selinux policy on a directory owned by another package is not something pulp's package should do by default anyway.

More importantly, we would be allowing the apache user to have full write access to the /etc/puppet/environments/ folder, which is not a sane default. The security implications are huge. Allowing a user to opt-in to this *if* they want to use our puppet install distributor is reasonable. Introducing this major degradation of security by default for all users of pulp is not reasonable.

From our documentation at http://pulp-puppet-dev-guide.readthedocs.org/en/latest/plugin_conf.html#install-distributor:

"It is the user’s responsibility to ensure that Pulp can write to this directory."

Thoughts?
Comment 3 Lukas Zapletal 2014-06-18 13:58:49 EDT
Michael,

there is no requirement that those directories be created, or that puppet-server be present on the system at all. Puppet policy is in the core selinux policy in both RHEL6+ and Fedoras, therefore you can build on this safely without any dependency introduced. It's actually the other way around - katello-selinux has no pulp-selinux dependency on the packaging level and we would need to introduce one (if we want to create rules for pulp selinux types).

By default, all files in /etc/pulp are labeled as puppet_etc_t, therefore what we expect is for you folks to create a rule that allows writing/reading on this file context. For the security implications you described, and because you run under the Apache2 httpd domain (which must be very well hardened for sure), the best would be to create an optional selinux boolean, something like pulp_write_puppet or httpd_write_puppet_etc, that would be turned off by default for pulp, but Satellite 6 would enable this flag. This is standard SELinux practice which is used everywhere, including the http daemon (e.g. man httpd_selinux for examples).

Please reevaluate this once again, thanks.
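As an added illustration of the opt-in boolean pattern described in this comment (not code from this bug, from Pulp or from Katello; the module name, the boolean name pulp_write_puppet_etc and the use of the refpolicy pattern macros are assumptions), a minimal SELinux policy module whose tunable is off by default:

```selinux
# pulp_puppet_write.te (assumed name) - opt-in write access for the
# web server domain to files labeled puppet_etc_t.
policy_module(pulp_puppet_write, 1.0)

# The boolean defaults to false: a stock Pulp install grants nothing.
gen_tunable(pulp_write_puppet_etc, false)

require {
    type httpd_t;       # domain Pulp runs in under Apache
    type puppet_etc_t;  # label carried by the puppet configuration tree
}

# Only when an administrator (e.g. Satellite 6) turns the boolean on
# does httpd_t get create/write/delete on puppet_etc_t dirs and files.
tunable_policy(`pulp_write_puppet_etc', `
    manage_dirs_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
    manage_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
')
```

The boolean is then enabled persistently with `setsebool -P pulp_write_puppet_etc on`; as Comment 4 notes, the directory's DAC permissions for the apache user must still be handled separately, since SELinux only adds a second check on top of them.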
Comment 4 Michael Hrivnak 2014-06-18 17:45:20 EDT
That's an interesting suggestion, and I can see value in having such a boolean provided by pulp. However, it doesn't solve the need to change filesystem permissions on /etc/puppet/environments.

I'll query the team. If we need this fast, I'm not sure we have anyone available on the pulp team with the selinux familiarity to do this quickly.
Comment 5 Lukas Zapletal 2014-06-19 06:15:51 EDT
Michael,

I was not aware that there are permissions involved. I thought it was only SELinux preventing writes there.

We will need to make sure pulp/httpd can write to that directory. And this is our task for sure; we actually create the environments directory ourselves (puppet defaults just to /etc/puppet).

But for SELinux, this is all about types and domains; paths do not matter. Thanks for taking this to the team.
Comment 6 Randy Barlow 2014-06-24 13:48:17 EDT
https://github.com/pulp/pulp/pull/1020
Comment 7 Randy Barlow 2014-06-25 19:24:16 EDT
Fixed in 2.4.0-0.23.beta.
Comment 8 Preethi Thomas 2014-07-09 14:33:44 EDT
[root@cloud-qe-19 ~]# getenforce
Enforcing
[root@cloud-qe-19 ~]# 

[root@qe-blade-14 ~]# pulp-admin node sync run --node-id node1
This command may be exited via ctrl+c without affecting the request.

(1/2) Repository: puppet-repo
[==================================================] 100%

(2/2) Repository: zoo
[==================================================] 100%

Synchronization succeeded

+----------------------------------------------------------------------+
                       Child Node Synchronization
+----------------------------------------------------------------------+

Repository: 
  Action:          Merged
  Content Sources: 
    Downloads:     
      Source Id:       Parent Node
      Total Failed:    0
      Total Succeeded: 43
    Total Passes:  1
    Total Sources: 0
  Id:              puppet-repo
  Units:           
    Added:   43
    Removed: 0
    Updated: 0

Repository: 
  Action:          Merged
  Content Sources: 
    Downloads:     
      Source Id:       Parent Node
      Total Failed:    0
      Total Succeeded: 32
    Total Passes:  1
    Total Sources: 0
  Id:              zoo
  Units:           
    Added:   39
    Removed: 0
    Updated: 0
[root@qe-blade-14 ~]#
Comment 9 Randy Barlow 2014-08-09 02:56:27 EDT
This has been fixed in Pulp 2.4.0-1.
