Bug 1110814 - Puppet modules fail to deploy on a node due to selinux
Summary: Puppet modules fail to deploy on a node due to selinux
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: puppet-support
Version: 2.4.0
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 2.4.0
Assignee: Lukas Zapletal
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On: 1020912
Blocks: 950743
 
Reported: 2014-06-18 13:54 UTC by Bryan Kearney
Modified: 2014-08-20 03:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1020912
Environment:
Last Closed: 2014-08-09 06:56:27 UTC
Embargoed:



Comment 2 Michael Hrivnak 2014-06-18 14:28:06 UTC
The fix to this does not belong in pulp. Sat6, given its specific use case and configuration of pulp, should add this to its selinux policy.

For pulp to solve this, we would have to:

1) require the puppet-server package, so that /etc/puppet/environments/ exists. We do not currently require this package.
2) modify the filesystem permissions of /etc/puppet/environments/
3) change the selinux policy on /etc/puppet/environments/

Changing the filesystem permissions and selinux policy on a directory owned by another package is not something pulp's package should do by default anyway.

More importantly, we would be allowing the apache user to have full write access to the /etc/puppet/environments/ folder, which is not a sane default. The security implications are huge. Allowing a user to opt-in to this *if* they want to use our puppet install distributor is reasonable. Introducing this major degradation of security by default for all users of pulp is not reasonable.

From our documentation at http://pulp-puppet-dev-guide.readthedocs.org/en/latest/plugin_conf.html#install-distributor:

"It is the user’s responsibility to ensure that Pulp can write to this directory."

Thoughts?

Comment 3 Lukas Zapletal 2014-06-18 17:58:49 UTC
Michael,

there is no requirement that those directories be created, or that puppet-server be present on the system at all. The Puppet policy is in the core SELinux policy in both RHEL6+ and Fedora, therefore you can build on this safely without introducing any dependency. It's actually the other way around: katello-selinux has no pulp-selinux dependency on the packaging level, and we would need to introduce one (if we want to create rules for pulp SELinux types).

By default, all files in /etc/pulp are labeled as puppet_etc_t, therefore what we expect is for you folks to create a rule that allows writing/reading on this file context. Given the security implications you described, and because you run under the Apache2 httpd domain (which must be very well hardened, for sure), the best option would be to create an optional SELinux boolean, something like pulp_write_puppet or httpd_write_puppet_etc, that would be turned off by default for pulp but that Satellite 6 would enable. This is standard SELinux practice, used everywhere including the http daemon (see man httpd_selinux for examples).

Please reevaluate this once again, thanks.

Comment 4 Michael Hrivnak 2014-06-18 21:45:20 UTC
That's an interesting suggestion, and I can see value in having such a boolean provided by pulp. However, it doesn't solve the need to change filesystem permissions on /etc/puppet/environments.

I'll query the team. If we need this fast, I'm not sure we have anyone available on the pulp team with the selinux familiarity to do this quickly.

Comment 5 Lukas Zapletal 2014-06-19 10:15:51 UTC
Michael,

I was not aware that there were permissions involved. I thought it was only SELinux preventing writing there.

We will need to make sure pulp/httpd can write to that directory, and this is our task for sure; we actually create the environments directory ourselves (puppet defaults to just /etc/puppet).

But for SELinux, this is all about types and domains; paths do not matter. Thanks for taking this to the team.
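
The approach sketched in Comments 3 through 5 (a boolean-gated allow rule on the puppet_etc_t type, off by default, plus separate DAC permissions on the directory) as an added example; this is not code from Pulp, Katello or Satellite 6, and the module name pulp_puppet and boolean name pulp_write_puppet_etc are assumptions picked to match the naming suggested in Comment 3. It assumes a RHEL 6 / Fedora node with selinux-policy-devel installed (for the refpolicy Makefile), where the stock puppet policy labels /etc/puppet(/.*)? as puppet_etc_t and Pulp's distributor runs in httpd_t:

```selinux
# Added example, not from Pulp or Satellite: a small policy module that lets
# httpd_t manage puppet_etc_t files and directories only while a boolean
# (default off) is enabled.  Module and boolean names are assumptions.
#
# Build, load and verify on the node (as root):
#   make -f /usr/share/selinux/devel/Makefile pulp_puppet.pp
#   semodule -i pulp_puppet.pp
#   getsebool pulp_write_puppet_etc          # "off" on a plain Pulp install
#   setsebool -P pulp_write_puppet_etc on    # the Satellite 6 opt-in
#   ls -Zd /etc/puppet/environments          # expect ...:puppet_etc_t:s0
#   ausearch -m AVC -ts recent               # should show no httpd_t denials

policy_module(pulp_puppet, 1.0.0)

# Types declared by the core apache and puppet policy; nothing new is defined.
gen_require(`
    type httpd_t;
    type puppet_etc_t;
')

## <desc>
## <p>Allow httpd (the Pulp puppet install distributor) to write
## Puppet environments under /etc/puppet.</p>
## </desc>
gen_tunable(pulp_write_puppet_etc, false)

# With the boolean off this block compiles to nothing, so a default Pulp
# deployment keeps the stock denial described in the bug.
tunable_policy(`pulp_write_puppet_etc', `
    manage_dirs_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
    manage_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
')
```

Two caveats worth keeping in mind. First, the rule is keyed on the type, not the path (Comment 5): any file carrying puppet_etc_t becomes writable by httpd_t once the boolean is on, which is exactly the exposure Comment 2 warns about and the reason the default is false. Second, SELinux is consulted after DAC, so this module does nothing about the ownership and mode of /etc/puppet/environments raised in Comment 4; whoever creates that directory (Satellite, per Comment 5) still has to grant the apache user write access to it, for example via group ownership and a group-writable mode.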

Comment 6 Randy Barlow 2014-06-24 17:48:17 UTC
https://github.com/pulp/pulp/pull/1020

Comment 7 Randy Barlow 2014-06-25 23:24:16 UTC
Fixed in 2.4.0-0.23.beta.

Comment 8 Preethi Thomas 2014-07-09 18:33:44 UTC
[root@cloud-qe-19 ~]# getenforce
Enforcing
[root@cloud-qe-19 ~]# 


[root@qe-blade-14 ~]# pulp-admin node sync run --node-id node1
This command may be exited via ctrl+c without affecting the request.

(1/2) Repository: puppet-repo
[==================================================] 100%

(2/2) Repository: zoo
[==================================================] 100%

Synchronization succeeded

+----------------------------------------------------------------------+
                       Child Node Synchronization
+----------------------------------------------------------------------+

Repository:
  Action:          Merged
  Content Sources:
    Downloads:
      Source Id:       Parent Node
      Total Failed:    0
      Total Succeeded: 43
    Total Passes:  1
    Total Sources: 0
  Id:              puppet-repo
  Units:
    Added:   43
    Removed: 0
    Updated: 0

Repository:
  Action:          Merged
  Content Sources:
    Downloads:
      Source Id:       Parent Node
      Total Failed:    0
      Total Succeeded: 32
    Total Passes:  1
    Total Sources: 0
  Id:              zoo
  Units:
    Added:   39
    Removed: 0
    Updated: 0

[root@qe-blade-14 ~]#

Comment 9 Randy Barlow 2014-08-09 06:56:27 UTC
This has been fixed in Pulp 2.4.0-1.

