Bug 1214223 - SELinux changes for Cockpit
Summary: SELinux changes for Cockpit
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1143927 1233233 1268732
Reported: 2015-04-22 09:33 UTC by Marius Vollmer
Modified: 2015-11-19 10:33 UTC
CC: 13 users

Fixed In Version: selinux-policy-3.13.1-28.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1233233 1268732
Environment:
Last Closed: 2015-11-19 10:33:02 UTC
Target Upstream Version:
Embargoed:

Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2015:2300 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix update | 2015-11-19 09:55:26 UTC

Description Marius Vollmer 2015-04-22 09:33:07 UTC
The integration tests of Cockpit trigger these messages:

type=1400 audit(1429694589.393:6): avc:  denied  { create } for  pid=2580 comm="cockpit-session" name="HTTP_0" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=1400 audit(1429694589.394:7): avc:  denied  { write open } for  pid=2580 comm="cockpit-session" path="/var/tmp/HTTP_0" dev="vda" ino=230782 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

I think this fragment is needed, but I know nothing about SELinux:

# cockpit-session does these when authenticating via GSSAPI
allow cockpit_session_t tmp_t:file { create write open unlink };
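
The fragment above is the kind of rule audit2allow derives from such denials. As an added example (not from this bug report or from the Cockpit project), the following Python script parses the two AVC lines from comment 0, groups them by source type, target type and object class, and renders the merged allow rule together with a complete local policy module in the shape `audit2allow -M` produces. The module name cockpit_local, the regular expression and the helper names are this example's own choices. Only the permissions actually seen in the log come out (create, open, write); unlink would appear only once its denial has been captured, which is what comment 3 asks for.

```python
import re
from collections import defaultdict

# Sample input: the two AVC lines quoted in comment 0 of this bug.
SAMPLE_AVCS = """\
type=1400 audit(1429694589.393:6): avc:  denied  { create } for  pid=2580 comm="cockpit-session" name="HTTP_0" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=1400 audit(1429694589.394:7): avc:  denied  { write open } for  pid=2580 comm="cockpit-session" path="/var/tmp/HTTP_0" dev="vda" ino=230782 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# Matches the permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, set_of_perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = set(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms


def collect_rules(text):
    """Group denials by (stype, ttype, tclass) and union their permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def allow_rules(rules):
    """One allow statement per (stype, ttype, tclass) group, sorted."""
    return sorted(
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in rules.items()
    )


def local_module(rules, name="cockpit_local", version="1.0"):
    """Render a .te file for a local module (hypothetical name cockpit_local)."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c] |= p
    lines = ["policy_module(%s, %s)" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(local_module(collect_rules(SAMPLE_AVCS)))
```

The generated rule lets cockpit_session_t create and write any tmp_t file, which is the usual caveat with audit2allow-style output; the fix that actually shipped is the rule merged into selinux-policy-3.13.1-28.el7 (see Fixed In Version). If a local module is used as a stop-gap, give it a name that does not collide with a distribution module, since two modules with the same name is exactly what comment 12 warns about, and build and load it with `make -f /usr/share/selinux/devel/Makefile cockpit_local.pp && semodule -i cockpit_local.pp`.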

Comment 3 Milos Malik 2015-04-22 11:00:24 UTC
The comment#0 contains AVCs for create, write and open operations. Please attach the AVC for unlink operation too:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 4 Marius Vollmer 2015-04-24 14:19:07 UTC
(In reply to Milos Malik from comment #3)
> The comment#0 contains AVCs for create, write and open operations. Please
> attach the AVC for unlink operation too:
> 
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today

I think 'unlink' doesn't happen in our tests, and I don't know how to trigger it.
(Also, we redirect the audit messages to the systemd journal.  Can ausearch work with that?)

The accesses are caused by libgssapi_krb5.  Maybe there are some existing rules for programs that use libgssapi_krb5.

Stef, do you know whether we need 'unlink'?

Comment 5 Stef Walter 2015-05-13 13:22:44 UTC
> Stef, do you know whether we need 'unlink'?

I have no idea. It's deep in the bowels of GSSAPI. I would assume so.

Comment 8 Stef Walter 2015-09-03 09:08:16 UTC
FYI the upstream test provides the guidance to check this bug: test/check-realms TestNegotiate.testKerberos

Current failure: 

AssertionError: 'HTTP/1.1 200 OK' not found in 'HTTP/1.1 401 Authentication required\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 104\r\n\r\nHTTP/1.1 401 Authentication failed\r\nWWW-Authenticate: Negotiate oXkwd6ADCgEConAEbmBsBgkqhkiG9xIBAgIDAH5dMFugAwIBBaEDAgEepBEYDzIwMTUwOTAzMDg1OTMwWqUFAgMB+/qmAwIBPKkNGwtDT0NLUElULkxBTqohMB+gAwIBAaEYMBYbBEhUVFAbDngwLmNvY2twaXQubGFu\r\nContent-Length: 100\r\n\r\n<html><head><title>401 Authentication failed</title></head><body>Authentication failed</body></html>'

You can see that RHEL-7 is red here: http://files.cockpit-project.org/hubbot/

Comment 9 Milos Malik 2015-09-23 10:17:39 UTC
There are 2 cockpit policy modules:

# ls -l /etc/selinux/targeted/modules/active/modules/cockpit.pp 
-rw-r--r--. 1 root root 12264 Sep 23 11:57 /etc/selinux/targeted/modules/active/modules/cockpit.pp
# rpm -qf /etc/selinux/targeted/modules/active/modules/cockpit.pp 
selinux-policy-targeted-3.13.1-52.el7.noarch
# ls -l /usr/share/selinux/targeted/cockpit.pp 
-rw-r--r--. 1 root root 127304 Aug 17 18:33 /usr/share/selinux/targeted/cockpit.pp
# rpm -qf /usr/share/selinux/targeted/cockpit.pp 
cockpit-selinux-policy-0.71-1.el7.noarch
#

Now it depends on which of the packages is upgraded / installed last.

The TC passes when the cockpit module (version 1.0.0) from the selinux-policy package is loaded.
The TC fails when the cockpit module (version 1.9.0) from the cockpit-selinux-policy package is loaded.

Comment 10 Milos Malik 2015-09-23 10:19:52 UTC
Is it possible to merge those cockpit policy modules?

Comment 11 Stef Walter 2015-09-23 14:33:56 UTC
Most of the changes have been merged. I think this is the last one. Once they have been merged, we do not need to build cockpit-selinux-policy on RHEL any longer.

Comment 12 Miroslav Grepl 2015-10-02 07:49:13 UTC
What needs to be merged? I believe we are up-to-date.

In this phase we have two policies with the same name, which is wrong and could cause trouble.

Comment 13 Milos Malik 2015-10-04 08:42:26 UTC
@QE:
If cockpit-selinux-policy package is not installed at all then the TC passes.
If cockpit-selinux-policy package is installed, you have to remove it and reinstall selinux-policy-targeted package, which provides cockpit.pp, and the TC passes too.

@devel: I believe that all necessary rules / context were already merged.

Comment 14 Miroslav Grepl 2015-10-05 06:03:24 UTC
(In reply to Milos Malik from comment #13)
> @QE:
> If cockpit-selinux-policy package is not installed at all then the TC passes.
> If cockpit-selinux-policy package is installed, you have to remove it and
> reinstall selinux-policy-targeted package, which provides cockpit.pp, and
> the TC passes too.

That's correct, because we have two modules with the same name.

> 
> @devel: I believe that all necessary rules / context were already merged.

Yes, I agree.

Comment 17 Miroslav Vadkerti 2015-10-05 14:46:07 UTC
Moving back to correct state

Comment 19 errata-xmlrpc 2015-11-19 10:33:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html