1515499 – sysadm users cannot execute 'puppet agent' command

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1515499 - sysadm users cannot execute 'puppet agent' command

Summary: sysadm users cannot execute 'puppet agent' command

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.9
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1374441 1522745 1522765
TreeView+	depends on / blocked

Reported:	2017-11-20 22:41 UTC by Coby Isley
Modified:	2021-03-11 16:20 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	In Red Hat Enterprise Linux 6.9, the puppet module in the SELinux policy package had been restructured to follow Red Hat Enterprise Linux 7 puppet4 model, and the domain for the /usr/bin/puppet binary file had been set to 'puppet_exec_t`. As a consequence, SELinux denied executing the 'puppet agent' command for the 'sysadm_t' confined user. With this update, the missing domain transitions have been added, and `puppet agent` can be now successfully executed by 'sysadm_t' with SELinux in Enforcing mode.
Clone Of:
Clones:	1522745 1522765 (view as bug list)
Environment:
Last Closed:	2018-06-19 05:11:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:1871	0	None	None	None	2018-06-19 05:12:54 UTC

Description Coby Isley 2017-11-20 22:41:18 UTC

Description of problem:

SELinux policy version 3.7.19-306 appears to have restructured puppet module code to follow rhel7 puppet4 model, including changing /usr/bin/puppet binary to puppet_exec_t. 

It seems that introduced a regression where system administrators cannot execute 'puppet agent' command.  By default sysadm_t domain does not have transition rules to allow puppet to run in the puppet_t domain. Additional denials were generated because sysadmin_t does not have permissions to enter confined domains such as consoletype_t,  hostname_t, puppet_initrc_t etc to execute their 
respective commands. 

puppet_t does have permissions to enter those domains and run their  respective commands. Just like rhel7's version of the policy, 'puppet agent' command should
successfully transition to one of puppet's domain Instead of running in caller's domain. 

Following rhel7's model, rhel6's puppet module should export a couple of interfaces that would allow calling domain/role combination to transition to puppet_t domain.  Something like ..

########################################
## <summary>
##      Execute puppet in the puppet
##      domain.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`puppet_domtrans_puppet',`
        gen_require(`
                type puppet_t, puppet_exec_t;
        ')

        corecmd_search_bin($1)
        domtrans_pattern($1, puppet_exec_t, puppet_t)
')

#####################################
## <summary>
##      Execute puppet in the puppet
##      domain and allow the specified
##      role the puppet domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to transition.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`puppet_run_puppet',`
        gen_require(`
                type puppet_t, puppet_exec_t;
        ')

        puppet_domtrans_puppet($1)
        role $2 types puppet_t;
')

With these interfaces, appropriate system administrators could be allowed to execute puppet.


Version-Release number of selected component (if applicable):

- SELinux policy version 3.7.19-306 


How reproducible:

- Each time


Steps to Reproduce:
1. Create a rhel6 system with the latest selinux-policy rpm.
2. Install and setup puppet
3. ssh into the system and become system administrator using "sudo -ir sysadm_r"  or login locally on the system as root in sysadm_r role.
4. Run "puppet agent --test --noop"


Actual results:
- Selinux is denying this interaction


Expected results:
- As this works in the later RHEL 7, RHEL 6 should ideally reflect this behavior as well.

Comment 12 Milos Malik 2017-12-06 09:33:14 UTC

log in via ssh as staff_u user -> switch to sysadm_r via newrole -> switch to root via su -> run puppet agent --test --noop --server

Following SELinux denial appears after disabling dontaudit rules:
----
type=SYSCALL msg=audit(12/06/2017 04:28:33.553:351) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xb9a740 a1=0xbaf4e0 a2=0xba1390 a3=0x38 items=0 ppid=25156 pid=25576 auid=staffroot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=17 comm=puppet exe=/usr/bin/ruby subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/06/2017 04:28:33.553:351) : avc:  denied  { execute_no_trans } for  pid=25576 comm=bash path=/usr/bin/puppet dev=vda1 ino=33564 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_exec_t:s0 tclass=file 
type=AVC msg=audit(12/06/2017 04:28:33.553:351) : avc:  denied  { execute } for  pid=25576 comm=bash name=puppet dev=vda1 ino=33564 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_exec_t:s0 tclass=file 
----

Comment 19 errata-xmlrpc 2018-06-19 05:11:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1871

Note You need to log in before you can comment on or make changes to this bug.