Bug 1771414
| Summary: | Update Cockpit SELinux policy for cockpit-tls and client certificate authentication | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Pitt <mpitt> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.2 | CC: | jrusz, lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | 8.2 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-28 16:41:41 UTC | Type: | Feature Request |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1678465 | ||
|
Description
Martin Pitt
2019-11-12 10:15:42 UTC
Validation:
1. I built a RHEL 8.2 image from current nightlies (with virt-install), containing the *previous* selinux-policy 3.14.3-29.el8.
2. I then installed cockpit-ws its %post hack dropped, i. e. no local SELinux hacking any more.
3. This ends up with /usr/libexec/cockpit-tls and /usr/libexec/cockpit-wsinstance-factory having the wrong type "bin_t".
4. I start cockpit, and surprisingly it *works* -- there are no SELinux violations. ("getenforce" confirms that it's on). On second thought this makes sense, as cockpit-tls (the top-level process) would just run basically unconfined:
# ps auxZ | grep cockpit
system_u:system_r:unconfined_service_t:s0 cockpit+ 1217 1.0 0.5 549128 4740 ? Ssl 15:38 0:00 /usr/libexec/cockpit-tls
system_u:system_r:cockpit_ws_t:s0 cockpit+ 1223 2.2 1.1 532728 10044 ? Ssl 15:38 0:00 /usr/libexec/cockpit-ws --for-tls-proxy --port=0
system_u:system_r:cockpit_session_t:s0 root 1234 0.1 0.8 143592 7160 ? S 15:38 0:00 /usr/libexec/cockpit-session localhost
5. I grabbed 3.14.3-30 rpms from https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1038370 (they are not in nightly compose yet), rpm -U'ed them, and confirm that the types are now correct:
/usr/libexec/cockpit-tls and /usr/libexec/cockpit-wsinstance-factory are now cockpit_ws_exec_t.
6. I rebooted, and confirm that I can still log into cockpit. cockpit-tls is now correctly confined:
system_u:system_r:cockpit_ws_t:s0 cockpit+ 1142 1.1 0.8 549128 6820 ? Ssl 15:45 0:00 /usr/libexec/cockpit-tls
system_u:system_r:cockpit_ws_t:s0 cockpit+ 1147 2.6 1.2 311460 10292 ? Ssl 15:45 0:00 /usr/libexec/cockpit-ws --for-tls-proxy --port=0
system_u:system_r:cockpit_session_t:s0 root 1159 0.2 0.8 143592 7212 ? S 15:45 0:00 /usr/libexec/cockpit-session localhost
7. I successfully ran cockpit's TLS and certificate auth tests against that image.
So from my POV this works great, and I consider this verified. Thanks Lukas!
I just can't formally set "VERIFIED" -- Honza, do you have a way to re-run your sanity tests once this is in the nightly compose, and sign off here? Thanks!
I also sent https://github.com/cockpit-project/cockpit/pull/13301 to drop the %post hack.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1773 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |