1777263 – puppet and|or certmonger trigger SELinux AVC

Bug 1777263 - puppet and|or certmonger trigger SELinux AVC

Summary: puppet and|or certmonger trigger SELinux AVC

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	16.0 (Train)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	16.0 (Train on RHEL 8.1)
Assignee:	Cédric Jeanneret
QA Contact:	Julie Pichon
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-27 10:07 UTC by Cédric Jeanneret
Modified:	2020-02-06 14:43 UTC (History)
CC List:	4 users (show)
Fixed In Version:	openstack-selinux-0.8.20-0.20191128201822.e19dabc.el8ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-02-06 14:42:58 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	redhat-openstack openstack-selinux pull 47	0	'None'	closed	Add some policies for Certmonger	2021-02-15 07:53:56 UTC
Red Hat Product Errata	RHEA-2020:0283	0	None	None	None	2020-02-06 14:43:58 UTC

Description Cédric Jeanneret 2019-11-27 10:07:08 UTC

Description of problem:
type=PROCTITLE msg=audit(11/27/2019 09:26:29.654:7887) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml certmonger_ca 
type=SYSCALL msg=audit(11/27/2019 09:26:29.654:7887) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x63cde8 a1=0x7ffd10abada0 a2=0x7ffd10abada0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12093 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.654:7887) : avc:  denied  { search } for  pid=12093 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.719:7888) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml container_cli docker 
type=SYSCALL msg=audit(11/27/2019 09:26:29.719:7888) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x2550d88 a1=0x7ffffa5c96f0 a2=0x7ffffa5c96f0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12095 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.719:7888) : avc:  denied  { search } for  pid=12095 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.787:7889) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir 
type=SYSCALL msg=audit(11/27/2019 09:26:29.787:7889) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0xf18d90 a1=0x7ffc8b7255c0 a2=0x7ffc8b7255c0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.787:7889) : avc:  denied  { search } for  pid=12097 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.853:7890) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir 
type=SYSCALL msg=audit(11/27/2019 09:26:29.853:7890) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0xb48df0 a1=0x7ffe08af6430 a2=0x7ffe08af6430 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12099 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.853:7890) : avc:  denied  { search } for  pid=12099 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(11/27/2019 09:26:29.919:7891) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate 
type=SYSCALL msg=audit(11/27/2019 09:26:29.919:7891) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x1548df0 a1=0x7fff5cf3e5c0 a2=0x7fff5cf3e5c0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) 
type=AVC msg=audit(11/27/2019 09:26:29.919:7891) : avc:  denied  { search } for  pid=12101 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0

Version-Release number of selected component (if applicable):
openstack-selinux-0.8.20-0.20191125094339.a4fcc2c.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy osp-16 undercloud|director with internal CA
2. Check /var/log/audit/audit.log
3.

Actual results:
We get a bunch of denials related to certmonger and puppet


Expected results:
No AVC

Additional info:
The following parameters are set in the undercloud.conf, in the DEFAULT section:
generate_service_certificate = True
certificate_generation_ca = local

The provided output is generated using `cat /var/log/audit/audit.log | ausearch -i | less' and searching for "denied" string.

We might want to allow certmonger_t to manage file patterns on puppet_etc_t ? Not really sure of the potential implications.

Comment 1 Cédric Jeanneret 2019-11-27 12:32:03 UTC

ok, since it's read-only, we can use the nice read_file_pattern (and add the "search" for directories). Providing a PR shortly.

Comment 5 Cédric Jeanneret 2020-01-06 07:35:00 UTC

Hello Julie,

Would you be able to verify this one? It wouldn't make much sense if I verify it, would it? :)

Thanks!

C.

Comment 6 Julie Pichon 2020-01-06 13:33:26 UTC

I don't have the resources to check on a working environment, but I can do a sanity check and also have confidence based on the testing we did at the time.

Verified using openstack-selinux-0.8.20-0.20191220123532.2f2c423.el8ost.

Comment 9 errata-xmlrpc 2020-02-06 14:42:58 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283

Note You need to log in before you can comment on or make changes to this bug.