Bug 187120 - cfengine needs to be SELinux aware
Summary: cfengine needs to be SELinux aware
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: cfengine
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeff Sheltren
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-03-28 16:50 UTC by Orion Poplawski
Modified: 2007-11-30 22:11 UTC (History)
4 users (show)

Fixed In Version: 2.2.0
Clone Of:
Environment:
Last Closed: 2007-10-17 20:10:30 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
Patch to call restorecon after editing files (669 bytes, patch)
2007-02-05 12:57 UTC, Panu Matilainen
no flags Details | Diff
selinux support for file copies and editfiles (3.93 KB, patch)
2007-03-19 13:57 UTC, Jeff Sheltren
no flags Details | Diff
patch to configure.ac (1.14 KB, patch)
2007-04-11 15:08 UTC, Orion Poplawski
no flags Details | Diff

Description Orion Poplawski 2006-03-28 16:50:00 UTC
Description of problem:

Saw the following when installing a package (amanda) that creates a user with
useradd:

Mar 27 10:34:11 vault kernel: audit(1143480851.376:613): avc:  denied  { read }
for  pid=17049 comm="useradd" name="nsswitch.conf" dev=hda3 ino=807872
scontext=root:system_r:useradd_t:s0-s0:c0.c255
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Mar 27 10:34:11 vault kernel: audit(1143480851.376:614): avc:  denied  { getattr
} for  pid=17049 comm="useradd" name="nsswitch.conf" dev=hda3 ino=807872
scontext=root:system_r:useradd_t:s0-s0:c0.c255
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-2.fc5

How reproducible:
every time

Comment 2 Daniel Walsh 2006-05-09 20:25:34 UTC
Problem here is that nsswitch.conf has the wrong context?  Any idea how this
happened.  This file should have a context of etc_t?  Do you know of any
application that updates this file? 

restorecon /etc/nsswitch.conf should fix it.

Comment 3 Orion Poplawski 2006-05-09 20:37:45 UTC
It's managed by cfengine, which gets run by rc.local during the first boot of a
machine and copies it over from the server.  Hmm, I imagine cfegine is a
nightmare as far as selinux is concerned.  Would the ideal thing be for cfengine
to run restorecon (or the equivalent) on every file it updates?  Or should
contexts be preserved some other way?

Comment 4 Daniel Walsh 2006-05-09 23:31:01 UTC
Yes it should call restorecon, or better yet have restorcon built in.  As in
reality the files should get created with the correct context.

CFEngine needs to be made SELinux aware.



Comment 5 Thomas Woerner 2006-05-10 09:58:57 UTC
Daniel: cfengine is not part of Fedora Core, it is in extras.


Comment 6 Panu Matilainen 2007-02-05 12:57:55 UTC
Created attachment 147352 [details]
Patch to call restorecon after editing files

Here's a dumb patch to call restorecon on modified files, but there are
probably various other places in need of selinux-love. Seems to work for me,
but take care...

Comment 7 Jeff Sheltren 2007-02-24 18:51:05 UTC
Hi Panu, thanks for the patch.

I'm going to work on linking cfengine against libselinux and calling the selinux
functions directly.

Comment 8 Jeff Sheltren 2007-03-19 13:57:06 UTC
Created attachment 150363 [details]
selinux support for file copies and editfiles

I've created a patch to add selinux support to cfengine.  So far, it only
supports regular file copies and editfiles.  If the destination file exists,
its context will be used for the newly copied/edited file.  If the destination
file does not exist, the default context for the destination directory will be
used.

I've created an SRPM and some testing rpms for FC6 and EL4, they can be found
here: http://www.sheltren.com/cfengine/

I'd appreciate any testing or changes/additions.  If you patch the source
manually (patch is made against 2.1.22), you'll need to run autoconf/automake
and then use the '--enable-selinux' configure flag.  If you use the RPMs, this
will be done for you.

This has also been added to SVN upstream, but I thought I might get some
interested parties here to test it out.

Thanks, Dan Walsh, for your guidance with the libselinux functions.

Comment 9 Orion Poplawski 2007-04-11 15:08:49 UTC
Created attachment 152279 [details]
patch to configure.ac

I've been running 2.1.22-2 locally here on FC5 and FC6 without much issue. 
Haven't really dug into how accurate it is setting contexts though.  I do need
the attached patch to compile on current rawhide though.  Submitted upstream as
well.

Comment 10 Orion Poplawski 2007-04-11 15:12:17 UTC
Apparently this is in upstream svn already too.

Comment 11 Daniel Walsh 2007-04-11 15:16:18 UTC
Great, I would like to get this in as soon as we can.

Comment 12 Jeff Sheltren 2007-04-11 15:20:52 UTC
Great, thanks for testing it out.  I'll add the autoconf patch, the SELinux
patch, and the "fedora release" patch (in #235922) and roll out a package for
rawhide soon.

Comment 13 Jeff Sheltren 2007-04-13 13:11:14 UTC
Just built this for rawhide, also includes the autoconf patch, and patch to
detect latest fedora/redhat releases.

Comment 14 Orion Poplawski 2007-04-25 17:45:15 UTC
Here's a case the doesn't work:

editfiles:
   #Use hostname as dhcp client id
   { /etc/dhclient.conf
      AutoCreate
      # Try to get their assigned IP
      AppendIfNoSuchLine "send dhcp-client-identifier \"$(host)\";"
      # Let people use short names
      AppendIfNoSuchLine "append domain-name \" cora.nwra.com\";"
      # Try to always have a working name server
      AppendIfNoSuchLine "append domain-name-servers 65.125.157.180;"
   }

If /etc/dhclient.conf doesn't exist, it gets created with the wrong label:

[root@cynosure ppkeys]# rm /etc/dhclient.conf
rm: remove regular file `/etc/dhclient.conf'? y
[root@cynosure ppkeys]# cfagent -q
[root@cynosure ppkeys]# restorecon -r -v /etc
restorecon reset /etc/dhclient.conf context
user_u:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0


Comment 15 Jeff Sheltren 2007-04-25 17:57:22 UTC
Hi Orion, thanks for catching that.  Yep, it looks like my patch is assuming
that the file exists for edits (copies should work fine for new files).

I'll work on the editfiles patch and rebuild.

Comment 16 Daniel Walsh 2007-04-25 18:45:15 UTC
You need the matchpathcon, setfscreatecon pair to do this.

Comment 17 Jeff Sheltren 2007-04-26 02:16:27 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've updated the patch so it should work with edits on non-existant files.
I don't have a box handy for testing at the moment, but I've built some
packages using the updated patch.  The (FC6 + SRPM) packages and patch
can be found here: http://www.sheltren.com/cfengine/ 

8e41d86945b260dffac29b6d1dce4d45f6e4024d  cfengine-2.1.22-4.fc6.i386.rpm
da8a5f968d3dec1c3da3292942991f44e34d3891  cfengine-2.1.22-4.fc6.src.rpm
7a35bde042b9d1e08466e44bceb3af6c5c574a7f  cfengine-2.1.22-4.fc6.x86_64.rpm

Orion, if you could give the updated RPM a try and let me know if it works
for you I'd appreciate it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFGMAtDKe7MLJjUbNMRAgCGAJ9VvFy+p4/3u3JxMjPEFC2Sabgh/ACfdE+l
mgVsPE9GRy3IcEu/qa4rfvM=
=Ykdo
-----END PGP SIGNATURE-----

Comment 18 Orion Poplawski 2007-04-26 16:26:25 UTC
(In reply to comment #17)
> Orion, if you could give the updated RPM a try and let me know if it works
> for you I'd appreciate it.

Does not appear to work.

root@orizaba etc]# restorecon -v dhclient.conf
restorecon reset /etc/dhclient.conf context
root:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0


Comment 19 Jeff Sheltren 2007-05-08 23:24:42 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Orion, thanks for trying it out.  I've been traveling and
am finally able to access a machine to test on...

I've added a new patch which should fix the problem you were
having when using AutoCreate for editfiles.

You can find the patch and an updated SRPM here:
http://www.sheltren.com/cfengine/

6d1f5dea285c18441aa49231a9dfe012ef438661  cfengine-2.1.22-4.fc6.src.rpm

That worked for me, but let me know if you have any problems with it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFGQQaBKe7MLJjUbNMRAiyEAKCV64UB7dKUzn0guOJKEosqny2IIwCgx5qG
BYN06rlYnoqfKDzH620GnFg=
=ZlCG
-----END PGP SIGNATURE-----

Comment 20 Orion Poplawski 2007-05-09 22:34:44 UTC
This version works for me.

Comment 21 Jeff Sheltren 2007-05-11 12:42:13 UTC
I've built some packages of 2.2.0 which include the latest selinux patch.  I
plan to push these to FC6 & 7 once the freeze is over for F7.  In the meantime,
people can grab the 2.2.0 packages for FC6 (and el4/el5) from here if they are
interested:
http://www.sheltren.com/cfengine/testing/


Note You need to log in before you can comment on or make changes to this bug.