Bug 187120 - cfengine needs to be SELinux aware
Product: Fedora
Classification: Fedora
Component: cfengine
Hardware: All / OS: Linux
Priority: medium
Severity: medium
Assigned To: Jeff Sheltren
QA Contact: Fedora Extras Quality Assurance
Status: Reopened
Reported: 2006-03-28 11:50 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.0
Doc Type: Bug Fix
Last Closed: 2007-10-17 16:10:30 EDT

Attachments
Patch to call restorecon after editing files (669 bytes, patch) - 2007-02-05 07:57 EST, Panu Matilainen
selinux support for file copies and editfiles (3.93 KB, patch) - 2007-03-19 09:57 EDT, Jeff Sheltren
patch to configure.ac (1.14 KB, patch) - 2007-04-11 11:08 EDT, Orion Poplawski

Description Orion Poplawski 2006-03-28 11:50:00 EST
Description of problem:

Saw the following when installing a package (amanda) that creates a user with

Mar 27 10:34:11 vault kernel: audit(1143480851.376:613): avc:  denied  { read }
for  pid=17049 comm="useradd" name="nsswitch.conf" dev=hda3 ino=807872
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Mar 27 10:34:11 vault kernel: audit(1143480851.376:614): avc:  denied  { getattr
} for  pid=17049 comm="useradd" name="nsswitch.conf" dev=hda3 ino=807872
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Version-Release number of selected component (if applicable):

How reproducible:
every time
Comment 2 Daniel Walsh 2006-05-09 16:25:34 EDT
Problem here is that nsswitch.conf has the wrong context?  Any idea how this
happened?  This file should have a context of etc_t?  Do you know of any
application that updates this file?

restorecon /etc/nsswitch.conf should fix it.
Comment 3 Orion Poplawski 2006-05-09 16:37:45 EDT
It's managed by cfengine, which gets run by rc.local during the first boot of a
machine and copies it over from the server.  Hmm, I imagine cfengine is a
nightmare as far as selinux is concerned.  Would the ideal thing be for cfengine
to run restorecon (or the equivalent) on every file it updates?  Or should
contexts be preserved some other way?
Comment 4 Daniel Walsh 2006-05-09 19:31:01 EDT
Yes it should call restorecon, or better yet have restorecon built in.  As in
reality the files should get created with the correct context.

CFEngine needs to be made SELinux aware.

Comment 5 Thomas Woerner 2006-05-10 05:58:57 EDT
Daniel: cfengine is not part of Fedora Core, it is in extras.
Comment 6 Panu Matilainen 2007-02-05 07:57:55 EST
Created attachment 147352 [details]
Patch to call restorecon after editing files

Here's a dumb patch to call restorecon on modified files, but there are
probably various other places in need of selinux-love. Seems to work for me,
but take care...
Comment 7 Jeff Sheltren 2007-02-24 13:51:05 EST
Hi Panu, thanks for the patch.

I'm going to work on linking cfengine against libselinux and calling the selinux
functions directly.
Comment 8 Jeff Sheltren 2007-03-19 09:57:06 EDT
Created attachment 150363 [details]
selinux support for file copies and editfiles

I've created a patch to add selinux support to cfengine.  So far, it only
supports regular file copies and editfiles.  If the destination file exists,
its context will be used for the newly copied/edited file.  If the destination
file does not exist, the default context for the destination directory will be

I've created an SRPM and some testing rpms for FC6 and EL4, they can be found
here: http://www.sheltren.com/cfengine/

I'd appreciate any testing or changes/additions.  If you patch the source
manually (patch is made against 2.1.22), you'll need to run autoconf/automake
and then use the '--enable-selinux' configure flag.  If you use the RPMs, this
will be done for you.

This has also been added to SVN upstream, but I thought I might get some
interested parties here to test it out.

Thanks, Dan Walsh, for your guidance with the libselinux functions.
Comment 9 Orion Poplawski 2007-04-11 11:08:49 EDT
Created attachment 152279 [details]
patch to configure.ac

I've been running 2.1.22-2 locally here on FC5 and FC6 without much issue. 
Haven't really dug into how accurate it is setting contexts though.  I do need
the attached patch to compile on current rawhide though.  Submitted upstream as
Comment 10 Orion Poplawski 2007-04-11 11:12:17 EDT
Apparently this is in upstream svn already too.
Comment 11 Daniel Walsh 2007-04-11 11:16:18 EDT
Great, I would like to get this in as soon as we can.
Comment 12 Jeff Sheltren 2007-04-11 11:20:52 EDT
Great, thanks for testing it out.  I'll add the autoconf patch, the SELinux
patch, and the "fedora release" patch (in #235922) and roll out a package for
rawhide soon.
Comment 13 Jeff Sheltren 2007-04-13 09:11:14 EDT
Just built this for rawhide, also includes the autoconf patch, and patch to
detect latest fedora/redhat releases.
Comment 14 Orion Poplawski 2007-04-25 13:45:15 EDT
Here's a case that doesn't work:

   #Use hostname as dhcp client id
   { /etc/dhclient.conf
      # Try to get their assigned IP
      AppendIfNoSuchLine "send dhcp-client-identifier \"$(host)\";"
      # Let people use short names
      AppendIfNoSuchLine "append domain-name \" cora.nwra.com\";"
      # Try to always have a working name server
      AppendIfNoSuchLine "append domain-name-servers;"
   }

If /etc/dhclient.conf doesn't exist, it gets created with the wrong label:

[root@cynosure ppkeys]# rm /etc/dhclient.conf
rm: remove regular file `/etc/dhclient.conf'? y
[root@cynosure ppkeys]# cfagent -q
[root@cynosure ppkeys]# restorecon -r -v /etc
restorecon reset /etc/dhclient.conf context
Comment 15 Jeff Sheltren 2007-04-25 13:57:22 EDT
Hi Orion, thanks for catching that.  Yep, it looks like my patch is assuming
that the file exists for edits (copies should work fine for new files).

I'll work on the editfiles patch and rebuild.
Comment 16 Daniel Walsh 2007-04-25 14:45:15 EDT
You need the matchpathcon, setfscreatecon pair to do this.
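The labelling rule Jeff describes in comment 8 (reuse an existing destination's context, otherwise the directory default) combined with the matchpathcon/setfscreatecon pair Dan names here, covering the AutoCreate case from comment 14, as an added example written for this page in Python over ctypes; it is not the cfengine patch itself. It assumes libselinux.so.1 can be loaded and falls back to plain file creation where the library is missing or SELinux is disabled (which is what demo() exercises on a non-SELinux host).

```python
import ctypes, ctypes.util, os, stat, tempfile

try:
    LIB = ctypes.CDLL(ctypes.util.find_library("selinux") or "libselinux.so.1")
except OSError:  # host without libselinux: plain file creation below
    LIB = None
if LIB is not None:
    # Out-params stay raw pointers so the same pointer can go back to freecon().
    LIB.getfilecon.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_void_p)]
    LIB.matchpathcon.argtypes = [ctypes.c_char_p, ctypes.c_uint, ctypes.POINTER(ctypes.c_void_p)]
    LIB.setfscreatecon.argtypes = [ctypes.c_char_p]
    LIB.freecon.argtypes = [ctypes.c_void_p]

def desired_context(path, mode=0o644):
    """Label a copied/edited file at `path` should get; None if SELinux is off."""
    if LIB is None or LIB.is_selinux_enabled() != 1:
        return None
    con = ctypes.c_void_p()
    if os.path.lexists(path):  # existing destination: keep its current label
        rc = LIB.getfilecon(path.encode(), ctypes.byref(con))
    else:  # AutoCreate case from comment 14: ask the policy for the default
        rc = LIB.matchpathcon(path.encode(), stat.S_IFREG | mode, ctypes.byref(con))
    if rc < 0 or not con.value:
        return None
    try:
        return ctypes.string_at(con.value).decode()
    finally:
        LIB.freecon(con)

def write_with_context(path, data, mode=0o644):
    con = desired_context(path, mode)
    if con is not None:
        LIB.setfscreatecon(con.encode())  # kernel labels the new inode with this
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(data)
    finally:
        if con is not None:
            LIB.setfscreatecon(None)  # reset, or later files inherit the override
    return con

def demo():
    """Recreate the thread's missing dhclient.conf in a scratch dir (constructed input)."""
    path = os.path.join(tempfile.mkdtemp(), "dhclient.conf")
    con = write_with_context(path, 'send dhcp-client-identifier "host";\n')
    with open(path) as f:
        return f.read(), con
```

After the write, restorecon -n -v on the path (as Orion did) should report nothing to reset when the label was chosen correctly.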
Comment 17 Jeff Sheltren 2007-04-25 22:16:27 EDT

I've updated the patch so it should work with edits on non-existent files.
I don't have a box handy for testing at the moment, but I've built some
packages using the updated patch.  The (FC6 + SRPM) packages and patch
can be found here: http://www.sheltren.com/cfengine/ 

8e41d86945b260dffac29b6d1dce4d45f6e4024d  cfengine-2.1.22-4.fc6.i386.rpm
da8a5f968d3dec1c3da3292942991f44e34d3891  cfengine-2.1.22-4.fc6.src.rpm
7a35bde042b9d1e08466e44bceb3af6c5c574a7f  cfengine-2.1.22-4.fc6.x86_64.rpm

Orion, if you could give the updated RPM a try and let me know if it works
for you I'd appreciate it.

Comment 18 Orion Poplawski 2007-04-26 12:26:25 EDT
(In reply to comment #17)
> Orion, if you could give the updated RPM a try and let me know if it works
> for you I'd appreciate it.

Does not appear to work.

[root@orizaba etc]# restorecon -v dhclient.conf
restorecon reset /etc/dhclient.conf context
Comment 19 Jeff Sheltren 2007-05-08 19:24:42 EDT

Hi Orion, thanks for trying it out.  I've been traveling and
am finally able to access a machine to test on...

I've added a new patch which should fix the problem you were
having when using AutoCreate for editfiles.

You can find the patch and an updated SRPM here:

6d1f5dea285c18441aa49231a9dfe012ef438661  cfengine-2.1.22-4.fc6.src.rpm

That worked for me, but let me know if you have any problems with it.

Comment 20 Orion Poplawski 2007-05-09 18:34:44 EDT
This version works for me.
Comment 21 Jeff Sheltren 2007-05-11 08:42:13 EDT
I've built some packages of 2.2.0 which include the latest selinux patch.  I
plan to push these to FC6 & 7 once the freeze is over for F7.  In the meantime,
people can grab the 2.2.0 packages for FC6 (and el4/el5) from here if they are
