Description of problem:
Saw the following when installing a package (amanda) that creates a user with useradd:

Mar 27 10:34:11 vault kernel: audit(1143480851.376:613): avc: denied { read } for pid=17049 comm="useradd" name="nsswitch.conf" dev=hda3 ino=807872 scontext=root:system_r:useradd_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
Mar 27 10:34:11 vault kernel: audit(1143480851.376:614): avc: denied { getattr } for pid=17049 comm="useradd" name="nsswitch.conf" dev=hda3 ino=807872 scontext=root:system_r:useradd_t:s0-s0:c0.c255 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-2.fc5

How reproducible:
every time
Problem here is that nsswitch.conf has the wrong context? Any idea how this happened? This file should have a context of etc_t. Do you know of any application that updates this file? "restorecon /etc/nsswitch.conf" should fix it.
It's managed by cfengine, which gets run by rc.local during the first boot of a machine and copies it over from the server. Hmm, I imagine cfengine is a nightmare as far as SELinux is concerned. Would the ideal thing be for cfengine to run restorecon (or the equivalent) on every file it updates? Or should contexts be preserved some other way?
Yes, it should call restorecon, or better yet have restorecon built in, as in reality the files should get created with the correct context. CFEngine needs to be made SELinux aware.
Daniel: cfengine is not part of Fedora Core, it is in extras.
Created attachment 147352
Patch to call restorecon after editing files

Here's a dumb patch to call restorecon on modified files, but there are probably various other places in need of SELinux love. Seems to work for me, but take care...
Hi Panu, thanks for the patch. I'm going to work on linking cfengine against libselinux and calling the selinux functions directly.
Created attachment 150363
SELinux support for file copies and editfiles

I've created a patch to add SELinux support to cfengine. So far, it only supports regular file copies and editfiles. If the destination file exists, its context will be used for the newly copied/edited file. If the destination file does not exist, the default context for the destination directory will be used.

I've created an SRPM and some testing RPMs for FC6 and EL4; they can be found here:

http://www.sheltren.com/cfengine/

I'd appreciate any testing or changes/additions. If you patch the source manually (patch is made against 2.1.22), you'll need to run autoconf/automake and then use the '--enable-selinux' configure flag. If you use the RPMs, this will be done for you.

This has also been added to SVN upstream, but I thought I might get some interested parties here to test it out.

Thanks, Dan Walsh, for your guidance with the libselinux functions.
Created attachment 152279
Patch to configure.ac

I've been running 2.1.22-2 locally here on FC5 and FC6 without much issue. Haven't really dug into how accurate it is at setting contexts, though. I do need the attached patch to compile on current rawhide. Submitted upstream as well.
Apparently this is in upstream svn already too.
Great, I would like to get this in as soon as we can.
Great, thanks for testing it out. I'll add the autoconf patch, the SELinux patch, and the "fedora release" patch (in #235922) and roll out a package for rawhide soon.
Just built this for rawhide, also includes the autoconf patch, and patch to detect latest fedora/redhat releases.
Here's a case that doesn't work:

editfiles:
    # Use hostname as dhcp client id
    { /etc/dhclient.conf
      AutoCreate
      # Try to get their assigned IP
      AppendIfNoSuchLine "send dhcp-client-identifier \"$(host)\";"
      # Let people use short names
      AppendIfNoSuchLine "append domain-name \" cora.nwra.com\";"
      # Try to always have a working name server
      AppendIfNoSuchLine "append domain-name-servers 65.125.157.180;"
    }

If /etc/dhclient.conf doesn't exist, it gets created with the wrong label:

[root@cynosure ppkeys]# rm /etc/dhclient.conf
rm: remove regular file `/etc/dhclient.conf'? y
[root@cynosure ppkeys]# cfagent -q
[root@cynosure ppkeys]# restorecon -r -v /etc
restorecon reset /etc/dhclient.conf context user_u:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0
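An added example, not code from this report or from cfengine: a small Python triage script that does mechanically what the thread does by hand. It pairs AVC denials like the ones in the original report with the mislabeled files that a dry-run relabel (restorecon -n -v -r /etc; -n reports without changing any label) would fix, so a responder can tell a labeling problem from a policy problem. The regular expressions assume the "restorecon reset PATH context OLD->NEW" line format shown in the post above. The sample AVC and restorecon lines are constructed from this thread, plus one made-up denial on a hypothetical /etc/example.conf to exercise the no-match case.

```python
"""Pair SELinux AVC denials with the mislabeled files that explain them.

Added example, not code from this bug report or from cfengine. A denial whose
target type equals the *current* type of a file restorecon wants to relabel is
caused by mislabeling: the fix is restorecon (or a tool that creates files with
the right context), not a policy change. Under the targeted policy only the type
field drives type enforcement, so user-only differences (user_u vs system_u) are
parsed but never treated as the cause of a denial.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "restorecon reset PATH context OLD->NEW" is the format seen in this thread.
RESET_RE = re.compile(r"^restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"


def ctx_type(context: str) -> str:
    """Type field (third component) of a user:role:type:range context."""
    return context.split(":")[2]


@dataclass(frozen=True)
class Mismatch:
    path: str
    current: str  # label the file has now
    default: str  # label the policy expects

    @property
    def type_differs(self) -> bool:
        return ctx_type(self.current) != ctx_type(self.default)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    comm: str
    name: Optional[str]
    scontext: str
    tcontext: str
    tclass: str


def parse_restorecon(output: str) -> List[Mismatch]:
    """Collect 'restorecon reset' lines; warnings and other lines are skipped."""
    found = []
    for line in output.splitlines():
        m = RESET_RE.match(line.strip())
        if m:
            found.append(Mismatch(m["path"], m["old"], m["new"]))
    return found


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC line; returns None for anything that is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return Denial(tuple(m["perms"].split()), fields.get("comm", ""), fields.get("name"),
                  fields["scontext"], fields["tcontext"], fields["tclass"])


def triage(avc_lines: List[str], restorecon_output: str) -> List[Tuple[Denial, Optional[Mismatch]]]:
    """For each denial, find the type-mismatched file that explains it, or None.

    A file explains a denial when its current type equals the denial's target
    type and, if the AVC carries name=, its basename matches that name.
    """
    mismatches = [mm for mm in parse_restorecon(restorecon_output) if mm.type_differs]
    paired = []
    for line in avc_lines:
        d = parse_avc(line)
        if d is None:
            continue
        cause = next((mm for mm in mismatches
                      if ctx_type(mm.current) == ctx_type(d.tcontext)
                      and (d.name is None or os.path.basename(mm.path) == d.name)), None)
        paired.append((d, cause))
    return paired


# Constructed sample: the first AVC line from the report, one made-up denial on a
# hypothetical /etc/example.conf that no relabel explains, and a dry-run report
# carrying the two resets seen in this thread plus a user-only difference.
AVC_SAMPLE = [
    'kernel: audit(1143480851.376:613): avc: denied { read } for pid=17049 comm="useradd" '
    'name="nsswitch.conf" dev=hda3 ino=807872 scontext=root:system_r:useradd_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file',
    'kernel: audit(1143480900.000:615): avc: denied { write } for pid=17049 comm="useradd" '
    'name="example.conf" dev=hda3 ino=807900 scontext=root:system_r:useradd_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]
RESTORECON_SAMPLE = """\
restorecon reset /etc/nsswitch.conf context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/dhclient.conf context user_u:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0
restorecon reset /etc/motd context user_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0
"""

if __name__ == "__main__":
    for d, cause in triage(AVC_SAMPLE, RESTORECON_SAMPLE):
        what = f"{d.comm} {' '.join(d.perms)} {d.tclass} {d.name} ({ctx_type(d.tcontext)})"
        if cause is not None:
            print(f"{what}: mislabeled; restorecon {cause.path} -> {ctx_type(cause.default)}")
        else:
            print(f"{what}: no relabel explains it; look at the policy, not the label")
```

On a real host, feed triage() the avc: lines from /var/log/messages or /var/log/audit/audit.log and the stdout of restorecon -n -v -r /etc. A denial that gets paired with a file means the label is wrong and restorecon (or a cfengine that sets contexts itself) is the fix; an unpaired denial is a policy question. The basename check matters: in the sample, the made-up example.conf denial targets etc_t, which is also the current (wrong) type of dhclient.conf, and only the name keeps the two from being confused.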
Hi Orion, thanks for catching that. Yep, it looks like my patch is assuming that the file exists for edits (copies should work fine for new files). I'll work on the editfiles patch and rebuild.
You need the matchpathcon, setfscreatecon pair to do this.
I've updated the patch so it should work with edits on non-existent files. I don't have a box handy for testing at the moment, but I've built some packages using the updated patch. The (FC6 + SRPM) packages and patch can be found here:

http://www.sheltren.com/cfengine/

8e41d86945b260dffac29b6d1dce4d45f6e4024d  cfengine-2.1.22-4.fc6.i386.rpm
da8a5f968d3dec1c3da3292942991f44e34d3891  cfengine-2.1.22-4.fc6.src.rpm
7a35bde042b9d1e08466e44bceb3af6c5c574a7f  cfengine-2.1.22-4.fc6.x86_64.rpm

Orion, if you could give the updated RPM a try and let me know if it works for you I'd appreciate it.
(In reply to comment #17)
> Orion, if you could give the updated RPM a try and let me know if it works
> for you I'd appreciate it.

Does not appear to work.

[root@orizaba etc]# restorecon -v dhclient.conf
restorecon reset /etc/dhclient.conf context root:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0
Hi Orion, thanks for trying it out. I've been traveling and am finally able to access a machine to test on... I've added a new patch which should fix the problem you were having when using AutoCreate for editfiles. You can find the patch and an updated SRPM here:

http://www.sheltren.com/cfengine/

6d1f5dea285c18441aa49231a9dfe012ef438661  cfengine-2.1.22-4.fc6.src.rpm

That worked for me, but let me know if you have any problems with it.
This version works for me.
I've built some packages of 2.2.0 which include the latest SELinux patch. I plan to push these to FC6 & 7 once the freeze is over for F7. In the meantime, people can grab the 2.2.0 packages for FC6 (and el4/el5) from here if they are interested:

http://www.sheltren.com/cfengine/testing/