Description of problem: puppetmaster needs to run chage, which results in the following denial:

type=AVC msg=audit(1306723316.360:211): avc: denied { getattr } for pid=22769 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=1444742 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

I was able to fix this with a custom local policy granting usermanage_domtrans_passwd(puppetmaster_t).
Just as I suspected: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=aa44245b87c44597c81d106d12a201d50c58184b
*** Bug 699330 has been marked as a duplicate of this bug. ***
Ricky, could you just try to disable your local policy

# semodule -d your_module
# semanage permissive -a puppetmaster_t

re-test it and run

# ausearch -m avc -ts recent
Created attachment 501762: puppetmaster avcs

Here's the output. The duplicate entries are because I'm running several instances of the puppetmaster process.
Looks like it is actually not running it in those avc denials but checking for execute (open X_ok) and it's getting attributes of the chage executable file. If it was actually running chage we would also have seen an execute_no_trans avc denial.
I think we need a:

usermanage_check_exec_passwd()
allow $1 passwd_exec_t:file { getattr_file_perms execute };
Ahh, good catch, that makes a lot more sense than actually executing chage (I was fooled by the "execute" in the denial message). I've confirmed that a policy with just

allow puppetmaster_t passwd_exec_t:file { getattr_file_perms execute };

is sufficient. Since I think the same code in puppet is what caused previous useradd denials in puppetmaster, the usermanage_domtrans_useradd(puppetmaster_t) in the current selinux-policy can probably be restricted more as well.
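The narrowing discussed above, written out as a local policy module. This is an added example, not a patch from this bug or from the selinux-policy tree: it uses raw permission names instead of the refpolicy getattr_file_perms macro so it builds with checkmodule alone, and the module name "puppetmaster_chagecheck" is made up for the example.

```selinux
# Local policy module (constructed example) that lets puppetmaster_t
# check whether /usr/bin/chage is executable without granting it a
# domain transition into passwd_t.
module puppetmaster_chagecheck 1.0;

require {
    type puppetmaster_t;
    type passwd_exec_t;
    class file { getattr execute };
}

# The original workaround, usermanage_domtrans_passwd(puppetmaster_t),
# would have granted puppetmaster_t the right to run chage and
# transition into the privileged passwd_t domain. That is far more
# than the observed behaviour needs.
#
# The AVC in this bug shows only getattr, and the follow-up analysis
# shows puppet calls access(2) with X_OK. access() is satisfied by the
# "execute" file permission on the binary itself; no execute_no_trans
# and no domain transition are involved, so neither is granted here.
allow puppetmaster_t passwd_exec_t:file { getattr execute };

# Build and load (run as root from the directory holding the .te file):
#   checkmodule -M -m -o puppetmaster_chagecheck.mod puppetmaster_chagecheck.te
#   semodule_package -o puppetmaster_chagecheck.pp -m puppetmaster_chagecheck.mod
#   semodule -i puppetmaster_chagecheck.pp
# Then confirm no further passwd_exec_t denials with:
#   ausearch -m avc -ts recent | grep passwd_exec_t
```

If the distribution policy already ships the fixed interfaces from this bug, the module is redundant and semodule will simply add rules that are already present; removing it again with semodule -r keeps the policy minimal.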
I actually added the usermanage_check_exec_passwd(puppetmaster_t) in my "puppetca" patch: https://bugzilla.redhat.com/show_bug.cgi?id=703813 dwalsh merged it but changed it to use audit-access, which I am not sure will do the trick (I am actually pretty sure it doesn't do the trick)
https://bugzilla.redhat.com/attachment.cgi?id=498491&action=diff
# ausyscall 21
access

Ricky,

# rpm -q selinux-policy
If audit_access works we will still need to add getattr i suspect. We may also be able to replace the other usermanage_domtrans.* interface calls in puppet.te
Yes.
(In reply to comment #10)
> # ausyscall 21
> access
>
> Ricky,
>
> # rpm -q selinux-policy

selinux-policy-3.9.16-24.fc15.noarch
Edited the "access_check" interfaces to include get attributes, and changed all usermanage calls by puppetmaster to access check. http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=884c081a90563159afc3d6b88ca35a25313e69c4
I am fine with this in Rawhide. But will wait with all changes in F15. I am just adding fixes for passwd_exec_t. Fixed in selinux-policy-3.9.16-27.fc15