Bug 718390 - Shipped SELinux policy prevents Puppet 2.6/2.7 from working
Summary: Shipped SELinux policy prevents Puppet 2.6/2.7 from working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 732486
Depends On:
Blocks: 666094
 
Reported: 2011-07-02 10:03 UTC by Yury V. Zaytsev
Modified: 2018-11-26 18:44 UTC (History)
CC List: 11 users

Fixed In Version: selinux-policy-3.7.19-118.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:08:56 UTC
Target Upstream Version:


Attachments
  Addon policy to allow puppetmaster to start (512 bytes, text/plain), 2011-07-02 10:06 UTC, Yury V. Zaytsev
  New version of my custom policy (857 bytes, text/plain), 2011-08-04 08:13 UTC, Yury V. Zaytsev


Links
  Red Hat Product Errata RHBA-2011:1511 (normal, SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-12-06 00:39:17 UTC

Description Yury V. Zaytsev 2011-07-02 10:03:48 UTC
Description of problem:

Upon startup, the latest puppetmaster now tries to getattr & execute /usr/bin/chage which has not been previously described in the policy, so it generates SELinux denials and fails to start with an obscure error message. Also, it wants to search sysfs and only when it is allowed to do so, it starts happily.

Puppet & Puppet master are crucial pieces of software to be run on RHEL, so this definitely needs fixing. Additionally, the current RHEL6 policy doesn't cover puppetca, but I am not sure if this is worth backporting from Fedora or whether only minimal changes should be made to allow the new versions of the Puppet suite to run.

How reproducible:


Steps to Reproduce:
1. Install Puppet 2.7.1 (packaging available from RepoForge)
2. Attempt to start Puppet master
  
Actual results:

[root@puppet ~]# service puppetmaster start
Starting puppetmaster: Could not prepare for execution: Cannot save ca; parent
directory /var/lib/puppet/ssl/ca does not exist
                                                           [FAILED]

Expected results:

[root@puppet ~]# service puppetmaster start
Starting puppetmaster:                                     [  OK  ]

Additional info:

I posted the denials to #711804, where it was suggested that I open a separate bug for RHEL6. I came up with the attached policy and now, at least, puppetmaster of puppet 2.7.1 starts.

Could you please advise me on what would be the expected TAT on this bug?

I'd like to know if this can be fixed as a regular update, or I'd better ship an addon SELinux policy with my puppet 2.7.1 packages (RepoForge). If this can be fixed quickly I'd rather not do it, because then I would need to Obsolete: my policy.

Comment 1 Yury V. Zaytsev 2011-07-02 10:06:24 UTC
Created attachment 510984
Addon policy to allow puppetmaster to start

Comment 3 Miroslav Grepl 2011-07-11 08:28:58 UTC
I need to backport changes from Fedora.

Comment 4 Miroslav Grepl 2011-07-20 10:06:03 UTC
Fixed in selinux-policy-3.7.19-104.el6

Comment 5 Todd Zullinger 2011-07-22 19:39:42 UTC
Miroslav,

Thanks for the backported policy update. Do you know about how long this will take to get pushed into the rhel6 update channel?

Comment 6 Daniel Walsh 2011-07-22 20:40:53 UTC
I push them out to people.redhat.com/dwalsh/SELinux/RHEL6

Comment 9 Yury V. Zaytsev 2011-08-01 14:39:47 UTC
Dan, could you please upload selinux-policy-3.7.19-106.el6 binary/src to your repo? I'm seeing more denials and I'd like to test if those have been also fixed pro-actively by backporting changes from Fedora or I need to report them as well.

Thanks!

Comment 10 Yury V. Zaytsev 2011-08-01 14:42:47 UTC
P.S. I do have access to FastTrack, but the packages are not there yet.

P.P.S. It's the node/port bind thing that I am talking about:

module puppetmaster 1.0;

require {
        type puppetmaster_t;
        type node_t;
        type port_t;
        class udp_socket { name_bind node_bind };
}

#============= puppetmaster_t ==============
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;

Comment 11 Miroslav Grepl 2011-08-01 14:44:39 UTC
Please attach raw AVC msgs. I will do a new RHEL6 selinux-policy build tomorrow.

Comment 12 Yury V. Zaytsev 2011-08-01 14:49:26 UTC
Summary:

SELinux is preventing /usr/bin/ruby "name_bind" access .

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          62427
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX
                              2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
                              14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   13
First Seen                    Mon Aug  1 15:40:45 2011
Last Seen                     Mon Aug  1 16:13:08 2011
Local ID                      2dd7655d-b452-4eb8-a9b8-cbf7d7c8f444
Line Numbers                  

Raw Audit Messages            

node=XXX type=AVC msg=audit(1312207988.988:14129): avc:  denied  { name_bind } for  pid=17866 comm="puppetmasterd" src=62427 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=XXX type=SYSCALL msg=audit(1312207988.988:14129): arch=c000003e syscall=49 success=no exit=-13 a0=17 a1=4b21500 a2=10 a3=40 items=0 ppid=1 pid=17866 auid=0 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=1082 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)


-------------------------------------------------------------------------------


Summary:

SELinux is preventing /usr/bin/ruby "node_bind" access .

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:node_t:s0
Target Objects                None [ udp_socket ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          50157
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX
                              2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
                              14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   9
First Seen                    Mon Aug  1 15:40:45 2011
Last Seen                     Mon Aug  1 16:11:08 2011
Local ID                      ac17f647-8613-4dc9-8331-6dd33a3413ff
Line Numbers                  

Raw Audit Messages            

node=XXX type=AVC msg=audit(1312207868.949:14122): avc:  denied  { node_bind } for  pid=17866 comm="puppetmasterd" src=50157 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket

node=XXX type=SYSCALL msg=audit(1312207868.949:14122): arch=c000003e syscall=49 success=no exit=-13 a0=16 a1=49e00d0 a2=10 a3=40 items=0 ppid=1 pid=17866 auid=0 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=1082 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)

Comment 13 Yury V. Zaytsev 2011-08-03 11:38:28 UTC
Yet another one that I had to add to my private policy:


Summary:

SELinux is preventing /usr/bin/ruby "relabelfrom" access on auth.conf.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                unconfined_u:object_r:puppet_etc_t:s0
Target Objects                auth.conf [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX
                              2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
                              14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Sun Jul  3 03:31:02 2011
Last Seen                     Wed Aug  3 10:15:39 2011
Local ID                      d4686f8d-9853-4e54-9341-f66f631abb85
Line Numbers                  

Raw Audit Messages            

node=XXX type=AVC msg=audit(1312359339.27:12): avc:  denied  { relabelfrom } for  pid=1967 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393383 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=file

node=XXX type=SYSCALL msg=audit(1312359339.27:12): arch=c000003e syscall=189 success=no exit=-13 a0=2f7f7e0 a1=7f9758749259 a2=2f88a60 a3=22 items=0 ppid=1966 pid=1967 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)

Comment 14 Yury V. Zaytsev 2011-08-04 08:12:23 UTC
Yet another one:

Summary:

SELinux is preventing /usr/bin/ruby "relabelto" access on auth.conf.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this
access is required by puppetmasterd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:puppet_etc_t:s0
Target Objects                auth.conf [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          XXX
Source RPM Packages           ruby-1.8.7.299-7.el6_1.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-93.el6_1.2
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     XXX
Platform                      Linux XXX
                              2.6.32-131.6.1.el6.x86_64 #1 SMP Mon Jun 20
                              14:15:38 EDT 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Thu Aug  4 10:01:47 2011
Last Seen                     Thu Aug  4 10:01:47 2011
Local ID                      9797cad5-8d83-4e22-887f-073795609148
Line Numbers                  

Raw Audit Messages            

node=XXX type=AVC msg=audit(1312444907.124:12): avc:  denied  { relabelto } for  pid=1965 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393382 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

node=XXX type=SYSCALL msg=audit(1312444907.124:12): arch=c000003e syscall=189 success=no exit=-13 a0=2e4c370 a1=7f0113f2e259 a2=2e555f0 a3=22 items=0 ppid=1964 pid=1965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)

Comment 15 Yury V. Zaytsev 2011-08-04 08:13:06 UTC
Created attachment 516652
New version of my custom policy

Comment 16 Miroslav Grepl 2011-08-04 14:13:33 UTC
This should be fixed in the latest RHEL6 policy.


Dan,
could you upload it. 

selinux-policy-3.7.19-106.el6

Comment 17 Orion Poplawski 2011-08-08 21:26:34 UTC
I still get:

type=AVC msg=audit(1312838690.796:71801): avc:  denied  { search } for  pid=4896 comm="puppetmasterd" name="nslcd" dev=dm-4 ino=655384 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir

with:
puppet-server-2.6.6-1.el6.noarch
selinux-policy-3.7.19-106.el6.noarch

Although it seems to start up fine.

Comment 18 Yury V. Zaytsev 2011-08-09 07:21:18 UTC
Hi Orion!

Would you mind testing my puppet-2.7.1-1 packages to see if there are any more denials that we will be pushing into RepoForge as soon as this issue is resolved?

http://rpm.zaytsev.net/test/puppet/

I'm now running customized packages with an addon SELinux policy of my own in production, so I can't really test it with stock policy and rather migrate to 2.7.3 directly when it comes out.

Thanks!

Comment 19 Orion Poplawski 2011-08-09 22:01:36 UTC
Yury, I think I'm just going to stick with puppet from EPEL for now.  Thanks.

Comment 20 Yury V. Zaytsev 2011-08-10 07:11:38 UTC
tmz will push it into EPEL as soon as (1) this issue is closed and (2) 2.7.3 comes out, so you can regard it as a beta version, but I do not insist :-) I'd just appreciate help in making sure that this won't have to be re-opened again for 2.7.1 and 2.7.3.

Comment 21 Todd Zullinger 2011-08-10 07:37:31 UTC
I don't have plans to push 2.7.x to EPEL anytime soon.  AFAIK, it contains incompatible changes from 2.6.x.  And we don't even have 2.6.x in stable yet.  I'm not thrilled about the prospect of pushing an(other) update that might cause folks more work.  Historically, major updates have taken a while to work out the kinks.  We didn't even start testing 2.6.x in epel-testing until 2.6.6.  (Sadly, 2.6.x is not going to be maintained much longer upstream, so we may have to move to 2.7.x at some point.)

Comment 22 Yury V. Zaytsev 2011-08-10 07:58:29 UTC
Oh, I'm sorry for the delusion, then I misinterpreted your statement on the IRC regarding the SELinux issues with 2.7.x; I was thinking that this is the only thing that prevents you from putting 2.7.1 to test.

Re: 2.6.x, not that I am happy about it, but it's already almost dropped AFAIK, just one core thing that is broken that I ran into were anonymous arrays and this is not going to be fixed. Ruby-style, be always at the bleeding edge...

So in terms of time investment, 2.7.x after 2.7.3 comes out might be a better idea, at least you have 2.7.x life span ahead of you and can hope for some client / server compatibility... :-)

Comment 23 Miroslav Grepl 2011-08-10 15:14:22 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 25 Jonathan Underwood 2011-08-22 16:24:43 UTC
In order to get puppetmaster to work with SELinux enabled I had to use the following local module. This contains things not currently allowed by the shipped policy, specifically relating to having cobbler automatically call puppetca to sign certificate requests as machines are installed.



module puppetlocal 1.0;

require {
       type puppetmaster_t;
       type puppet_var_lib_t;
       type cobblerd_t;
       type httpd_sys_content_t;
       type node_t;
       type sysfs_t;
       type port_t;
       type cert_t;
       class dir { remove_name search };
       class udp_socket { name_bind node_bind };
       class file { create setattr };
}

#============= cobblerd_t ==============
#!!!! This avc is allowed in the current policy
allow cobblerd_t cert_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:dir remove_name;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:file { create setattr };
#!!!! This avc is allowed in the current policy
allow cobblerd_t puppet_var_lib_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t sysfs_t:dir search;

#============= puppetmaster_t ==============
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;
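
Editor's note (added example, not a comment on this bug and not code from selinux-policy, Puppet or audit2allow): the local modules posted in comments 10 and 25 are what `audit2allow -M` produces from the raw AVC lines quoted in comments 12, 13, 14 and 17. The script below redoes that step by hand so the shape of the output is visible: it parses the `type=AVC` lines into (source type, target type, class, permissions), emits a `.te` module in the same layout, and, before anything is loaded, flags the permissions a reviewer should not wave through just because a denial was logged. The sample lines are copied from this bug; the module name `puppetlocal`, the `RISKY` table and the function names are this example's own choices.

```python
"""Turn raw SELinux AVC denials into a Type Enforcement (.te) module.

Added example for this bug: it reproduces what `audit2allow -M` does for
the denials quoted in comments 12, 13, 14 and 17, and adds a review pass
for permissions that deserve a second look before `semodule -i`.
"""
import re
from collections import defaultdict

# Constructed sample: the raw AVC lines as quoted in the comments above.
SAMPLE_AVCS = """
node=XXX type=AVC msg=audit(1312207988.988:14129): avc:  denied  { name_bind } for  pid=17866 comm="puppetmasterd" src=62427 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
node=XXX type=SYSCALL msg=audit(1312207988.988:14129): arch=c000003e syscall=49 success=no exit=-13 comm="puppetmasterd" exe="/usr/bin/ruby"
node=XXX type=AVC msg=audit(1312207868.949:14122): avc:  denied  { node_bind } for  pid=17866 comm="puppetmasterd" src=50157 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
node=XXX type=AVC msg=audit(1312359339.27:12): avc:  denied  { relabelfrom } for  pid=1967 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393383 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=file
node=XXX type=AVC msg=audit(1312444907.124:12): avc:  denied  { relabelto } for  pid=1965 comm="puppetmasterd" name="auth.conf" dev=dm-0 ino=393382 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1312838690.796:71801): avc:  denied  { search } for  pid=4896 comm="puppetmasterd" name="nslcd" dev=dm-4 ino=655384 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:nslcd_var_run_t:s0 tclass=dir
"""

# Matches the parts of an AVC record that a policy rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:range] -> type. The range may contain ':' itself, so index, don't split from the end."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial in text.

    SYSCALL records and anything else without an 'avc: denied' body are ignored.
    Denials with the same (source, target, class) are merged, as audit2allow does.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        if 'type=AVC' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return rules


# Permissions that should be justified, not just allowed because they were denied once.
# (This table is the example's own; it is not an audit2allow feature.)
RISKY = {
    ('file', 'relabelfrom'): 'lets the domain strip the current label from files of this type',
    ('file', 'relabelto'): 'lets the domain assign this label to files it controls',
    ('udp_socket', 'name_bind'): 'port_t covers every unreserved port, so this is far broader than one port',
}


def review(rules):
    """Return human-readable warnings for risky (tclass, perm) pairs, in sorted rule order."""
    warnings = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        for perm in sorted(perms):
            note = RISKY.get((tclass, perm))
            if note:
                warnings.append(f"{stype} -> {ttype}:{tclass} {perm}: {note}")
    return warnings


def _perm_list(perms):
    """Render a permission set the way audit2allow does: braces only when there is more than one."""
    joined = ' '.join(sorted(perms))
    return f"{{ {joined} }}" if len(perms) > 1 else joined


def render_te(rules, name='puppetlocal', version='1.0'):
    """Emit a .te module in the same layout as the modules posted in comments 10 and 25."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_list(classes[c])};" for c in sorted(classes)]
    out += ["}", ""]

    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        by_source[stype].append(f"allow {stype} {ttype}:{tclass} {_perm_list(perms)};")
    for stype, lines in sorted(by_source.items()):
        out.append(f"#============= {stype} ==============")
        out += lines
        out.append("")
    return '\n'.join(out)


if __name__ == '__main__':
    parsed = parse_avcs(SAMPLE_AVCS)
    for w in review(parsed):
        print('WARNING:', w)
    print(render_te(parsed))
```

On a real host the same `.te` text is built and loaded with `checkmodule -M -m -o puppetlocal.mod puppetlocal.te`, `semodule_package -o puppetlocal.pp -m puppetlocal.mod` and `semodule -i puppetlocal.pp`, and the result is checked the way comment 36 does, with `sesearch -A -s puppetmaster_t -t puppet_etc_t -c file -p relabelto`. The warnings are the point of doing it by hand: `relabelfrom`/`relabelto` on `puppet_etc_t` and `name_bind` on `port_t` are exactly the rules the shipped policy had to be taught deliberately (see the `configfile` attribute rule in comment 36), and a local module that grants them is a stopgap to be retired once the fixed selinux-policy build ships, not something to leave installed indefinitely.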

Comment 26 Todd Zullinger 2011-08-22 16:42:08 UTC
*** Bug 732486 has been marked as a duplicate of this bug. ***

Comment 27 Todd Zullinger 2011-08-22 16:45:27 UTC
These issues should be resolved in selinux-policy-3.7.19-107.el6, whenever that
is shipped.  You can test it now using Dan Walsh's repository at:

http://people.redhat.com/dwalsh/SELinux/RHEL6/

Comment 28 Todd Zullinger 2011-09-12 13:41:26 UTC
Is there any idea when these packages will make it to RHEL updates?  I'm considering pushing puppet packages to epel-stable and just noting that users running SELinux in enforcing mode -- which are likely a minority among puppet users, based on how long the packages were in testing before anyone noticed the issues -- grab updated packages from Dan's repo or set SELinux to permissive.  Obviously, I'd prefer not to do that, but it's not worth waiting another month over.

Thanks to anyone that can provide some details on the update plan for selinux-policy.

Comment 29 Yury V. Zaytsev 2011-09-12 14:02:54 UTC
Yup, 2.7.3 is out of the door already, 2.7.4 is cooking, but even 2.6.x is not working properly ATM, which is a bummer...

Comment 30 Daniel Walsh 2011-09-12 19:17:03 UTC
selinux-policy-3.7.19-110.el6 is out on 

http://people.redhat.com/dwalsh/SELinux/RHEL6/

This will be in the 6.2 update scheduled for later this year.

Comment 31 Milos Malik 2011-10-06 14:05:50 UTC
My automated test succeeded on machine where following packages (available at http://rpm.zaytsev.net/test/puppet/) were installed:

  puppet-2.7.4-1.el6.zyv.noarch
  puppet-server-2.7.4-1.el6.zyv.noarch

and also succeeded on machine where following packages (currently available in EPEL) were installed:

  puppet-2.6.6-1.el6.noarch
  puppet-server-2.6.6-1.el6.noarch

Comment 32 Milos Malik 2011-10-06 14:08:37 UTC
Following policy packages were installed on those machines:
selinux-policy-minimum-3.7.19-114.el6.noarch
selinux-policy-targeted-3.7.19-114.el6.noarch
selinux-policy-mls-3.7.19-114.el6.noarch
selinux-policy-3.7.19-114.el6.noarch
selinux-policy-doc-3.7.19-114.el6.noarch

Comment 36 Miroslav Grepl 2011-10-18 16:48:27 UTC
Fixed in selinux-policy-targeted-3.7.19-118.el6.noarch

 sesearch -A -s puppetmaster_t -t puppet_etc_t -c file -p relabelto
Found 1 semantic av rules:
   allow puppetmaster_t configfile : file { ioctl read getattr lock relabelfrom relabelto open } ;

Comment 39 errata-xmlrpc 2011-12-06 10:08:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

