Bug 727145 - /var/cfengine/output shouldn't be labelled as var_log_t
Summary: /var/cfengine/output shouldn't be labelled as var_log_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-01 12:29 UTC by David Hill
Modified: 2014-09-30 23:33 UTC
CC List: 6 users

Fixed In Version: selinux-policy-3.7.19-146.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-20 12:24:37 UTC
Target Upstream Version:
Embargoed:


Attachments
Short sample of AVC audit logs... (4.27 KB, text/plain) - 2011-08-01 13:07 UTC, David Hill
selinux unconfined bug. (746 bytes, text/plain) - 2011-08-01 13:09 UTC, David Hill
cfengine initial policy (1.71 KB, application/x-compressed-tar) - 2011-08-10 07:57 UTC, Miroslav Grepl
Adding some file context. (1019 bytes, patch) - 2011-08-10 14:09 UTC, David Hill


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2012:0780 | 0 | normal | SHIPPED_LIVE | selinux-policy bug fix and enhancement update | 2012-06-19 20:34:59 UTC

Description David Hill 2011-08-01 12:29:12 UTC
Description of problem:
When trying to restart ntpd/httpd/nrpe/etc., these processes are using their confined domain to write to var_log_t or crond_log_t, which is not allowed by default.  If we want to allow them to write to var_log_t or crond_log_t, it opens the way for some people to clear up all system logs ... Shouldn't cfengine be confined within cfengine_outputs_t (which doesn't exist) instead?  Also, all processes should be able to write to cfengine_outputs_t ...

Version-Release number of selected component (if applicable):


How reproducible:
Simply install cfengine and enable selinux.

Steps to Reproduce:
1. Simply install cfengine and enable selinux.
2.
3.
  
Actual results:
1. In enforcing, system management breaks
2. In permissive, warnings are displayed

Expected results:
1. Should be working out of the box.

Additional info:
1. Not applicable.  This issue was present in RHEL 5.X but wasn't an issue since cfengine was running unconfined instead of running as cronjob_t.  This can be half solved by running cfengine unconfined BUT all confined processes are unable to write to var_log_t.

Comment 2 David Hill 2011-08-01 12:44:04 UTC
PS: with previous versions of RHEL 5.X we were able to bypass that by adding our own context which overrode the default selinux-policy context ... but with RHEL 6.X, our custom module is failing to load.

Comment 3 Miroslav Grepl 2011-08-01 12:56:19 UTC
Could you attach AVC msgs which you are getting?

Comment 4 David Hill 2011-08-01 13:07:09 UTC
Created attachment 516133 [details]
Short sample of AVC audit logs...

Comment 5 David Hill 2011-08-01 13:09:24 UTC
Also, if I follow the instruction from the RHEL 6.1 Secure Linux documentation and relabel the cfengine binaries to unconfined_t, everything breaks further.

See attachment #2 [details] .

Comment 6 David Hill 2011-08-01 13:09:56 UTC
Created attachment 516134 [details]
selinux unconfined bug.

Comment 7 David Hill 2011-08-01 15:50:52 UTC
I have managed to relabel /var/cfengine/outputs with semanage, but I cannot override the context of /var/cfengine/outputs with my custom module.

Comment 8 Miroslav Grepl 2011-08-02 07:46:38 UTC
(In reply to comment #5)
> Also, if I follow the instruction from the RHEL 6.1 Secure Linux documentation
> and relabel the cfengine binaries to unconfined_t, everything breaks further.
> 
> Se attachment #2 [details] .

Not sure which instruction you mean. "unconfined_t" is a domain type; you cannot add this type to an executable.

Basically we will need to add a basic confinement for cfengine but also this domain will end up as unconfined.

Could you attach some examples of your cfengine configuration?

Comment 9 David Hill 2011-08-02 14:08:52 UTC
4.2 point 6

Ok that is my fault... I didn't use unconfined_exec_t ... ;) Sorry for the mistake.  It will work with the unconfined_exec_t but I will still have to try it.


"To make the httpd process run unconfined, run the following command as the Linux root user to
change the type of /usr/sbin/httpd, to a type that does not transition to a confined domain:
chcon -t unconfined_exec_t /usr/sbin/httpd
"


http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf

What do you mean by some examples of my cfengine configuration?  You want to see how we restart a service with cfengine?  

Here is a sample:
    (redhat_s_6||centos_6).reload_nrpe::
        "/sbin/service nrpe restart" useshell=false


My selinux policy:
policy_module(ubi_cfengine,0.0.11)

gen_require(`
        attribute domain;
')

########################################
#
# Declarations
#

type cfengine_output_t;
files_type(cfengine_output_t)

allow domain cfengine_output_t:dir rw_dir_perms;
allow domain cfengine_output_t:file manage_file_perms;


And my relabel of /var/cfengine/outputs/:

   (redhat_s_6||centos_6).(selinux_enforced||selinux_permissive).!has_semanage_cfengine_output_t::
        "/usr/sbin/semanage fcontext -a -t cfengine_output_t '/var/cfengine/outputs(/.*)?' > /dev/null 2>&1"


We need to boot the server in permissive at kickstart time, the first time cfengine runs, it will load the modules, put selinux in enforcing and reboot ... (the reboot is manual though).

Comment 10 Daniel Walsh 2011-08-02 14:17:21 UTC
If you created a ubi_cfengine.fc file with the following

/var/cfengine/outputs(/.*)?               	gen_context(system_u:object_r:cfengine_output_t,s0)

Then run the restorecon you should be able to eliminate the semanage command.

Why are you changing the context of httpd to unconfined_exec_t?

Comment 11 David Hill 2011-08-02 14:22:42 UTC
Nope, it compiles but it won't load ...  


[root@localhost devel]# semodule -i ubi_cfengine.pp
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/cfengine/outputs(/.*)?  (system_u:object_r:cfengine_output_t:s0 and system_u:object_r:var_log_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!


And no, I'm not trying to change the context of http to unconfined_exec_t ... I tried doing that to /usr/sbin/cf* (cfengine) ... 

I have another issue with that and bypassed it with MLS_CONTEXT=unconfined in the crontab because cfengine would run as crond_t and write output logs to crond_log_t ... which is not what we want...

Comment 12 David Hill 2011-08-02 14:23:54 UTC
BTW, my cfengine module did have the file context included in rhel5.6/5.7 and it loaded even if it was already defined but it appears that this selinux policy in rhel 6.0/6.1 doesn't allow a redefinition.
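The semodule failure in comment 11 is the duplicate-specification check that setfiles runs over the merged file_contexts: the same regex (and file type field) may not appear twice with different contexts, which is exactly what happens when a module .fc relabels a path the base policy already labels. The script below is an added example, not from this bug or from selinux-policy; it re-implements that check over constructed file_contexts and .fc samples so the conflict can be caught before semodule -i, and prints the semanage fcontext form of the override, which is the route that worked in comment 7. The type name cfengine_output_t and the /var/ubi path are taken from the reporter's module and constructed sample data respectively.

```python
"""Pre-check a policy module's .fc entries against the installed file_contexts.

Added example (not from this bug or from selinux-policy): it reproduces the
duplicate-specification test that setfiles applies when semodule installs a
module, so a conflict like the one in comment 11 is found before semodule runs.
All file_contexts content below is constructed sample data.
"""
import re

# Constructed stand-in for /etc/selinux/targeted/contexts/files/file_contexts.
BASE_FILE_CONTEXTS = """\
/var/log(/.*)?                  system_u:object_r:var_log_t:s0
/var/cfengine/outputs(/.*)?     system_u:object_r:var_log_t:s0
/var/cfengine(/.*)?             system_u:object_r:cfengine_var_lib_t:s0
/var/log/lastlog                --  system_u:object_r:lastlog_t:s0
"""

# Constructed .fc of a custom module, in the form suggested in comment 10.
MODULE_FC = """\
# outputs directory gets its own type so services need not write var_log_t
/var/cfengine/outputs(/.*)?     gen_context(system_u:object_r:cfengine_output_t,s0)
/var/ubi/reports(/.*)?          gen_context(system_u:object_r:cfengine_output_t,s0)
"""

GEN_CONTEXT_RE = re.compile(r"gen_context\(([^,()]+),\s*([^()]+)\)")


def parse_spec(line):
    """Return (regex, file_type, context) for one spec line, or None to skip.

    file_type is the optional '-d', '--', '-l', ... field; gen_context(...)
    macros from .fc files are expanded to the colon-separated form.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    line = GEN_CONTEXT_RE.sub(
        lambda m: f"{m.group(1).strip()}:{m.group(2).strip()}", line)
    parts = line.split()
    if len(parts) == 2:
        return parts[0], None, parts[1]
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    raise ValueError(f"unparseable spec line: {line!r}")


def find_conflicts(base_text, module_text):
    """Return [(regex, installed_context, module_context)] for every module
    entry whose regex and file type are already installed with a different
    context: the condition setfiles reports as 'Multiple different
    specifications'. An identical duplicate is not a conflict.
    """
    installed = {}
    for line in base_text.splitlines():
        spec = parse_spec(line)
        if spec:
            regex, ftype, ctx = spec
            installed[(regex, ftype)] = ctx
    conflicts = []
    for line in module_text.splitlines():
        spec = parse_spec(line)
        if not spec:
            continue
        regex, ftype, ctx = spec
        prev = installed.get((regex, ftype))
        if prev is not None and prev != ctx:
            conflicts.append((regex, prev, ctx))
    return conflicts


def semanage_override(regex, module_context):
    """Build the local customization (file_contexts.local) that coexists with
    the base spec instead of colliding with it."""
    type_name = module_context.split(":")[2]
    return f"semanage fcontext -a -t {type_name} '{regex}'"


if __name__ == "__main__":
    for regex, old, new in find_conflicts(BASE_FILE_CONTEXTS, MODULE_FC):
        print(f"conflict: {regex}: installed {old}, module wants {new}")
        print("  use instead:", semanage_override(regex, new))
```

Run against a real system by reading the installed file_contexts into BASE_FILE_CONTEXTS; anything the script reports will also be rejected by semodule, and the only ways around it are a local customization via semanage (which is what the reporter ended up doing) or a change to the base policy (which is what comment 34 eventually delivers).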

Comment 13 Daniel Walsh 2011-08-02 19:29:31 UTC
Ok so we defined a type for /var/cfengine/outputs and you want this to change.
Which would require a selinux-policy change or you to use semanage.

Comment 14 David Hill 2011-08-02 19:54:04 UTC
Using var_log_t context for /var/cfengine/outputs is bad IMHO.  This is simply because if I want to restart nrpe with cfengine (for example) I will have to grant nrpe write permission to var_log_t ...

I would rather define another context with semanage for /var/cfengine/outputs and allow any process to write to that context with a custom selinux policy.

I've read a bit and some people are complaining about issues with selinux and cfengine.

I think this is the best solution and should be incorporated in the selinux-policy package but that's up to you.

Comment 15 Daniel Walsh 2011-08-02 20:43:20 UTC
I am not sure what is being output to this directory, since I do not use cfengine.  Does cfengine create an output file in this directory and use this as stdout?

Comment 16 David Hill 2011-08-02 20:52:23 UTC
That's exactly what it does!

When cfengine starts nrpe, it redirects nrpe init script output to /var/cfengine/outputs/cf_hostname_domainname_date_time_timestamp ...

It does the same with apache, mysql, mongodb, etc ...

So anything started via cfengine needs to be able to write output to /var/cfengine/outputs/cf_hostname_domainname_date_time_timestamp or else fails to start properly.

Comment 17 David Hill 2011-08-02 21:06:19 UTC
And this will happen even if nrpe doesn't output anything.  If it can't open the file in write, it won't start the service.

Comment 18 Daniel Walsh 2011-08-03 19:48:16 UTC
Can it set the output to be append rather than write?

Comment 19 Miroslav Grepl 2011-08-03 22:01:31 UTC
(In reply to comment #9)
> 4.2 point 6
> 
> Ok that is my fault... I didn't use unconfined_exec_t ... ;) Sorry for the
> mistake.  It will work with the unconfined_exec_t but I will still have to try
> it.
> 
> 
> "To make the httpd process run unconfined, run the following command as the
> Linux root user to
> change the type of /usr/sbin/httpd, to a type that does not transition to a
> confined domain:
> chcon -t unconfined_exec_t /usr/sbin/httpd
> "
> 
> 
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security-Enhanced_Linux/Red_Hat_Enterprise_Linux-6-Security-Enhanced_Linux-en-US.pdf
> 
> What do you mean my some examples of my cfengine configuration?  You want to
> see how we restart a service with cfengine?  
> 
> Here is a sample:
>     (redhat_s_6||centos_6).reload_nrpe::
>         "/sbin/service nrpe restart" useshell=false

Ok, I will try to configure cfengine and test the cfengine policy which Dan added to Fedora and provide you for testing.

Comment 20 David Hill 2011-08-04 13:04:53 UTC
@Daniel: Without touching the source code of cfengine I doubt it is possible since it's how cfengine handles the EXEC of a shell that is done like this.

Comment 21 Miroslav Grepl 2011-08-10 07:57:35 UTC
Created attachment 517534 [details]
cfengine initial policy

tar xvf /tmp/cfengine.tgz
cd /tmp
sh cfengine.sh

chcon -R -t cfengine_var_lib_t /var/cfengine

echo "-w /etc/shadow -p wa" >> /etc/audit/audit.rules
service auditd restart

service cfengine restart

And start collecting AVC's

Comment 22 David Hill 2011-08-10 14:00:59 UTC
Hello Miroslav,

    These are the files used in our version of cfengine :

[]$ ls /usr/sbin/cf* -latr
-rwxr-xr-x 1 root root   4176 Apr 16  2009 /usr/sbin/cfdoc
-rwxr-xr-x 1 root root 641735 Apr 16  2009 /usr/sbin/cfshow
-rwxr-xr-x 1 root root 668476 Apr 16  2009 /usr/sbin/cfservd
-rwxr-xr-x 1 root root 618640 Apr 16  2009 /usr/sbin/cfrun
-rwxr-xr-x 1 root root 602772 Apr 16  2009 /usr/sbin/cfkey
-rwxr-xr-x 1 root root 615122 Apr 16  2009 /usr/sbin/cfexecd
-rwxr-xr-x 1 root root  27884 Apr 16  2009 /usr/sbin/cfetoolgraph
-rwxr-xr-x 1 root root 203673 Apr 16  2009 /usr/sbin/cfetool
-rwxr-xr-x 1 root root 615955 Apr 16  2009 /usr/sbin/cfenvgraph
-rwxr-xr-x 1 root root 640662 Apr 16  2009 /usr/sbin/cfenvd
-rwxr-xr-x 1 root root 785766 Apr 16  2009 /usr/sbin/cfagent

Comment 23 David Hill 2011-08-10 14:09:51 UTC
Created attachment 517620 [details]
Adding some file context.

Comment 24 David Hill 2011-08-10 14:13:26 UTC
I've attached a patch to this bug.

I noticed that the line

#/var/cfengine(/.*)?                    gen_context(system_u:object_r:cfengine_var_lib_t,s0)

is commented in cfengine.fc ... the file context cfengine_var_lib_t is never generated.

Comment 25 Miroslav Grepl 2011-08-10 16:01:49 UTC
Yes,
this is a reason why chcon is needed

# chcon -R -t cfengine_var_lib_t /var/cfengine

for testing. Labels will change to cfengine_var_lib_t in this directory.

Comment 34 Miroslav Grepl 2012-04-03 09:19:30 UTC
I added a lot of fixes for cfengine. Also I changed labeling for /var/cfengine/outputs from var_log to cfengine_var_log_t and allowed apps, services to append these files.

I am going to do a new build with fixes today.

David,
any chance you could test it then?
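Comment 14 objects to granting services write on a log type, comment 18 asks whether append would do, and comment 34 settles on a dedicated cfengine_var_log_t that services may only append to. The difference is not cosmetic: when a file is opened with O_APPEND (what the shell's >> does), SELinux checks the append permission instead of write, and the kernel forces every write on that descriptor to the end of the file, so earlier output cannot be overwritten or truncated through it. The following added example (not from this bug, and it makes no claim about how cfengine itself opens its output files) shows that kernel behaviour on a temporary file with plain POSIX open flags, so it runs without SELinux; the file contents are constructed.

```python
"""Why 'append' on the cfengine output type is a narrower grant than 'write'.

Added example, not from this bug: a temporary file and plain POSIX open flags,
no SELinux required. An O_APPEND descriptor (the '>>' case, checked by SELinux
as append) cannot clobber what is already in the file even after a seek; an
O_TRUNC descriptor (the '>' case, checked as write) discards it.
"""
import os
import tempfile

EXISTING = b"old line 1\nold line 2\n"   # constructed earlier output


def _write_with(path, flags, data, seek_to_start=False):
    """Open path with the given flags, optionally seek to 0, write data,
    and return the resulting file contents."""
    fd = os.open(path, flags)
    try:
        if seek_to_start:
            os.lseek(fd, 0, os.SEEK_SET)   # try to aim at the first line
        os.write(fd, data)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()


def compare_append_and_write():
    """Return what each open mode did to a file that already held EXISTING."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(EXISTING)
        # '>>' semantics: O_APPEND. The seek is ignored; the write lands at EOF.
        after_append = _write_with(path, os.O_WRONLY | os.O_APPEND,
                                   b"new line\n", seek_to_start=True)
        # '>' semantics: O_TRUNC. Needs write permission and drops old data.
        after_trunc = _write_with(path, os.O_WRONLY | os.O_TRUNC,
                                  b"replaced\n")
    finally:
        os.unlink(path)
    return {
        "append_kept_existing": after_append.startswith(EXISTING),
        "append_added_at_end": after_append == EXISTING + b"new line\n",
        "truncate_discarded_existing": after_trunc == b"replaced\n",
    }


if __name__ == "__main__":
    for name, ok in compare_append_and_write().items():
        print(f"{name}: {ok}")
```

SELinux also checks write when a process tries to clear O_APPEND on an already open descriptor with fcntl(F_SETFL), so a domain that holds only append on the type cannot turn the descriptor into a plain writable one afterwards. That is what makes an append-only output type a reasonable grant for many service domains where write on var_log_t, the concern in the original report, would not be.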

Comment 40 errata-xmlrpc 2012-06-20 12:24:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

