Bug 769686 - Various puppet selinux denials
Summary: Various puppet selinux denials
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-12-21 18:10 UTC by Orion Poplawski
Modified: 2013-11-04 13:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-04 13:09:29 UTC
Type: ---



Description Orion Poplawski 2011-12-21 18:10:48 UTC
Description of problem:

Seeing the following in enforcing:

Dec 21 18:08:10 vmrawhide puppet-agent[5796]: Starting Puppet client version 2.6.12
Dec 21 18:08:11 vmrawhide kernel: [48384.744153] type=1400 audit(1324490891.246:67): avc:  denied  { execute } for  pid=5807 comm="sh" name="dmidecode" dev=vda2 ino=801405 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
Dec 21 18:08:11 vmrawhide kernel: [48384.744308] type=1400 audit(1324490891.246:68): avc:  denied  { execute_no_trans } for  pid=5807 comm="sh" path="/usr/sbin/dmidecode" dev=vda2 ino=801405 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
Dec 21 18:08:11 vmrawhide kernel: [48384.758756] type=1400 audit(1324490891.260:69): avc:  denied  { read } for  pid=5807 comm="dmidecode" name="mem" dev=devtmpfs ino=4440 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
Dec 21 18:08:11 vmrawhide kernel: [48384.758837] type=1400 audit(1324490891.260:70): avc:  denied  { open } for  pid=5807 comm="dmidecode" name="mem" dev=devtmpfs ino=4440 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
Dec 21 18:08:11 vmrawhide kernel: [48384.758913] type=1400 audit(1324490891.260:71): avc:  denied  { sys_rawio } for  pid=5807 comm="dmidecode" capability=17  scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=capability
Dec 21 18:08:11 vmrawhide kernel: [48385.218735] type=1400 audit(1324490891.720:72): avc:  denied  { read } for  pid=5819 comm="arp" name="arp" dev=proc ino=4026531980 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 21 18:08:11 vmrawhide kernel: [48385.218815] type=1400 audit(1324490891.720:73): avc:  denied  { open } for  pid=5819 comm="arp" name="arp" dev=proc ino=4026531980 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 21 18:08:11 vmrawhide kernel: [48385.218941] type=1400 audit(1324490891.720:74): avc:  denied  { getattr } for  pid=5819 comm="arp" path="/proc/5819/net/arp" dev=proc ino=4026531980 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 21 18:08:17 vmrawhide kernel: [48390.712168] type=1400 audit(1324490897.214:75): avc:  denied  { getattr } for  pid=5796 comm="puppetd" path="/root/.bashrc" dev=vda2 ino=1067197 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Dec 21 18:08:17 vmrawhide kernel: [48391.367521] type=1400 audit(1324490897.869:76): avc:  denied  { execute_no_trans } for  pid=5934 comm="sh" path="/usr/bin/crontab" dev=vda2 ino=786795 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=file
Dec 21 18:08:17 vmrawhide kernel: [48391.402304] type=1400 audit(1324490897.904:77): avc:  denied  { getattr } for  pid=5934 comm="crontab" path="/var/spool/cron" dev=vda2 ino=656294 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir
Dec 21 18:08:18 vmrawhide kernel: [48391.596558] type=1400 audit(1324490898.098:78): avc:  denied  { execute } for  pid=5935 comm="crontab" name="unix_chkpwd" dev=vda2 ino=282268 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
Dec 21 18:08:18 vmrawhide kernel: [48391.596886] type=1400 audit(1324490898.098:79): avc:  denied  { execute_no_trans } for  pid=5935 comm="crontab" path="/sbin/unix_chkpwd" dev=vda2 ino=282268 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
Dec 21 18:08:18 vmrawhide kernel: [48391.617953] type=1400 audit(1324490898.119:80): avc:  denied  { read } for  pid=5935 comm="unix_chkpwd" name="shadow" dev=vda2 ino=926307 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Dec 21 18:08:18 vmrawhide kernel: [48391.618065] type=1400 audit(1324490898.119:81): avc:  denied  { open } for  pid=5935 comm="unix_chkpwd" name="shadow" dev=vda2 ino=926307 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Dec 21 18:08:18 vmrawhide kernel: [48391.618604] type=1400 audit(1324490898.120:82): avc:  denied  { getattr } for  pid=5935 comm="unix_chkpwd" path="/etc/shadow" dev=vda2 ino=926307 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Dec 21 18:08:18 vmrawhide kernel: [48391.630812] type=1400 audit(1324490898.132:83): avc:  denied  { create } for  pid=5934 comm="crontab" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=netlink_audit_socket
Dec 21 18:08:18 vmrawhide kernel: [48391.631917] type=1400 audit(1324490898.133:84): avc:  denied  { nlmsg_relay } for  pid=5934 comm="crontab" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=netlink_audit_socket
Dec 21 18:08:32 vmrawhide kernel: [48406.437719] type=1400 audit(1324490912.939:89): avc:  denied  { execute } for  pid=6005 comm="sh" name="systemctl" dev=vda2 ino=1059765 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
Dec 21 18:08:32 vmrawhide kernel: [48406.437881] type=1400 audit(1324490912.939:90): avc:  denied  { execute_no_trans } for  pid=6005 comm="sh" path="/bin/systemctl" dev=vda2 ino=1059765 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
Dec 21 18:08:33 vmrawhide kernel: [48406.628758] type=1400 audit(1324490913.130:91): avc:  denied  { read } for  pid=5796 comm="puppetd" name=".bashrc" dev=vda2 ino=1067197 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Dec 21 18:08:33 vmrawhide kernel: [48406.628883] type=1400 audit(1324490913.130:92): avc:  denied  { open } for  pid=5796 comm="puppetd" name=".bashrc" dev=vda2 ino=1067197 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
Dec 21 18:08:34 vmrawhide kernel: [48407.649034] type=1400 audit(1324490914.150:93): avc:  denied  { connectto } for  pid=6055 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
Dec 21 18:08:34 vmrawhide kernel: [48407.814552] type=1400 audit(1324490914.316:94): avc:  denied  { getattr } for  pid=6063 comm="systemctl" path="/run/systemd" dev=tmpfs ino=8899 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Dec 21 18:08:34 vmrawhide kernel: [48407.814710] type=1400 audit(1324490914.316:95): avc:  denied  { getattr } for  pid=6063 comm="systemctl" path="/etc/systemd/system" dev=vda2 ino=924200 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
Dec 21 18:08:34 vmrawhide kernel: [48407.815578] type=1400 audit(1324490914.317:96): avc:  denied  { read } for  pid=6063 comm="systemctl" name="system" dev=tmpfs ino=8900 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Dec 21 18:08:34 vmrawhide kernel: [48407.815655] type=1400 audit(1324490914.317:97): avc:  denied  { open } for  pid=6063 comm="systemctl" name="system" dev=tmpfs ino=8900 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir
Dec 21 18:08:34 vmrawhide kernel: [48407.815794] type=1400 audit(1324490914.317:98): avc:  denied  { read } for  pid=6063 comm="systemctl" name="system" dev=vda2 ino=924200 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=dir
Dec 21 18:08:36 vmrawhide puppet-agent[5796]: Finished catalog run in 18.72 seconds

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-69.fc17.noarch

puppet_manage_all_files --> off

Not sure if this needs to be on for some of these.
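The denials above are what audit2allow would turn into a handful of allow rules, and several of them are exactly the kind of rule that should not be granted to a management domain as written. The script below is an added example for this page, not code from the bug, from puppet or from the selinux-policy project: it parses AVC lines, collapses them into audit2allow-style rules, and flags the ones a reviewer should reject or solve differently (password hashes, raw memory, helpers executed without a domain transition). The sample input is a constructed subset of the lines in the report, and the risk heuristics are the example's own.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules and flag
the risky ones, so they can be reviewed before anything is loaded with semodule.

Added example for this bug page; not code from the bug, from puppet or from the
selinux-policy project. The risk heuristics in risk_flags() are this example's own."""
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC lines from the report, trimmed to the
# audit payload (the "Dec 21 ... kernel: [...] type=1400" prefix is not needed).
SAMPLE_LOG = """\
audit(1324490891.246:67): avc:  denied  { execute } for  pid=5807 comm="sh" name="dmidecode" dev=vda2 ino=801405 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
audit(1324490891.246:68): avc:  denied  { execute_no_trans } for  pid=5807 comm="sh" path="/usr/sbin/dmidecode" dev=vda2 ino=801405 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=file
audit(1324490891.260:69): avc:  denied  { read } for  pid=5807 comm="dmidecode" name="mem" dev=devtmpfs ino=4440 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
audit(1324490891.260:71): avc:  denied  { sys_rawio } for  pid=5807 comm="dmidecode" capability=17  scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=capability
audit(1324490897.214:75): avc:  denied  { getattr } for  pid=5796 comm="puppetd" path="/root/.bashrc" dev=vda2 ino=1067197 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
audit(1324490898.098:78): avc:  denied  { execute } for  pid=5935 comm="crontab" name="unix_chkpwd" dev=vda2 ino=282268 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
audit(1324490898.098:79): avc:  denied  { execute_no_trans } for  pid=5935 comm="crontab" path="/sbin/unix_chkpwd" dev=vda2 ino=282268 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
audit(1324490898.119:80): avc:  denied  { read } for  pid=5935 comm="unix_chkpwd" name="shadow" dev=vda2 ino=926307 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
audit(1324490898.119:81): avc:  denied  { open } for  pid=5935 comm="unix_chkpwd" name="shadow" dev=vda2 ino=926307 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
audit(1324490898.132:83): avc:  denied  { create } for  pid=5934 comm="crontab" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=netlink_audit_socket
audit(1324490914.150:93): avc:  denied  { connectto } for  pid=6055 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Permissions, source/target security contexts and object class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+?) \} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """system_u:system_r:puppet_t:s0 -> puppet_t (the type field of a context)."""
    return context.split(':')[2]


def parse_avcs(text):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the grouped denials in the allow-rule syntax audit2allow emits."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if tgt == src else tgt
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ %s }' % perm_str
        out.append(f'allow {src} {target}:{cls} {perm_str};')
    return out


def risk_flags(rules):
    """Return {rule key: reason} for rules that should not be granted as written.
    Heuristics are this example's own; audit2allow does no such screening."""
    flags = {}
    for (src, tgt, cls), perms in rules.items():
        if tgt == 'shadow_t':
            flags[(src, tgt, cls)] = ('exposes /etc/shadow to the whole domain; the '
                                      'password check belongs in its own domain')
        elif tgt == 'memory_device_t' or 'sys_rawio' in perms:
            flags[(src, tgt, cls)] = 'raw memory / I/O access; a confined domain should not get this'
        elif tgt.endswith('_exec_t') and 'execute_no_trans' in perms:
            flags[(src, tgt, cls)] = (f'execute_no_trans keeps {tgt} running as {src}; prefer a '
                                      f'domain transition so its later denials do not land on {src}')
    return flags


if __name__ == '__main__':
    rules = parse_avcs(SAMPLE_LOG)
    flags = risk_flags(rules)
    for key, rule in zip(sorted(rules), to_allow_rules(rules)):
        print(rule + ('  # REVIEW: ' + flags[key] if key in flags else ''))
```

Run against the full log from the report, every flagged line is a case for the approach discussed further down in this bug (granting a service's admin interface, or a proper domain transition for the helper) rather than a literal allow rule; the unflagged ones (reading /root/.bashrc, talking to systemd's private socket) are the ordinary cost of what this puppet configuration actually manages.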

Comment 1 Daniel Walsh 2011-12-21 19:25:36 UTC
Orion, Puppet in Rawhide is in permissive mode. So these are AVCs that in a released product would work because puppet would be confined.

One idea we have been having would be to build a tool that could take puppet policy and allow an admin to state what puppet is expected to manage.

What services would you be managing with puppet?

Comment 2 Orion Poplawski 2011-12-21 21:01:18 UTC
Not sure I completely follow, but...

Some of these, like dmidecode and arp, come from puppet using facter.

crontab probably comes from using the cron {} puppet type.

I distribute a custom /root/.bashrc via puppet.

I currently only use the service type with yum-cron, sendmail, and sm-client at the moment.

A tool to build policy sounds interesting, but complicated.

Comment 3 Daniel Walsh 2011-12-22 15:50:07 UTC
The problem we are trying to solve is that unconfined management domains like puppet, cfengine, etc. cannot be confined in general, because you can pretty much do anything you want to a computer. We have been talking about using the SERVICE_admin() interfaces within the policy and listing them to a user who wanted to confine.

In the worst case we would want to analyze an AVC, look at the types that puppet_t wanted to manage and pick an appropriate SERVICE_admin().

A better case would be to run a command that says:

selinux puppet -w /usr/sbin/httpd
and have it write a policy like:

httpd_admin(puppet_t)

Comment 4 Daniel Walsh 2012-12-17 20:07:43 UTC
Miroslav, what do you think of extending sepolicy generate for this case?

sepolicy generate --manage -s puppet_t -d httpd -d postgresql -d mysql

It would generate a policy like:

policy_module(puppet_t_manage, 1.0)
gen_require(`
 type puppet_t;
')
httpd_admin(puppet_t)
mysql_admin(puppet_t)
postgresql_admin(puppet_t)

Comment 5 Miroslav Grepl 2012-12-18 13:56:18 UTC
Sounds really good.

Comment 6 Fedora End Of Life 2013-04-03 14:41:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could also affect pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 7 Sam Kottler 2013-11-01 22:09:20 UTC
Where does this stand? I'm the puppet maintainer and I'm willing to help make changes to the policy if you all are too busy to work on it.

Comment 8 Miroslav Grepl 2013-11-04 13:09:29 UTC
We have:

$ sepolicy generate --customize -d puppet_t -a apache -n puppet_manage

