Bug 781459 - SELinux AVC causes ssh-keygen to fail during aeolus-configserver-setup
Summary: SELinux AVC causes ssh-keygen to fail during aeolus-configserver-setup
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-configserver
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: Greg Blomquist
QA Contact: dgao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-13 14:21 UTC by James Laska
Modified: 2013-09-02 06:59 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)
aeolus-configserver-setup output (3.17 KB, text/plain)
2012-01-13 14:21 UTC, James Laska
no flags Details

Description James Laska 2012-01-13 14:21:32 UTC
Created attachment 555076 [details]
aeolus-configserver-setup output

Description of problem:

Error encountered while running aeolus-configserver-setup which appears to be caused by SELinux policy on RHEL6.2.

Version-Release number of selected component (if applicable):
 * aeolus-configserver-0.4.5-1.el6.noarch

How reproducible:
 * FAIL - RHEL6.2 with SELinux enforcing
 * PASS - RHEL6.2 with SELinux permissive
 * PASS - RHEL6.1 with SELinux enforcing

Steps to Reproduce:
1. Install a 6.2 system, accepting all installation defaults
2. Install  aeolus-configserver
3. Rung aeolus-configserver-setup

  
Actual results:

 * See attached log for complete output

err: /Stage[main]/Apache::Ssl/Exec[pk-gen]/returns: change from notrun to 0 failed: /usr/bin/ssh-keygen -t rsa -f /etc/pki/tls/private/config-server.key -N '' returned 1 instead of one of [0] at /usr/share/aeolus-configserver/configure/puppet/modules/apache/manifests/init.pp:65
notice: /Stage[main]/Apache::Ssl/Exec[sign-request]: Dependency Exec[pk-gen] has failures: true

Expected results:

No error reported while creating ssh-key during aeolus-configserver-serup

Additional info:

 * /var/log/audit/audit.log

type=AVC msg=audit(1326463911.366:15278): avc:  denied  { write } for  pid=1835 comm="ssh-keygen" name="private" dev=xvde1 ino=138566 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1326463911.366:15278): arch=c000003e syscall=2 success=no exit=-13 a0=7f31dcef0b80 a1=241 a2=180 a3=ffffffea items=0 ppid=1802 pid=1835 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)

Comment 1 James Laska 2012-01-13 14:23:06 UTC
audit2allow reports ...

#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t

allow ssh_keygen_t cert_t:dir write;

Comment 2 dgao 2012-01-13 14:43:52 UTC
[root@ip-10-245-82-219 ~]# sealert -a /var/log/audit/audit.log 
100% donefound 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/ssh-keygen from write access on the directory private.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ssh-keygen should be allowed write access on the private directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ssh-keygen /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 3 Greg Blomquist 2012-01-13 17:02:33 UTC
I've tested a fix that involves the following puppet code:

********************
$pk_gen_file="/etc/config-server.key"
$pk_file="/etc/pki/tls/private/config-server.key"
$cert_file="/etc/pki/tls/config-server.crt"
exec { "pk-file":
      command => "/usr/bin/ssh-keygen -t rsa -f ${pk_gen_file} -N '' && /bin/mv ${pk_gen_file} ${pk_file}",
      creates => "$pk_gen_file",
      require => Package["mod_ssl"],
      notify => Exec["graceful-apache"],
}

exec { "sign-request":
      command => "/usr/bin/openssl req -batch -new -key ${pk_file} -out /etc/pki/tls/config-server.csr",
      creates => "/etc/pki/tls/config-server.csr",
      require => Notify["pk-file"],
}

exec { "cert":
      command => "/usr/bin/openssl x509 -req -days 365 -in /etc/pki/tls/config-server.csr -signkey ${pk_file} -out ${cert_file}",
      creates => "$cert_file",
      require => Exec["sign-request"],
      notify => Exec["graceful-apache"],
}
********************

This generates the pk in /etc (one of the various places that ssh-keygen is allowed to write).  Then, moves the generated file to /etc/pki/tls/private.  Then, uses openssl to generate the cert sign request and the cert.

Comment 4 Greg Blomquist 2012-01-13 19:04:16 UTC
Based on irc conversation with dwalsh, we learned two things:

1)  ssh-keygen will run unconfined in rhel6.3
2)  we can use runcon -t unconfined_t to run the ssh-keygen command unconfined in rhel6.2

I'll update the puppet scripts to do this:

selinuxenabled && runcon -t unconfined_t /usr/bin/ssh-keygen -t rsa -f /etc/pki/tls/private/config-server.key -N ''

Comment 7 Greg Blomquist 2012-01-18 20:33:22 UTC
in aeolus-configserver-0.4.5-2.el6.noarch

Comment 8 dgao 2012-01-18 20:35:31 UTC
[root@deaddonkey ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 (Santiago)
[root@deaddonkey ~]# rpm -q aeolus-configserver
aeolus-configserver-0.4.5-2.el6.noarch
[root@deaddonkey ~]# aeolus-configserver-setup 

This script will help you configure Apache as a proxy for a Config Server.
Typically this is only useful if you are not familiar with Apache
configurations and modules, specifically with mod_proxy, mod_auth_basic, and
mod_ssl.

Also, this configuration tool assumes that you are not currently running Apache
for any purposes on this server.  This configuration tool will create a Named
Virtual Host for *:443.  If this server is currently using Apache to serve
secure pages on port 443, then this tool should not be used.


Do you wish to continue [y/N]: y


Please provide the web application URL where the Config Server is currently
running on this server.  If the Config Server was installed from an RPM, then
this will typically be:

  http://localhost:4567/

The provided URL should be a fully qualified URL, providing the scheme,
hostname, and port:  http://HOSTNAME:PORT/


Enter the application URL [http://localhost:4567/]: 
Root context: /
App URL: http://localhost:4567/
Conductor Auth Key: 835407610389578725172527
Conductor Auth Secret: O4RZ37CFqQC11Vx4nuV9bszJ4kjmBzljria30JPKHwLnnNsD
\n\n*** You need to add this config server information to a ***
*** provider account in conductor.                      ***
running: echo | /usr/bin/puppet --modulepath /usr/share/aeolus-configserver/configure/puppet/modules --external_nodes /tmp/tmp.23xMgaZ6Pf --node_terminus exec
notice: /Stage[main]/Apache::Base/Exec[permit-http-networking]/returns: executed successfully
notice: /Stage[main]/Apache::Base/Exec[graceful-apache]: Triggered 'refresh' from 1 events
notice: /File[/var/lib/aeolus-configserver/configs/oauth/835407610389578725172527]/ensure: defined content as '{md5}1245366d917b4ad7d5c9c9b2b80838c4'
notice: Finished catalog run in 48.95 seconds


Note You need to log in before you can comment on or make changes to this bug.