Created attachment 555076: aeolus-configserver-setup output

Description of problem:
Error encountered while running aeolus-configserver-setup which appears to be caused by SELinux policy on RHEL6.2.

Version-Release number of selected component (if applicable):
* aeolus-configserver-0.4.5-1.el6.noarch

How reproducible:
* FAIL - RHEL6.2 with SELinux enforcing
* PASS - RHEL6.2 with SELinux permissive
* PASS - RHEL6.1 with SELinux enforcing

Steps to Reproduce:
1. Install a 6.2 system, accepting all installation defaults
2. Install aeolus-configserver
3. Run aeolus-configserver-setup

Actual results:
* See attached log for complete output

err: /Stage[main]/Apache::Ssl/Exec[pk-gen]/returns: change from notrun to 0 failed: /usr/bin/ssh-keygen -t rsa -f /etc/pki/tls/private/config-server.key -N '' returned 1 instead of one of [0] at /usr/share/aeolus-configserver/configure/puppet/modules/apache/manifests/init.pp:65
notice: /Stage[main]/Apache::Ssl/Exec[sign-request]: Dependency Exec[pk-gen] has failures: true

Expected results:
No error reported while creating the ssh key during aeolus-configserver-setup

Additional info:
* /var/log/audit/audit.log

type=AVC msg=audit(1326463911.366:15278): avc: denied { write } for pid=1835 comm="ssh-keygen" name="private" dev=xvde1 ino=138566 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1326463911.366:15278): arch=c000003e syscall=2 success=no exit=-13 a0=7f31dcef0b80 a1=241 a2=180 a3=ffffffea items=0 ppid=1802 pid=1835 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)
audit2allow reports ...

#============= ssh_keygen_t ==============
#!!!! The source type 'ssh_keygen_t' can write to a 'dir' of the following types:
# user_home_dir_t, etc_t, ssh_home_t, admin_home_t

allow ssh_keygen_t cert_t:dir write;
[root@ip-10-245-82-219 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/ssh-keygen from write access on the directory private.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ssh-keygen should be allowed write access on the private directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep ssh-keygen /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
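As an added example (not code from this bug, from aeolus-configserver, or from any commenter), the following Python parses AVC records like the one in the report and reduces them to the allow rule audit2allow printed above. It goes one step further than the single record on this page: it also merges several denied permissions for the same source type, target type and object class into one rule, the way audit2allow summarises a sequence of denials. The sample log is constructed; record 15278 is the denial quoted in the report, while record 15279 (an add_name denial on the same directory) is invented for the example and did not occur in the report.

```python
"""Parse SELinux AVC denial records and reduce them to the allow rules
audit2allow would propose.  Added example for this bug, not project code."""
import re

# Constructed sample log.  Record 15278 is the denial quoted in the bug (with
# its SYSCALL record, as in a real audit.log); record 15279 is invented here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326463911.366:15278): avc:  denied  { write } for  pid=1835 comm="ssh-keygen" name="private" dev=xvde1 ino=138566 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1326463911.366:15278): arch=c000003e syscall=2 success=no exit=-13 a0=7f31dcef0b80 a1=241 a2=180 a3=ffffffea items=0 ppid=1802 pid=1835 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="ssh-keygen" exe="/usr/bin/ssh-keygen" subj=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1326463911.370:15279): avc:  denied  { add_name } for  pid=1835 comm="ssh-keygen" name="config-server.key" dev=xvde1 ino=138566 scontext=unconfined_u:unconfined_r:ssh_keygen_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
"""

# Shape of an AVC record: header, result, { permissions }, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; a value is either "quoted" or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_log(text):
    """All AVC records in an audit log, in file order (other record types are skipped)."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def allow_rules(records):
    """Merge denials by (source type, target type, class) into policy allow rules."""
    merged = {}
    for r in records:
        if r["result"] != "denied":
            continue
        key = (r["stype"], r["ttype"], r["tclass"])
        merged.setdefault(key, set()).update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def describe(record):
    """One-line human summary in the style of sealert."""
    return (f"SELinux is preventing {record['comm']} ({record['stype']}) from "
            f"{' '.join(sorted(record['perms']))} access on the {record['tclass']} "
            f"{record['name']} ({record['ttype']}).")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for r in recs:
        print(describe(r))
    for rule in allow_rules(recs):
        print(rule)
```

The rule this produces is exactly what sealert's "audit2allow -M mypol; semodule -i mypol.pp" recipe would load, and that is the point to weigh before following it: such a module permanently lets every ssh_keygen_t process write into any directory labelled cert_t on the host, which is a wider grant than this one setup script needs. That is why the rest of the thread looks for a fix that avoids loading a local policy module.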
I've tested a fix that involves the following puppet code:

********************
$pk_gen_file="/etc/config-server.key"
$pk_file="/etc/pki/tls/private/config-server.key"
$cert_file="/etc/pki/tls/config-server.crt"

# Generate the key under /etc (etc_t), which ssh_keygen_t may write to,
# then move it into /etc/pki/tls/private.  Note that mv keeps the file's
# existing label; run restorecon on it if it must carry cert_t.
exec { "pk-file":
  command => "/usr/bin/ssh-keygen -t rsa -f ${pk_gen_file} -N '' && /bin/mv ${pk_gen_file} ${pk_file}",
  # Test for the final location: ${pk_gen_file} is gone after the mv, so
  # testing it would regenerate the key on every run.
  creates => $pk_file,
  require => Package["mod_ssl"],
  notify  => Exec["graceful-apache"],
}

exec { "sign-request":
  command => "/usr/bin/openssl req -batch -new -key ${pk_file} -out /etc/pki/tls/config-server.csr",
  creates => "/etc/pki/tls/config-server.csr",
  require => Exec["pk-file"],
}

exec { "cert":
  command => "/usr/bin/openssl x509 -req -days 365 -in /etc/pki/tls/config-server.csr -signkey ${pk_file} -out ${cert_file}",
  creates => $cert_file,
  require => Exec["sign-request"],
  notify  => Exec["graceful-apache"],
}
********************

This generates the pk in /etc (one of the various places that ssh-keygen is allowed to write). Then, moves the generated file to /etc/pki/tls/private. Then, uses openssl to generate the cert sign request and the cert.
Based on irc conversation with dwalsh, we learned two things:

1) ssh-keygen will run unconfined in rhel6.3
2) we can use runcon -t unconfined_t to run the ssh-keygen command unconfined in rhel6.2

I'll update the puppet scripts to do this:

selinuxenabled && RUNCON="runcon -t unconfined_t"
$RUNCON /usr/bin/ssh-keygen -t rsa -f /etc/pki/tls/private/config-server.key -N ''
https://fedorahosted.org/pipermail/aeolus-devel/2012-January/008099.html
https://github.com/aeolusproject/audrey/commit/7ae4e5988046846d4750839b1c548ac4993e671a
in aeolus-configserver-0.4.5-2.el6.noarch
[root@deaddonkey ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)
[root@deaddonkey ~]# rpm -q aeolus-configserver
aeolus-configserver-0.4.5-2.el6.noarch
[root@deaddonkey ~]# aeolus-configserver-setup

This script will help you configure Apache as a proxy for a Config Server.
Typically this is only useful if you are not familiar with Apache configurations and modules, specifically with mod_proxy, mod_auth_basic, and mod_ssl.
Also, this configuration tool assumes that you are not currently running Apache for any purposes on this server.

This configuration tool will create a Named Virtual Host for *:443.
If this server is currently using Apache to serve secure pages on port 443, then this tool should not be used.

Do you wish to continue [y/N]: y

Please provide the web application URL where the Config Server is currently running on this server.
If the Config Server was installed from an RPM, then this will typically be:
http://localhost:4567/

The provided URL should be a fully qualified URL, providing the scheme, hostname, and port:
http://HOSTNAME:PORT/

Enter the application URL [http://localhost:4567/]:

Root context: /
App URL: http://localhost:4567/
Conductor Auth Key: 835407610389578725172527
Conductor Auth Secret: O4RZ37CFqQC11Vx4nuV9bszJ4kjmBzljria30JPKHwLnnNsD
\n\n*** You need to add this config server information to a ***
*** provider account in conductor. ***

running: echo | /usr/bin/puppet --modulepath /usr/share/aeolus-configserver/configure/puppet/modules --external_nodes /tmp/tmp.23xMgaZ6Pf --node_terminus exec
notice: /Stage[main]/Apache::Base/Exec[permit-http-networking]/returns: executed successfully
notice: /Stage[main]/Apache::Base/Exec[graceful-apache]: Triggered 'refresh' from 1 events
notice: /File[/var/lib/aeolus-configserver/configs/oauth/835407610389578725172527]/ensure: defined content as '{md5}1245366d917b4ad7d5c9c9b2b80838c4'
notice: Finished catalog run in 48.95 seconds