libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.4.2-4.fc17.i686
time: Qua 20 Jun 2012 01:50:33 BRT

description:
SELinux is preventing /usr/bin/ruby from 'open' accesses on the file configserver.log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ruby should be allowed open access on the configserver.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                configserver.log [ file ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.9.3.194-11.fc17.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.4.2-4.fc17.i686 #1 SMP Thu Jun 14 22:19:00 UTC 2012 i686 i686
Alert Count                   2
First Seen                    Qua 20 Jun 2012 01:42:34 BRT
Last Seen                     Qua 20 Jun 2012 01:42:45 BRT
Local ID                      c0272eb2-e8db-458f-b465-be2989f9d0d1

Raw Audit Messages
type=AVC msg=audit(1340167365.366:78): avc: denied { open } for pid=997 comm="thin" name="configserver.log" dev="dm-1" ino=1314627 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1340167365.366:78): arch=i386 syscall=open success=no exit=EACCES a0=9dd21e0 a1=8441 a2=1b6 a3=0 items=0 ppid=1 pid=997 auid=4294967295 uid=180 gid=180 euid=180 suid=180 fsuid=180 egid=180 sgid=180 fsgid=180 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,var_log_t,file,open

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
configserver.log looks like it is mislabeled. Where is configserver.log located and which process owns it? thin?
This is caused by the aeolus-configserver service. Basically it uses "thin". And this is the reason why we will need to change the way we confine it. Basically we came up with a solution for tomcat or paster. We now have thin_exec_t for /usr/bin/thin. This means that if thin is used for a service, this service will run as thin_t. So we could use "thin_domain_template()" (as we have for tomcat now in F18), which will create the thin_aeolus_configserver_t domain and the thin_aeolus_configserver_exec_t label for the executable. And this thin_aeolus_configserver_exec_t label needs to be added for a script which will do:

/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \
    -P $THIN_PID -a $THIN_IP -e $RACK_ENV \
    --user $AEOLUS_USER --group $AEOLUS_GROUP \
    -d --prefix=${PREFIX} -R $CONFIG_SERVER_RACKUP -p $CONFIG_SERVER_PORT
After a quick chat with Miroslav and Dan on IRC, I believe this amounts to simply updating the aeolus-configserver.service file (https://github.com/aeolusproject/audrey/blob/master/configserver/conf/aeolus-configserver.service), replacing "ExecStart=/usr/bin/thin ..." with "ExecStart=/usr/bin/thinStarter", where "/usr/bin/thinStarter" is a script that calls exactly what's in ExecStart today:

/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \
    -P $THIN_PID -a $THIN_IP -e $RACK_ENV \
    --user $AEOLUS_USER --group $AEOLUS_GROUP \
    -d --prefix=${PREFIX} -R $CONFIG_SERVER_RACKUP -p $CONFIG_SERVER_PORT

Dan and Miroslav, if I got any of this wrong, please feel free to chime in with any corrections. And, thanks for the help in IRC!
Great. I am just adding fixes to rawhide and then I am going to backport it to F17 and build a new scratch build for testing.
Greg, could you test it with http://koji.fedoraproject.org/koji/taskinfo?taskID=4196484
Miroslav, absolutely! Thanks for putting that together. I'll try to get this tested today.
Miroslav, I updated the config server to use a separate script to kick off thin. This is the way it works now:

- systemd (ExecStart) -> /usr/bin/aeolus-configserver-thinwrapper
- aeolus-configserver-thinwrapper -> thin

Before upgrading with your selinux patch, I was able to see the reported error. After upgrading with your patch, the config server works as expected (i.e., no errors visible to the user). But, I see several sealerts in /var/log/messages. I'm including two of the sealerts inline here. I can add the rest as attachments.

*-*-*-*-* 3aa91f6c-3bce-4705-bd90-a2d2235da108 *-*-*-*-*
WARNING: Policy would be downgraded from version 27 to 26.
** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'
** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'
** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
SELinux is preventing /usr/bin/ruby from create access on the directory aeolus-configserver.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ruby should be allowed create access on the aeolus-configserver directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                aeolus-configserver [ dir ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          dhcp-230-180.rdu.redhat.com
Source RPM Packages           ruby-1.9.3.194-13.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-133.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-230-180.rdu.redhat.com
Platform                      Linux dhcp-230-180.rdu.redhat.com 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 02 Jul 2012 11:31:01 AM EDT
Last Seen                     Mon 02 Jul 2012 01:04:27 PM EDT
Local ID                      3aa91f6c-3bce-4705-bd90-a2d2235da108

Raw Audit Messages
type=AVC msg=audit(1341248667.636:49): avc: denied { create } for pid=760 comm="thin" name="aeolus-configserver" scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1341248667.636:49): arch=x86_64 syscall=mkdir success=yes exit=0 a0=d8f8b0 a1=1ff a2=0 a3=0 items=0 ppid=704 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,var_run_t,dir,create

audit2allow
#============= thin_t ==============
allow thin_t var_run_t:dir create;

audit2allow -R
#============= thin_t ==============
allow thin_t var_run_t:dir create;

*-*-*-*-* 3aa91f6c-3bce-4705-bd90-a2d2235da108 *-*-*-*-*

*-*-*-*-* 1f0ced86-4c5e-4934-93af-0841d8269829 *-*-*-*-*
WARNING: Policy would be downgraded from version 27 to 26.
** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'
** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'
** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
SELinux is preventing /usr/bin/ruby from getattr access on the directory /var/log/aeolus-configserver.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that ruby should be allowed getattr access on the aeolus-configserver directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:thin_aeolus_configserver_log_t:s0
Target Objects                /var/log/aeolus-configserver [ dir ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          dhcp-230-180.rdu.redhat.com
Source RPM Packages           ruby-1.9.3.194-13.fc17.x86_64
Target RPM Packages           aeolus-configserver-0.5.0-0.fc17.20120629211041gitf92ebde.noarch
Policy RPM                    selinux-policy-3.10.0-133.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-230-180.rdu.redhat.com
Platform                      Linux dhcp-230-180.rdu.redhat.com 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 02 Jul 2012 01:04:27 PM EDT
Last Seen                     Mon 02 Jul 2012 01:04:27 PM EDT
Local ID                      1f0ced86-4c5e-4934-93af-0841d8269829

Raw Audit Messages
type=AVC msg=audit(1341248667.637:50): avc: denied { getattr } for pid=760 comm="thin" path="/var/log/aeolus-configserver" dev="dm-1" ino=37415 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:thin_aeolus_configserver_log_t:s0 tclass=dir

type=SYSCALL msg=audit(1341248667.637:50): arch=x86_64 syscall=stat success=yes exit=0 a0=f1d8a0 a1=7fff911b7800 a2=7fff911b7800 a3=321052f940 items=0 ppid=704 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,thin_aeolus_configserver_log_t,dir,getattr

audit2allow
#============= thin_t ==============
allow thin_t thin_aeolus_configserver_log_t:dir getattr;

audit2allow -R
#============= thin_t ==============
allow thin_t thin_aeolus_configserver_log_t:dir getattr;

*-*-*-*-* 1f0ced86-4c5e-4934-93af-0841d8269829 *-*-*-*-*

Altogether, I found 9 separate sealerts. Two directories with several alerts, one network operation, and one signal access.

- /var/log/aeolus-configserver
  * create (inlined above)
  * dir getattr (inlined above)
  * search
  * file open
- /var/lib/aeolus-configserver/configs
  * dir getattr
  * file getattr
  * file read open
- SELinux is preventing /usr/bin/ruby from name_bind access on the tcp_socket.
  * port 4567 (the alert here instructs to do: # semanage port -a -t PORT_TYPE -p tcp 4567 where PORT_TYPE is one of the following: ntop_port_t.)
- SELinux is preventing /usr/bin/ruby from using the signal access on a process.

Like I said above though, the config server is operating. There are no errors presented to the user. There's nothing indicating that the application is unable to perform certain operations. So, I'm a little baffled at the number of sealerts that showed up.

Hope this helps a little.
Well, the problem is the policy has labeling for

/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)

instead of /usr/bin/aeolus-configserver-thinwrapper. So you need to execute

# chcon -t thin_aeolus_configserver_exec_t /usr/bin/aeolus-configserver-thinwrapper

and then re-test it. We don't want to have it in the thin_t domain.
D'oh! Sorry, I renamed it to be something more context-specific.
After upgrading selinux-policy and changing the security context of aeolus-configserver-thinwrapper to thin_aeolus_configserver_exec_t, I get the following in /var/log/messages:

Jul 5 11:56:21 dhcp231-56 aeolus-configserver-thinwrapper[1951]: /bin/bash: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied
Jul 5 11:56:21 dhcp231-56 systemd[1]: aeolus-configserver.service: main process exited, code=exited, status=127

Any clues?
# setenforce 0
# ausearch -m avc -ts recent
# ausearch -m avc -ts this-month
----
time->Thu Jul 5 11:56:21 2012
type=SYSCALL msg=audit(1341503781.622:158): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=0 items=0 ppid=1 pid=1951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="aeolus-configse" exe="/usr/bin/bash" subj=system_u:system_r:thin_aeolus_configserver_t:s0 key=(null)
type=AVC msg=audit(1341503781.622:158): avc: denied { read } for pid=1951 comm="aeolus-configse" path="/usr/bin/bash" dev="dm-1" ino=133227 scontext=system_u:system_r:thin_aeolus_configserver_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
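Added example (not from this bug report or the aeolus project): a small Python triage of raw AVC records in the shape quoted in this thread. It separates the denials where the process was still running as thin_t (the mislabeled wrapper, fixed by relabeling rather than by audit2allow rules for thin_t) from the one where thin_aeolus_configserver_t itself could not read shell_exec_t (a gap in the new domain's policy, which the thread then moved to a newer selinux-policy build for). The expected domain name and the classification rules are assumptions chosen to match this thread; the sample records are constructed from the ones pasted above.

```python
import re
from collections import Counter

# Constructed sample in the shape of this bug's raw audit messages
# (one record per line, as audit.log / ausearch emit them).
SAMPLE_AVC = """\
type=AVC msg=audit(1340167365.366:78): avc: denied { open } for pid=997 comm="thin" name="configserver.log" dev="dm-1" ino=1314627 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1340167365.366:78): arch=i386 syscall=open success=no exit=EACCES comm=thin exe=/usr/bin/ruby
type=AVC msg=audit(1341248667.636:49): avc: denied { create } for pid=760 comm="thin" name="aeolus-configserver" scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1341503781.622:158): avc: denied { read } for pid=1951 comm="aeolus-configse" path="/usr/bin/bash" dev="dm-1" ino=133227 scontext=system_u:system_r:thin_aeolus_configserver_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['perms'] = m.group('perms').split()
    # user:role:type:level -> keep the type, which is what policy rules name
    fields['sdomain'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def classify(avc, expected_domain='thin_aeolus_configserver_t'):
    """Heuristic (an assumption) mapping a denial to the fix this thread needed."""
    if avc['sdomain'] != expected_domain:
        # The process never transitioned into its own domain: the wrapper's
        # exec label is wrong, so relabel it instead of widening thin_t.
        return 'relabel'
    if avc['ttype'] == 'shell_exec_t' and 'read' in avc['perms']:
        # Right domain, but it cannot run its own shell wrapper: policy gap.
        return 'policy'
    return 'investigate'

def triage(text, expected_domain='thin_aeolus_configserver_t'):
    """Count denials per remediation class over a block of audit records."""
    counts = Counter()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc:
            counts[classify(avc, expected_domain)] += 1
    return dict(counts)
```

Running triage(SAMPLE_AVC) on the constructed records yields two 'relabel' denials and one 'policy' denial; SYSCALL records are ignored because only the AVC line carries the contexts.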
Ok, could you test it with selinux-policy-3.10.0-138.fc17?
Will do
Added thinwrapper script. Updated systemd script to call thinwrapper instead of trying to start thin directly.

git hash: 6916146283f4b82e30f6e3fa2ac373382b4ee16d (master)
aeolus-configserver-0.5.1-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/aeolus-configserver-0.5.1-1.fc18
Package aeolus-configserver-0.5.1-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing aeolus-configserver-0.5.1-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14375/aeolus-configserver-0.5.1-1.fc18
then log in and leave karma (feedback).
aeolus-configserver-0.5.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.