Bug 833660 - SELinux is preventing /usr/bin/ruby from 'open' accesses on the file configserver.log.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: aeolus-configserver
Version: 17
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Joe Vlcek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:c22fef81d4fc6964cb9b398ca28...
Depends On:
Blocks:
 
Reported: 2012-06-20 04:50 UTC by Armando
Modified: 2012-09-27 05:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-27 05:14:04 UTC
Type: ---
Embargoed:



Description Armando 2012-06-20 04:50:55 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.2-4.fc17.i686
time:           Qua 20 Jun 2012 01:50:33 BRT

description:
:SELinux is preventing /usr/bin/ruby from 'open' accesses on the file configserver.log.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If você acredita que o ruby deva ser permitido acesso de open em configserver.log file  por default.
:Then você precisa reportar este como um erro.
:Você pode gerar um módulo de política local para permitir este acesso.
:Do
:permitir este acesso agora executando:
:# grep thin /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:thin_t:s0
:Target Context                system_u:object_r:var_log_t:s0
:Target Objects                configserver.log [ file ]
:Source                        thin
:Source Path                   /usr/bin/ruby
:Port                          <Desconhecido>
:Host                          (removed)
:Source RPM Packages           ruby-1.9.3.194-11.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-130.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.2-4.fc17.i686 #1 SMP Thu Jun
:                              14 22:19:00 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    Qua 20 Jun 2012 01:42:34 BRT
:Last Seen                     Qua 20 Jun 2012 01:42:45 BRT
:Local ID                      c0272eb2-e8db-458f-b465-be2989f9d0d1
:
:Raw Audit Messages
:type=AVC msg=audit(1340167365.366:78): avc:  denied  { open } for  pid=997 comm="thin" name="configserver.log" dev="dm-1" ino=1314627 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1340167365.366:78): arch=i386 syscall=open success=no exit=EACCES a0=9dd21e0 a1=8441 a2=1b6 a3=0 items=0 ppid=1 pid=997 auid=4294967295 uid=180 gid=180 euid=180 suid=180 fsuid=180 egid=180 sgid=180 fsgid=180 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)
:
:Hash: thin,thin_t,var_log_t,file,open
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Daniel Walsh 2012-06-20 18:25:05 UTC
configserver.log looks like it is mislabeled.

Where is configserver.log located and which process owns it?  thin?

Comment 2 Miroslav Grepl 2012-06-22 07:52:07 UTC
This is caused by aeolus-configserver service. Basically it used "thin".

And this is the reason why we will need to change the way we confine it. Basically we came up with a solution for tomcat or paster.

We have now thin_exec_t for /usr/bin/thin. This means if thin is used for a service, this service will run as thin_t. 

So we could do "thin_domain_template()" (as we have for tomcat now in F18) which will create thin_aeolus_configserver_t domain and thin_aeolus_configserver_exec_t label for executable.

And this thin_aeolus_configserver_exec_t needs to be added for a script which will do

/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \
  -P $THIN_PID -a $THIN_IP -e $RACK_ENV \
  --user $AEOLUS_USER --group $AEOLUS_GROUP \
  -d --prefix=${PREFIX} -R $CONFIG_SERVER_RACKUP -p $CONFIG_SERVER_PORT

Comment 3 Greg Blomquist 2012-06-25 20:41:29 UTC
After a quick chat with Miroslav and Dan on IRC, I believe this amounts to simply updating the aeolus-configserver.service file (https://github.com/aeolusproject/audrey/blob/master/configserver/conf/aeolus-configserver.service), replacing "ExecStart=/usr/bin/thin ..." with "ExecStart=/usr/bin/thinStarter"

Where "/usr/bin/thinStarter" is a script that calls exactly what's in ExecStart today:

/usr/bin/thin start -c $CONFIG_SERVER_DIR -l $THIN_LOG \
  -P $THIN_PID -a $THIN_IP -e $RACK_ENV \
  --user $AEOLUS_USER --group $AEOLUS_GROUP \
  -d --prefix=${PREFIX} -R $CONFIG_SERVER_RACKUP -p $CONFIG_SERVER_PORT

Dan and Miroslav, if I got any of this wrong, please feel free to chime in with any corrections.  And, thanks for the help in IRC!

Comment 4 Miroslav Grepl 2012-06-26 11:07:36 UTC
Great. I am just adding fixes to rawhide and then I am going to backport it to F17 and build a new scratch build for testing.

Comment 5 Miroslav Grepl 2012-06-26 12:49:05 UTC
Greg,
could you test it with

http://koji.fedoraproject.org/koji/taskinfo?taskID=4196484

Comment 6 Greg Blomquist 2012-06-29 14:39:46 UTC
Miroslav,

absolutely!  Thanks for putting that together.  I'll try to get this tested today.

Comment 7 Greg Blomquist 2012-07-03 13:53:53 UTC
Miroslav,

I updated the config server to use a separate script to kick off thin.  This is the way it works now:

  - systemd (ExecStart) -> /usr/bin/aeolus-configserver-thinwrapper
  - aeolus-configserver-thinwrapper -> thin

Before upgrading with your selinux patch, I was able to see the reported error.

After upgrading with your patch, the config server works as expected (i.e., no errors visible to the user).  But, I see several sealerts in /var/log/messages.  I'm including two of the sealerts inline here.  I can add the rest as attachments.

*-*-*-*-* 3aa91f6c-3bce-4705-bd90-a2d2235da108 *-*-*-*-*

WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1436): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
SELinux is preventing /usr/bin/ruby from create access on the directory aeolus-configserver.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ruby should be allowed create access on the aeolus-configserver directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                aeolus-configserver [ dir ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          dhcp-230-180.rdu.redhat.com
Source RPM Packages           ruby-1.9.3.194-13.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-133.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-230-180.rdu.redhat.com
Platform                      Linux dhcp-230-180.rdu.redhat.com
                              3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC
                              2012 x86_64 x86_64
Alert Count                   3
First Seen                    Mon 02 Jul 2012 11:31:01 AM EDT
Last Seen                     Mon 02 Jul 2012 01:04:27 PM EDT
Local ID                      3aa91f6c-3bce-4705-bd90-a2d2235da108

Raw Audit Messages
type=AVC msg=audit(1341248667.636:49): avc:  denied  { create } for  pid=760 comm="thin" name="aeolus-configserver" scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1341248667.636:49): arch=x86_64 syscall=mkdir success=yes exit=0 a0=d8f8b0 a1=1ff a2=0 a3=0 items=0 ppid=704 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,var_run_t,dir,create

audit2allow

#============= thin_t ==============
allow thin_t var_run_t:dir create;

audit2allow -R

#============= thin_t ==============
allow thin_t var_run_t:dir create;

*-*-*-*-* 3aa91f6c-3bce-4705-bd90-a2d2235da108 *-*-*-*-*


*-*-*-*-* 1f0ced86-4c5e-4934-93af-0841d8269829 *-*-*-*-*

WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:1439): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
SELinux is preventing /usr/bin/ruby from getattr access on the directory /var/log/aeolus-configserver.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that ruby should be allowed getattr access on the aeolus-configserver directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep thin /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:thin_t:s0
Target Context                system_u:object_r:thin_aeolus_configserver_log_t:s
                              0
Target Objects                /var/log/aeolus-configserver [ dir ]
Source                        thin
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          dhcp-230-180.rdu.redhat.com
Source RPM Packages           ruby-1.9.3.194-13.fc17.x86_64
Target RPM Packages           aeolus-configserver-0.5.0-0.fc17.20120629211041git
                              f92ebde.noarch
Policy RPM                    selinux-policy-3.10.0-133.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-230-180.rdu.redhat.com
Platform                      Linux dhcp-230-180.rdu.redhat.com
                              3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC
                              2012 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 02 Jul 2012 01:04:27 PM EDT
Last Seen                     Mon 02 Jul 2012 01:04:27 PM EDT
Local ID                      1f0ced86-4c5e-4934-93af-0841d8269829

Raw Audit Messages
type=AVC msg=audit(1341248667.637:50): avc:  denied  { getattr } for  pid=760 comm="thin" path="/var/log/aeolus-configserver" dev="dm-1" ino=37415 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:thin_aeolus_configserver_log_t:s0 tclass=dir


type=SYSCALL msg=audit(1341248667.637:50): arch=x86_64 syscall=stat success=yes exit=0 a0=f1d8a0 a1=7fff911b7800 a2=7fff911b7800 a3=321052f940 items=0 ppid=704 pid=760 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=thin exe=/usr/bin/ruby subj=system_u:system_r:thin_t:s0 key=(null)

Hash: thin,thin_t,thin_aeolus_configserver_log_t,dir,getattr

audit2allow

#============= thin_t ==============
allow thin_t thin_aeolus_configserver_log_t:dir getattr;

audit2allow -R

#============= thin_t ==============
allow thin_t thin_aeolus_configserver_log_t:dir getattr;

*-*-*-*-* 1f0ced86-4c5e-4934-93af-0841d8269829 *-*-*-*-*


Altogether, I found 9 separate sealerts.  Two directories with several alerts, one network operation, and one signal access.

- /var/log/aeolus-configserver
  * create (inlined above)
  * dir getattr (inlined above)
  * search
  * file open

- /var/lib/aeolus-configserver/configs
  * dir getattr
  * file getattr
  * file read open

- SELinux is preventing /usr/bin/ruby from name_bind access on the tcp_socket .
  * port 4567
(the alert here instructs to do:
# semanage port -a -t PORT_TYPE -p tcp 4567
    where PORT_TYPE is one of the following: ntop_port_t.)

- SELinux is preventing /usr/bin/ruby from using the signal access on a process.


Like I said above though, the config server is operating.  There are no errors presented to the user.  There's nothing indicating that the application is unable to perform certain operations.  So, I'm a little baffled at the number of sealerts that showed up.

Hope this helps a little.

Comment 8 Miroslav Grepl 2012-07-03 14:34:14 UTC
Well the problem is the policy has labeling for 

/usr/bin/thinStarter    --  gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)

instead of  /usr/bin/aeolus-configserver-thinwrapper

So you need to execute

# chcon -t thin_aeolus_configserver_exec_t /usr/bin/aeolus-configserver-thinwrapper

and then re-test it. We don't want to have it in the thin_t domain.
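
As an added illustration (not code from this bug or from the aeolus project), a small Python triage helper modelled on what audit2allow does with the AVC records quoted in this report: it parses denial lines, merges them into allow rules, and separates denials raised from the generic thin_t domain (the symptom of an unlabelled wrapper described in the comment above) from denials raised by the service's own thin_aeolus_configserver_t domain. The sample records are constructed copies of the ones pasted earlier in this bug.

```python
import re
from collections import OrderedDict

# Constructed sample: copies of the raw AVC records quoted in this bug report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1340167365.366:78): avc:  denied  { open } for  pid=997 comm="thin" name="configserver.log" dev="dm-1" ino=1314627 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1341248667.636:49): avc:  denied  { create } for  pid=760 comm="thin" name="aeolus-configserver" scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1341248667.637:50): avc:  denied  { getattr } for  pid=760 comm="thin" path="/var/log/aeolus-configserver" dev="dm-1" ino=37415 scontext=system_u:system_r:thin_t:s0 tcontext=system_u:object_r:thin_aeolus_configserver_log_t:s0 tclass=dir
type=AVC msg=audit(1341503781.622:158): avc:  denied  { read } for  pid=1951 comm="aeolus-configse" path="/usr/bin/bash" dev="dm-1" ino=133227 scontext=system_u:system_r:thin_aeolus_configserver_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def parse_avc(line):
    """Return perms and source/target types of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m.group("perms").split(),
            # contexts are user:role:type:level; the type is field 2
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass")}


def allow_rules(lines):
    """Merge denials into allow rules, in the form audit2allow prints them."""
    merged = OrderedDict()
    for rec in filter(None, map(parse_avc, lines)):
        perms = merged.setdefault((rec["stype"], rec["ttype"], rec["tclass"]), [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return ["allow %s %s:%s %s;" % (s, t, c, p[0] if len(p) == 1 else "{ %s }" % " ".join(p))
            for (s, t, c), p in merged.items()]


def triage(lines, service_domain, generic_domain):
    """Split denials by source domain.  Denials from generic_domain (thin_t here)
    while the service should run as service_domain mean the wrapper lacks its
    *_exec_t label and never transitioned: relabel it, don't write allow rules."""
    recs = list(filter(None, map(parse_avc, lines)))
    generic = [r for r in recs if r["stype"] == generic_domain]
    service = [r for r in recs if r["stype"] == service_domain]
    return {"relabel_needed": bool(generic), "generic": generic, "service": service}
```

Denials that remain in the service's own domain after relabelling (like the shell_exec_t read in Comment 12) are the ones that actually need policy changes.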

Comment 9 Greg Blomquist 2012-07-03 14:38:46 UTC
D'oh!  Sorry, I renamed it to be something more context-specific.

Comment 10 Greg Blomquist 2012-07-05 16:32:49 UTC
After upgrading selinux-policy and changing the security context of aeolus-configserver-thinwrapper to thin_aeolus_configserver_exec_t I get the following in /var/log/messages:

Jul  5 11:56:21 dhcp231-56 aeolus-configserver-thinwrapper[1951]: /bin/bash: error while loading shared libraries: cannot apply additional memory protection after relocation: Permission denied
Jul  5 11:56:21 dhcp231-56 systemd[1]: aeolus-configserver.service: main process exited, code=exited, status=127

Any clues?

Comment 11 Miroslav Grepl 2012-07-09 06:05:38 UTC
# setenforce 0
# ausearch -m avc -ts recent

Comment 12 Greg Blomquist 2012-07-09 14:25:48 UTC
# ausearch -m avc -ts this-month
----
time->Thu Jul  5 11:56:21 2012
type=SYSCALL msg=audit(1341503781.622:158): arch=c000003e syscall=10 success=no exit=-13 a0=6d9000 a1=1000 a2=1 a3=0 items=0 ppid=1 pid=1951 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="aeolus-configse" exe="/usr/bin/bash" subj=system_u:system_r:thin_aeolus_configserver_t:s0 key=(null)
type=AVC msg=audit(1341503781.622:158): avc:  denied  { read } for  pid=1951 comm="aeolus-configse" path="/usr/bin/bash" dev="dm-1" ino=133227 scontext=system_u:system_r:thin_aeolus_configserver_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Comment 13 Miroslav Grepl 2012-07-10 07:04:04 UTC
Ok, could you test it with selinux-policy-3.10.0-138.fc17?

Comment 14 Greg Blomquist 2012-07-10 14:01:07 UTC
Will do

Comment 15 Greg Blomquist 2012-09-13 16:15:38 UTC
Added thinwrapper script.
Updated systemd script to call thinwrapper instead of trying to start thin directly.

git hash: 6916146283f4b82e30f6e3fa2ac373382b4ee16d (master)

Comment 16 Fedora Update System 2012-09-18 16:03:33 UTC
aeolus-configserver-0.5.1-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/aeolus-configserver-0.5.1-1.fc18

Comment 17 Fedora Update System 2012-09-20 05:56:52 UTC
Package aeolus-configserver-0.5.1-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing aeolus-configserver-0.5.1-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14375/aeolus-configserver-0.5.1-1.fc18
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2012-09-27 05:14:04 UTC
aeolus-configserver-0.5.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

