Bug 970828 - SELinux blocks openshift_facts.rb from getting ssh key fingerprint
Summary: SELinux blocks openshift_facts.rb from getting ssh key fingerprint
Keywords:
Status: CLOSED DUPLICATE of bug 1006641
Alias: None
Product: OKD
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: Rob Millner
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-05 02:48 UTC by Miciah Dashiel Butler Masters
Modified: 2015-05-14 23:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-21 17:28:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Miciah Dashiel Butler Masters 2013-06-05 02:48:02 UTC 
Description of problem:
SELinux blocks openshift_facts.rb from running ssh-keygen on /etc/ssh/ssh_host_rsa_key to get the fingerprint for the sshfp fact.

Version-Release number of selected component (if applicable):


How reproducible:
Thoroughly.

Steps to Reproduce:

1. Install an OSE-1.2 broker host and a OSE-1.2 node host using a recent puddle.

2. Run `mco facts sshfp` on the broker host.

3. On the node host, create a file openshift-facts.te:

[root@node01 ~]# cat >openshift-facts.te<<EOF  

policy_module(openshift-facts, 1.0)

require {
        type openshift_cron_t;
        role system_r;
        type sshd_key_t;
}

ssh_run_keygen(openshift_cron_t, system_r)
EOF

4. Compile openshift-facts.te and load the resulting SELinux module:

[root@node01 ~]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted openshift-facts module
/usr/bin/checkmodule:  loading policy configuration from tmp/openshift-facts.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/openshift-facts.mod
Creating targeted openshift-facts.pp policy package
rm tmp/openshift-facts.mod tmp/openshift-facts.mod.fc
[root@node01 ~]# semodule -i openshift-facts.pp

5. Let the openshift-facts cronjob run on the node host with the new SELinux module, and then run `mco facts sshfp` again on the broker host.

Actual results:

At Step 2, the output of `mco facts sshfp` does not include any ssh fingerprints:

[root@broker ~]# mco facts sshfp
Report for fact: sshfp


Finished processing 2 / 2 hosts in 3761.33 ms

At Step 5, the output of `mco facts sshfp` does include an ssh fingerprint:

[root@broker ~]# mco facts sshfp
Report for fact: sshfp

        node01.example.com IN SSHFP 1 1 e39191c72765a21fa49d5d25ba0f3059e90c0345

found 1 times

Finished processing 2 / 2 hosts in 884.50 ms

Expected results:

I would expect the actual output at Step 2 should look like the actual output at Step 5.

Additional info:

I put an invocation of `id` in the cronjob that runs openshift_facts.rb, and `id` showed the following:

uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023

openshift_facts.rb runs ssh-keygen as follows:

Facter.add(:sshfp) do
    setcode { %x[/usr/bin/ssh-keygen -r $(hostname) -f /etc/ssh/ssh_host_rsa_key
]}
end

I ran `ls -lZ /usr/bin/ssh-keygen` and got the following:

-rwxr-xr-x. root root system_u:object_r:ssh_keygen_exec_t:s0 /usr/bin/ssh-keygen

I see the following in the RHEL64 openshift.te:

optional_policy(`
   ssh_exec_keygen(openshift_cron_t)
   ssh_dontaudit_read_server_keys(openshift_cron_t)
')

I don't understand the macros well enough to say whether the stanza in openshift.te is incorrect, incomplete, or unrelated, or whether my solution is the most correct one.
Comment 1 Rob Millner 2013-10-21 17:28:08 UTC 

*** This bug has been marked as a duplicate of bug 1006641 ***
Note You need to log in before you can comment on or make changes to this bug.