Description of problem:
SELinux blocks openshift_facts.rb from running ssh-keygen on /etc/ssh/ssh_host_rsa_key to get the fingerprint for the sshfp fact.

Version-Release number of selected component (if applicable):

How reproducible:
Thoroughly.

Steps to Reproduce:
1. Install an OSE-1.2 broker host and an OSE-1.2 node host using a recent puddle.
2. Run `mco facts sshfp` on the broker host.
3. On the node host, create a file openshift-facts.te:

[root@node01 ~]# cat >openshift-facts.te<<EOF
policy_module(openshift-facts, 1.0)

require {
    type openshift_cron_t;
    role system_r;
    type sshd_key_t;
}

ssh_run_keygen(openshift_cron_t, system_r)
EOF

4. Compile openshift-facts.te and load the resulting SELinux module:

[root@node01 ~]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted openshift-facts module
/usr/bin/checkmodule: loading policy configuration from tmp/openshift-facts.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/openshift-facts.mod
Creating targeted openshift-facts.pp policy package
rm tmp/openshift-facts.mod tmp/openshift-facts.mod.fc
[root@node01 ~]# semodule -i openshift-facts.pp

5. Let the openshift-facts cronjob run on the node host with the new SELinux module, and then run `mco facts sshfp` again on the broker host.

Actual results:
At Step 2, the output of `mco facts sshfp` does not include any ssh fingerprints:

[root@broker ~]# mco facts sshfp
Report for fact: sshfp

Finished processing 2 / 2 hosts in 3761.33 ms

At Step 5, the output of `mco facts sshfp` does include an ssh fingerprint:

[root@broker ~]# mco facts sshfp
Report for fact: sshfp

        node01.example.com IN SSHFP 1 1 e39191c72765a21fa49d5d25ba0f3059e90c0345 found 1 times

Finished processing 2 / 2 hosts in 884.50 ms

Expected results:
I would expect the actual output at Step 2 to look like the actual output at Step 5.
Additional info:
I put an invocation of `id` in the cronjob that runs openshift_facts.rb, and `id` showed the following:

uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023

openshift_facts.rb runs ssh-keygen as follows:

Facter.add(:sshfp) do
  setcode { %x[/usr/bin/ssh-keygen -r $(hostname) -f /etc/ssh/ssh_host_rsa_key ]}
end

I ran `ls -lZ /usr/bin/ssh-keygen` and got the following:

-rwxr-xr-x. root root system_u:object_r:ssh_keygen_exec_t:s0 /usr/bin/ssh-keygen

I see the following in the RHEL64 openshift.te:

optional_policy(`
    ssh_exec_keygen(openshift_cron_t)
    ssh_dontaudit_read_server_keys(openshift_cron_t)
')

I don't understand the macros well enough to say whether the stanza in openshift.te is incorrect, incomplete, or unrelated, or whether my solution is the most correct one.
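As an added check that is not part of the bug report or of openshift_facts.rb: a small Ruby helper that parses the `mco facts sshfp` output shown above, flags the empty result seen at Step 2 (the symptom of ssh-keygen being denied), and verifies each SSHFP record against the node's public key file. The public key and fact output below are constructed samples, not real host data.

```ruby
require 'digest'

# SSHFP line as printed by `ssh-keygen -r`:  <host> IN SSHFP <alg> <fptype> <hex>
SSHFP_RE = /\A(\S+)\s+IN\s+SSHFP\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)/

# Fingerprint types per RFC 4255 / RFC 6594: 1 = SHA-1 (40 hex chars), 2 = SHA-256 (64)
FP_DIGEST = { 1 => [Digest::SHA1, 40], 2 => [Digest::SHA256, 64] }.freeze

# Parse one line of fact output; returns nil for non-record lines ("Report for fact:", ...)
def parse_sshfp(line)
  m = SSHFP_RE.match(line.strip)
  return nil unless m
  { host: m[1], alg: m[2].to_i, fptype: m[3].to_i, fp: m[4].downcase }
end

# The SSHFP digest is taken over the raw key blob (base64-decoded), not over the text line
def sshfp_fingerprint(pubkey_line, fptype)
  digest, = FP_DIGEST.fetch(fptype)
  digest.hexdigest(pubkey_line.split[1].unpack1("m0"))
end

# Check fact output against the node's public key: :empty is what this bug produces
# (SELinux denied ssh-keygen, so the fact emitted nothing), :mismatch a wrong record.
def check_sshfp_fact(fact_output, pubkey_line)
  records = fact_output.each_line.map { |l| parse_sshfp(l) }.compact
  return { status: :empty, records: [], bad: [] } if records.empty?
  bad = records.reject do |r|
    digest, len = FP_DIGEST[r[:fptype]]
    digest && r[:fp].length == len && r[:fp] == sshfp_fingerprint(pubkey_line, r[:fptype])
  end
  { status: bad.empty? ? :ok : :mismatch, records: records, bad: bad }
end

# Constructed sample key (not a real host key): a minimal ssh-rsa wire blob of
# length-prefixed strings (type, e, n), as found base64-encoded in ssh_host_rsa_key.pub
SAMPLE_BLOB = ["ssh-rsa", [1, 0, 1].pack("C*"), [0, 0x7f, 0x01].pack("C*")]
              .map { |s| [s.bytesize].pack("N") + s }.join
SAMPLE_PUBKEY = "ssh-rsa #{[SAMPLE_BLOB].pack('m0')} root@node01"
# Constructed fact output in the layout shown at Step 5 of the report
SAMPLE_FACT = "Report for fact: sshfp\n\n" \
              "        node01.example.com IN SSHFP 1 1 #{Digest::SHA1.hexdigest(SAMPLE_BLOB)} found 1 times\n"

if __FILE__ == $PROGRAM_NAME
  puts check_sshfp_fact("", SAMPLE_PUBKEY)[:status]          # empty (Step 2 symptom)
  puts check_sshfp_fact(SAMPLE_FACT, SAMPLE_PUBKEY)[:status] # ok    (Step 5)
end
```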
*** This bug has been marked as a duplicate of bug 1006641 ***