Bug 970828 - SELinux blocks openshift_facts.rb from getting ssh key fingerprint
SELinux blocks openshift_facts.rb from getting ssh key fingerprint
Status: CLOSED DUPLICATE of bug 1006641
Product: OpenShift Origin
Classification: Red Hat
Component: Containers (Show other bugs)
2.x
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Rob Millner
libra bugs
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-04 22:48 EDT by Miciah Dashiel Butler Masters
Modified: 2015-05-14 19:12 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-21 13:28:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Miciah Dashiel Butler Masters 2013-06-04 22:48:02 EDT
Description of problem:
SELinux blocks openshift_facts.rb from running ssh-keygen on /etc/ssh/ssh_host_rsa_key to get the fingerprint for the sshfp fact.

Version-Release number of selected component (if applicable):


How reproducible:
Thoroughly.

Steps to Reproduce:

1. Install an OSE-1.2 broker host and a OSE-1.2 node host using a recent puddle.

2. Run `mco facts sshfp` on the broker host.

3. On the node host, create a file openshift-facts.te:

[root@node01 ~]# cat >openshift-facts.te<<EOF  

policy_module(openshift-facts, 1.0)

require {
        type openshift_cron_t;
        role system_r;
        type sshd_key_t;
}

ssh_run_keygen(openshift_cron_t, system_r)
EOF

4. Compile openshift-facts.te and load the resulting SELinux module:

[root@node01 ~]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted openshift-facts module
/usr/bin/checkmodule:  loading policy configuration from tmp/openshift-facts.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/openshift-facts.mod
Creating targeted openshift-facts.pp policy package
rm tmp/openshift-facts.mod tmp/openshift-facts.mod.fc
[root@node01 ~]# semodule -i openshift-facts.pp

5. Let the openshift-facts cronjob run on the node host with the new SELinux module, and then run `mco facts sshfp` again on the broker host.

Actual results:

At Step 2, the output of `mco facts sshfp` does not include any ssh fingerprints:

[root@broker ~]# mco facts sshfp
Report for fact: sshfp


Finished processing 2 / 2 hosts in 3761.33 ms

At Step 5, the output of `mco facts sshfp` does include an ssh fingerprint:

[root@broker ~]# mco facts sshfp
Report for fact: sshfp

        node01.example.com IN SSHFP 1 1 e39191c72765a21fa49d5d25ba0f3059e90c0345

found 1 times

Finished processing 2 / 2 hosts in 884.50 ms

Expected results:

I would expect the actual output at Step 2 should look like the actual output at Step 5.

Additional info:

I put an invocation of `id` in the cronjob that runs openshift_facts.rb, and `id` showed the following:

uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:openshift_cron_t:s0-s0:c0.c1023

openshift_facts.rb runs ssh-keygen as follows:

Facter.add(:sshfp) do
    setcode { %x[/usr/bin/ssh-keygen -r $(hostname) -f /etc/ssh/ssh_host_rsa_key
]}
end

I ran `ls -lZ /usr/bin/ssh-keygen` and got the following:

-rwxr-xr-x. root root system_u:object_r:ssh_keygen_exec_t:s0 /usr/bin/ssh-keygen

I see the following in the RHEL64 openshift.te:

optional_policy(`
   ssh_exec_keygen(openshift_cron_t)
   ssh_dontaudit_read_server_keys(openshift_cron_t)
')

I don't understand the macros well enough to say whether the stanza in openshift.te is incorrect, incomplete, or unrelated, or whether my solution is the most correct one.
Comment 1 Rob Millner 2013-10-21 13:28:08 EDT

*** This bug has been marked as a duplicate of bug 1006641 ***

Note You need to log in before you can comment on or make changes to this bug.