Bug #5924

Puppetmaster denial for node.rb

Added by Lukas Zapletal over 10 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal

Description

I am getting this one:

type=AVC msg=audit(1401094926.717:390): avc: denied { execute } for pid=15328 comm="ruby" name="node.rb" dev=dm-0 ino=2102058 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401094926.717:390): avc: denied { execute_no_trans } for pid=15328 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2102058 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

I think I saw that previously.


Related issues (1 closed)

Related to SELinux - Bug #3895: AVC denials from Foreman 1.3 installation (Resolved, 12/17/2013)
#1

Updated by Lukas Zapletal over 10 years ago

  • Related to Bug #3895: AVC denials from Foreman 1.3 installation added
#2

Updated by Lukas Zapletal over 10 years ago

Ok it looks like this was not resolved (see the related bug). We need a rule for this.

#3

Updated by Lukas Zapletal over 10 years ago

  • Category set to Packaging
  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Target version set to 1.8.2

Ok, the problem appears when node.rb has puppet_etc_t. After we call foreman-selinux-relabel the context is corrected. It looks like we deploy node.rb via puppet, therefore the relabel step is called BEFORE (during the foreman-selinux rpm transaction). Thus it has the wrong context.

[root@ibm-hs23-02 ~]# foreman-selinux-relabel 
/sbin/restorecon reset /usr/share/foreman/config/hooks context system_u:object_r:bin_t:s0->system_u:object_r:foreman_hook_t:s0
/sbin/restorecon reset /etc/foreman context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/client_key.pem context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/encryption_key.rb context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/client_ca.pem context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/database.yml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/client_cert.pem context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/settings.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/email.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/plugins context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/plugins/katello.yaml context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/plugins/katello context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/foreman/plugins/katello/client.conf context system_u:object_r:etc_t:s0->system_u:object_r:foreman_config_t:s0
/sbin/restorecon reset /etc/puppet/node.rb context system_u:object_r:puppet_etc_t:s0->system_u:object_r:foreman_enc_t:s0

Ignore all the lines except the node.rb one - this is a bug in RHEL6 which will likely never be fixed: if a context is an alias, then restorecon restores to the original context rather than the alias.

Rather than relabeling this, I have decided to drop foreman_enc_t and use puppet_etc_t instead. It is not a big deal since there are no dangerous executable files with this domain.

Putting the fix into: https://github.com/theforeman/foreman-selinux/pull/18
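The denials quoted in the description and the mislabel that comment #3 traces them to can be checked mechanically from the audit log. The following Python script is an added example, not code from this issue or from the foreman-selinux project: it parses audit AVC records, groups the denied permissions by source type, target type and object class, and compares the target file's observed type against a table of expected labels. The sample input is constructed: the first two records are copies of the two lines in the description, the third is an invented, unrelated denial to show a non-match; the expected label for /etc/puppet/node.rb (foreman_enc_t) is taken from the restorecon output above.

```python
import re
from dataclasses import dataclass
from posixpath import basename

# Constructed sample audit records: two copies of the denials from the bug
# description plus one invented, unrelated denial that should not match.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1401094926.717:390): avc: denied { execute } for pid=15328 comm="ruby" name="node.rb" dev=dm-0 ino=2102058 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401094926.717:390): avc: denied { execute_no_trans } for pid=15328 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2102058 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401095000.123:391): avc: denied { read } for pid=2201 comm="crond" name="lock" dev=dm-0 ino=4711 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

# Expected file types, taken from the foreman-selinux-relabel output in comment #3.
EXPECTED_TYPES = {"/etc/puppet/node.rb": "foreman_enc_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple   # denied permissions inside the braces
    pid: str
    comm: str
    target: str    # path= when present, otherwise name=
    stype: str     # type component of scontext
    ttype: str     # type component of tcontext
    tclass: str


def sel_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return an AvcDenial or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        pid=fields.get("pid", ""),
        comm=fields.get("comm", ""),
        target=fields.get("path") or fields.get("name", ""),
        stype=sel_type(fields.get("scontext", "")),
        ttype=sel_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
    )


def parse_audit(text):
    """Parse every AVC denial in a block of audit log text."""
    return [d for d in (parse_avc(line) for line in text.splitlines()) if d]


def summarize(denials):
    """Group denied permissions by (source type, target type, object class)."""
    out = {}
    for d in denials:
        out.setdefault((d.stype, d.ttype, d.tclass), set()).update(d.perms)
    return out


def find_mislabeled(denials, expected=EXPECTED_TYPES):
    """Report denials whose target file carries a type other than the expected one.

    A record with only name= is matched against the basename of each expected path.
    """
    findings = []
    for d in denials:
        for path, want in expected.items():
            hit = d.target == path if d.target.startswith("/") else d.target == basename(path)
            if hit and d.ttype != want:
                findings.append((d.target, d.ttype, want))
    return findings


if __name__ == "__main__":
    denials = parse_audit(SAMPLE_AUDIT)
    for key, perms in summarize(denials).items():
        print("%s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(sorted(perms))))
    for target, seen, want in find_mislabeled(denials):
        print("mislabeled: %s has %s, expected %s" % (target, seen, want))
```

Run against a real system, `ausearch -m avc` output or /var/log/audit/audit.log would replace SAMPLE_AUDIT; a mislabel finding for node.rb is the signal that the relabel ran before the file was deployed, which is exactly the ordering problem described in this issue.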

#4

Updated by Lukas Zapletal over 10 years ago

  • Project changed from SELinux to Installer
  • Category deleted (Packaging)

Instead of dropping the type, I will make sure that installer sets proper selinux file label.

#5

Updated by Anonymous over 10 years ago

  • Target version changed from 1.8.2 to 1.8.1
#6

Updated by Lukas Zapletal over 10 years ago

  • Status changed from Ready For Testing to Assigned

This issue was NOT fixed in the PR mentioned. I need to do seltype in Puppet.

#7

Updated by Lukas Zapletal over 10 years ago

  • Status changed from Assigned to Ready For Testing
#8

Updated by Anonymous over 10 years ago

  • Target version changed from 1.8.1 to 1.8.0
#9

Updated by Dominic Cleal over 10 years ago

Seen on a second run of the installer:

# [ WARN 2014-07-07 14:37:02 verbose]  /File[/etc/puppet/node.rb]/seltype: seltype changed 'puppet_etc_t' to 'foreman_enc_t'

This agrees with the theory presented in the PR comments, which is that it's ordering related (node.rb being evaled before foreman-selinux is installed).

#10

Updated by Anonymous over 10 years ago

  • Target version changed from 1.8.0 to 1.7.5
#11

Updated by Dominic Cleal over 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
  • Translation missing: en.field_release set to 10