Feature #5930

Implement policy for Katello plugin

Added by Lukas Zapletal about 4 years ago. Updated 7 days ago.

Status:Closed
Priority:High
Assignee:Lukas Zapletal
Category:Packaging
Target version:1.6.0
Difficulty:
Team Backlog:
Triaged:
Fixed in Releases:
Bugzilla link:1104251
Found in Releases:
Pull request:

Description

Some rules can be taken from the katello-selinux package.


Related issues

Related to SELinux - Refactor #6284: Remove Passenger/init_exec_script_files policy New 06/19/2014

Associated revisions

Revision 0578ccf1
Added by Lukas Zapletal about 4 years ago

fixes #5930 - implement katello selinux policy

Revision 55326848
Added by Lukas Zapletal about 4 years ago

fixes #5930 - fix katello-jobs domain

History

#1 Updated by Dominic Cleal about 4 years ago

This should be a layered policy (katello-selinux), not in foreman-selinux.

#2 Updated by Lukas Zapletal about 4 years ago

Why? Katello is a plugin, like others. There is no big benefit in splitting those.

Also, I don't expect katello policy to be huge. Yes, there is existing katello-selinux, but most of the rules (I expect more than 95%) will not be necessary and are covered by the foreman policy.

#3 Updated by Dominic Cleal about 4 years ago

Ok, see what it involves, but my concern is if changes are needed regularly in a core Foreman project to support a plugin, then we'll get in a mess (better to have the plugin manage their own release schedule, like the installer).

#4 Updated by Lukas Zapletal about 4 years ago

I agree, if we find this annoying, I will work on splitting all the policies. But I hope for 5 lines for Katello, there is nothing special at all.

#5 Updated by Lukas Zapletal about 4 years ago

  • Category set to Packaging
  • Assignee set to Lukas Zapletal
  • Priority changed from Normal to High

Another set of denials:

type=AVC msg=audit(1401810620.485:4502): avc:  denied  { getattr } for  pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 a0=c84290 a1=7fffbcdf5f20 a2=7fffbcdf5f20 a3=8 items=0 ppid=14901 pid=19983 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { read open } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute_no_trans } for  pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 a0=7fff90befd53 a1=7fff90beef38 a2=11ad060 a3=ffffff00 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4504): avc:  denied  { ioctl } for  pid=19987 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffd16d8df0 a3=4 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { read open } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute_no_trans } for  pid=19989 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 a0=d26990 a1=d269f0 a2=d26a20 a3=10 items=0 ppid=19988 pid=19989 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)

https://bugzilla.redhat.com/show_bug.cgi?id=1104251
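The denials quoted above serve as the input for the following parser, added here as an illustration; it is not code from foreman-selinux or from this ticket. It groups each (source type, target type, class) triple into the permission set an allow rule would need, in the spirit of audit2allow, and separates out the ioctl denial: its paired SYSCALL record shows syscall 16 (ioctl) with a1=5401 (TCGETS) failing with exit=-25 (ENOTTY), which is bash asking whether the script file is a terminal, a check normally handled with dontaudit rather than allow. It also reports the events whose syscall says success=yes despite the denial, which is how you can tell this trace was captured on a permissive host (enforcing mode would have failed the execve calls). The constant names and the embedded sample log string are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC/SYSCALL records quoted in comment #5, copied verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1401810620.485:4502): avc:  denied  { getattr } for  pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 a0=c84290 a1=7fffbcdf5f20 a2=7fffbcdf5f20 a3=8 items=0 ppid=14901 pid=19983 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { read open } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute_no_trans } for  pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 a0=7fff90befd53 a1=7fff90beef38 a2=11ad060 a3=ffffff00 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4504): avc:  denied  { ioctl } for  pid=19987 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffd16d8df0 a3=4 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { read open } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute_no_trans } for  pid=19989 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 a0=d26990 a1=d269f0 a2=d26a20 a3=10 items=0 ppid=19988 pid=19989 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)
"""

# Names chosen for this example (arch=c000003e is x86_64).
SYS_IOCTL_X86_64 = 16   # syscall number of ioctl on x86_64
TCGETS = "5401"         # ioctl request bash issues to test "is this fd a terminal?"
ENOTTY = 25             # errno the kernel returns when it is not

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<event>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \} "
    r"for .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<event>\d+)\): .*?syscall=(?P<syscall>\d+) "
    r"success=(?P<success>yes|no) exit=(?P<exit>-?\d+) a0=\S+ a1=(?P<a1>\S+)")


def context_type(ctx):
    """user:role:type[:range] -> type (index 2 survives an MLS range suffix)."""
    return ctx.split(":")[2]


def parse_records(log):
    """Return (list of AVC denials, dict event-id -> fields of the paired SYSCALL record)."""
    avcs, syscalls = [], {}
    for line in log.splitlines():
        m = AVC_RE.match(line)
        if m:
            avcs.append({"event": m["event"], "perms": set(m["perms"].split()),
                         "stype": context_type(m["scontext"]),
                         "ttype": context_type(m["tcontext"]), "tclass": m["tclass"]})
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m["event"]] = {"syscall": int(m["syscall"]), "success": m["success"] == "yes",
                                    "exit": int(m["exit"]), "a1": m["a1"]}
    return avcs, syscalls


def summarize(log):
    """Split denials into permissions a policy must allow and tty-probe noise to dontaudit."""
    avcs, syscalls = parse_records(log)
    needed, noisy = defaultdict(set), defaultdict(set)
    for d in avcs:
        key = (d["stype"], d["ttype"], d["tclass"])
        sc = syscalls.get(d["event"])
        perms = set(d["perms"])
        # ioctl(fd, TCGETS) on a non-tty that failed with ENOTTY is bash's terminal probe.
        if ("ioctl" in perms and sc and sc["syscall"] == SYS_IOCTL_X86_64
                and sc["a1"] == TCGETS and sc["exit"] == -ENOTTY):
            noisy[key].add("ioctl")
            perms.discard("ioctl")
        if perms:
            needed[key] |= perms
    return dict(needed), dict(noisy)


def to_te_rules(needed, noisy):
    """Render the summary as raw TE rules, one per (source, target, class) triple."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    for (stype, ttype, tclass), perms in sorted(noisy.items()):
        rules.append(f"dontaudit {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def denied_but_succeeded(log):
    """Event ids where a denial was logged yet the syscall reported success=yes (permissive mode)."""
    avcs, syscalls = parse_records(log)
    return {d["event"] for d in avcs
            if d["event"] in syscalls and syscalls[d["event"]]["success"]}


if __name__ == "__main__":
    needed, noisy = summarize(SAMPLE_AUDIT_LOG)
    print("\n".join(to_te_rules(needed, noisy)))
    print("denied yet successful (permissive host):", sorted(denied_but_succeeded(SAMPLE_AUDIT_LOG)))
```

The raw rules are only a starting point for reading the trace: a real module would express the same grants through refpolicy interfaces (init_exec_script_files() is the one named in related issue #6284) instead of open-coded allow lines, and each grant should be questioned rather than copied, since letting the web-application domain passenger_t execute init scripts and consoletype widens what a compromised Rails process can do. Related Refactor #6284 is about removing exactly that init-script permission again.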

#6 Updated by Lukas Zapletal about 4 years ago

  • Bugzilla link set to https://bugzilla.redhat.com/show_bug.cgi?id=1104251

#7 Updated by Lukas Zapletal about 4 years ago

Combined two BZs into this ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1084013

#8 Updated by Lukas Zapletal about 4 years ago

  • Status changed from New to Ready For Testing
  • Target version set to 1.8.2
  • Legacy Backlogs Release (now unused) set to 10

https://github.com/theforeman/foreman-selinux/pull/21

Note for myself: there are two downstream bugzillas for this one.

#9 Updated by Dmitri Dolguikh about 4 years ago

  • Target version changed from 1.8.2 to 1.8.1

#10 Updated by Dominic Cleal about 4 years ago

  • Related to Refactor #6284: Remove Passenger/init_exec_script_files policy added

#11 Updated by Anonymous about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
