Project

General

Profile

Actions

Feature #5930

closed

Implement policy for Katello plugin

Added by Lukas Zapletal over 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
High
Category:
Packaging
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Some rules can be taken from katello-selinux package.


Related issues 1 (0 open1 closed)

Related to SELinux - Refactor #6284: Remove Passenger/init_exec_script_files policyClosedActions
Actions #1

Updated by Dominic Cleal over 10 years ago

This should be a layered policy (katello-selinux), not in foreman-selinux.

Actions #2

Updated by Lukas Zapletal over 10 years ago

Why? Katello is a plugin, like others. There is no big benefit in splitting those.

Also, I don't expect katello policy to be huge. Yes, there is existing katello-selinux, but most of the rules (I expect more than 95%) will not be necessary and are covered by the foreman policy.

Actions #3

Updated by Dominic Cleal over 10 years ago

Ok, see what it involves, but my concern is if changes are needed regularly in a core Foreman project to support a plugin, then we'll get in a mess (better to have the plugin manage their own release schedule, like the installer).

Actions #4

Updated by Lukas Zapletal over 10 years ago

I agree, if we find this annoying, I will work on splitting all the policies. But I hope for 5 lines for Katello, there is nothing special at all.

Actions #5

Updated by Lukas Zapletal over 10 years ago

  • Category set to Packaging
  • Assignee set to Lukas Zapletal
  • Priority changed from Normal to High

Another set of denials:

type=AVC msg=audit(1401810620.485:4502): avc:  denied  { getattr } for  pid=19983 comm="service" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.485:4502): arch=c000003e syscall=4 success=yes exit=0 a0=c84290 a1=7fffbcdf5f20 a2=7fffbcdf5f20 a3=8 items=0 ppid=14901 pid=19983 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="service" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { read open } for  pid=19987 comm="env" name="katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.486:4503): avc:  denied  { execute_no_trans } for  pid=19987 comm="env" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.486:4503): arch=c000003e syscall=59 success=yes exit=0 a0=7fff90befd53 a1=7fff90beef38 a2=11ad060 a3=ffffff00 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4504): avc:  denied  { ioctl } for  pid=19987 comm="katello-jobs" path="/etc/rc.d/init.d/katello-jobs" dev=dm-0 ino=2889442 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4504): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fffd16d8df0 a3=4 items=0 ppid=19983 pid=19987 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="katello-jobs" exe="/bin/bash" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { read open } for  pid=19989 comm="katello-jobs" name="consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=AVC msg=audit(1401810620.487:4505): avc:  denied  { execute_no_trans } for  pid=19989 comm="katello-jobs" path="/sbin/consoletype" dev=dm-0 ino=1703944 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:consoletype_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1401810620.487:4505): arch=c000003e syscall=59 success=yes exit=0 a0=d26990 a1=d269f0 a2=d26a20 a3=10 items=0 ppid=19988 pid=19989 auid=4294967295 uid=497 gid=498 euid=497 suid=497 fsuid=497 egid=498 sgid=498 fsgid=498 tty=(none) ses=4294967295 comm="consoletype" exe="/sbin/consoletype" subj=system_u:system_r:passenger_t:s0 key=(null)

https://bugzilla.redhat.com/show_bug.cgi?id=1104251

Actions #6

Updated by Lukas Zapletal over 10 years ago

  • Bugzilla link set to https://bugzilla.redhat.com/show_bug.cgi?id=1104251
Actions #7

Updated by Lukas Zapletal over 10 years ago

Combined two BZs into this ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1084013

Actions #8

Updated by Lukas Zapletal over 10 years ago

  • Status changed from New to Ready For Testing
  • Target version set to 1.8.2
  • Translation missing: en.field_release set to 10

https://github.com/theforeman/foreman-selinux/pull/21

Note for myself: there are two downstream bugzillas for this one.

Actions #9

Updated by Anonymous over 10 years ago

  • Target version changed from 1.8.2 to 1.8.1
Actions #10

Updated by Dominic Cleal over 10 years ago

  • Related to Refactor #6284: Remove Passenger/init_exec_script_files policy added
Actions #11

Updated by Anonymous over 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF