
Bug #9972

foreman_openscap don't work with SELinux in enforcing mode

Added by Baptiste Agasse over 6 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Katello 2.2 + foreman 1.8RC2 + foreman_openscap (ruby193-rubygem-openscap.noarch 0.4.2-2.el7) on CentOS 7.

foreman didn't start when the foreman_openscap plugin is installed with SELinux in enforcing mode (selinux-policy.noarch 3.12.1-153.el7_0.13, katello-selinux.noarch 2.2.1-1.el7, foreman-selinux.noarch 1.8.0-0.1.RC2.el7)

type=AVC msg=audit(1427808795.006:1501): avc:  denied  { execmem } for  pid=825 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1427808795.006:1501): arch=c000003e syscall=10 success=no exit=-13 a0=7ffd5b3ac000 a1=1000 a2=5 a3=7fffb96072f0 items=0 ppid=822 pid=825 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

History

#1 Updated by Lukas Zapletal over 6 years ago

This is due to assets not being precompiled. The Google V8 engine is broken and does weird things like execmem, which we do not allow for security reasons.

http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Generating-plugin-assets

#2 Updated by Shlomi Zadok over 6 years ago

  • Pull request https://github.com/OpenSCAP/scaptimony/pull/23 added
  • Pull request deleted ()

foreman_openscap assets:precompile are called here: https://github.com/OpenSCAP/foreman_openscap/blob/master/lib/foreman_openscap/engine.rb#L19

I suspect that the Scaptimony assets are never asked to precompile and opened a PR to remove them: https://github.com/OpenSCAP/scaptimony/pull/23

#3 Updated by Lukas Zapletal over 6 years ago

Assets are not the problem, sorry.

The libffi library has a special check for whether SELinux is enabled (https://github.com/ffi/ffi/blob/master/ext/ffi_c/libffi/src/closures.c#L133-L164) and, if it is, it avoids EXECMEM (http://www.akkadia.org/drepper/selinux-mem.html). The ruby ffi gem was provided from Simon's package; please check whether the library is built against the correct libffi. I can't tell, but obviously something is mapping memory incorrectly and I suspect this is it.

http://copr-be.cloud.fedoraproject.org/results/isimluk/OpenSCAP/epel-7-x86_64/ruby193-rubygem-ffi-1.9.3-3.el7/build.log

#4 Updated by Shlomi Zadok over 6 years ago

  • Assignee set to Šimon Lukašík

#5 Updated by Lukas Zapletal over 6 years ago

It looks like both libffi in EPEL7 and Simon's library (linked to system libffi) contain the selinux check function:

[root@hp-nehalem-01 ~]# strings /usr/lib64/libffi.so.6.0.1 | grep selinux
/selinux
selinuxfs 
[root@hp-nehalem-01 ~]# ldd /opt/rh/ruby193/root/usr/lib64/gems/exts/ffi-1.9.3/lib/ffi_c.so
        linux-vdso.so.1 =>  (0x00007fff3c3fe000)
        libruby.so.1.9 => not found
        libffi.so.6 => /lib64/libffi.so.6 (0x00007f8184d0d000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8184af1000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f81848e9000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f81846e4000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f81844ad000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f81841ab000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f8183de9000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8185141000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f8183be6000)

I just realized that the openscap library uses mmap too; that might be the problem. You should implement a similar workaround for SELinux there.

WORKAROUND FOR USERS: Set allow_execmem SELinux boolean.

#6 Updated by Shlomi Zadok over 6 years ago

  • Target version set to 0.4.0

#7 Updated by Šimon Lukašík over 6 years ago

  • Target version deleted (0.4.0)
  • Pull request added
  • Pull request deleted (https://github.com/OpenSCAP/scaptimony/pull/23)

I cannot confirm this bug is related to libopenscap.

Here is the narrow reproducer:

require 'ffi'

# Narrow reproducer: defining a single FFI binding against libc is enough
# to trigger the execmem denial; no openscap code is involved.
module LibC
  extend FFI::Library
  ffi_lib FFI::Library::LIBC
  attach_function :free, [:pointer], :void
end

If you run this in any domain (which has execmem not allowed/dontaudited) you will see an AVC denial similar to the one mentioned above.
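
The SYSCALL record in the description decodes as follows: on x86_64, syscall=10 is mprotect, a2=5 is PROT_READ|PROT_EXEC and exit=-13 is EACCES, i.e. the Ruby process asked the kernel to make a private, writable mapping executable, which is exactly what the execmem permission gates (libffi's SELinux-aware closure code exists to avoid this by double-mapping a file instead). The workaround in comment #5 flips a global boolean; the script below is an added example (not from this thread or from the Foreman/OpenSCAP projects) showing the narrower alternative a practitioner would usually prefer: pull the execmem denials out of audit.log, then generate and load a policy module that grants execmem to that one source domain only. The sample AVC lines are constructed copies in the shape of the ones posted above; install_execmem_module needs the checkmodule, semodule_package and semodule tools and root on an SELinux host, and is not exercised by the stand-alone run.

```shell
#!/bin/sh
# Added example, not code from the bug thread or the Foreman/OpenSCAP projects.
# Triage execmem denials and build a policy module scoped to one domain, as a
# narrower alternative to the global allow_execmem boolean from comment #5.

# Constructed sample: two AVC records in the same shape as the thread's
# audit.log excerpts (one execmem denial, one unrelated lsof getattr denial).
SAMPLE_AVC='type=AVC msg=audit(1427808795.006:1501): avc:  denied  { execmem } for  pid=825 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.383:19614): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/hugepages" dev="hugetlbfs" ino=11860 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir'

# execmem_denials: read AVC records on stdin and print "<source type> <comm>"
# once per distinct execmem denial. On a live host feed it from
#   ausearch -m AVC -ts recent | execmem_denials
execmem_denials() {
    grep 'denied *{ execmem }' \
    | sed -n 's/.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*/\2 \1/p' \
    | sort -u
}

# gen_execmem_module: print Type Enforcement source that allows execmem for
# exactly one domain (e.g. passenger_t). Unlike the boolean, no other domain
# on the host gains the permission.
gen_execmem_module() {
    dom="$1"
    cat <<EOF
module ${dom}_execmem 1.0;

require {
    type ${dom};
    class process execmem;
}

# W^X is relaxed for this one domain only; drop the module once the
# offending library stops mapping writable+executable memory.
allow ${dom} self:process execmem;
EOF
}

# install_execmem_module: compile and load the module. Needs checkmodule,
# semodule_package and semodule (checkpolicy/policycoreutils) and root.
# Only meaningful on an SELinux host; not run by the stand-alone demo below.
install_execmem_module() {
    dom="$1"
    tmp=$(mktemp -d) || return 1
    gen_execmem_module "$dom" > "$tmp/${dom}_execmem.te" || return 1
    checkmodule -M -m -o "$tmp/${dom}_execmem.mod" "$tmp/${dom}_execmem.te" || return 1
    semodule_package -o "$tmp/${dom}_execmem.pp" -m "$tmp/${dom}_execmem.mod" || return 1
    semodule -i "$tmp/${dom}_execmem.pp" || return 1
    rm -rf "$tmp"
}

# Stand-alone run on the constructed sample: report each denied domain and
# print the scoped module that would cover it.
printf '%s\n' "$SAMPLE_AVC" | execmem_denials | while read -r dom comm; do
    echo "# $comm running in $dom was denied execmem; scoped module:"
    gen_execmem_module "$dom"
done
```

Two caveats before loading such a module in production. First, execmem in passenger_t means every Foreman worker may now hold writable+executable pages, so it weakens W^X for the whole web tier; the scoped module is a containment measure while the ffi/libffi build is fixed, not a substitute for that fix. Second, the boolean name differs between policy versions: on RHEL 7 it may be listed as selinuxuser_execmem with allow_execmem kept only as an alias, so confirm with `getsebool -a | grep execmem` before relying on either name. Check `ausearch -m AVC -c ruby` again after loading; the unrelated lsof denials in comment #8 are a separate issue and are not covered by this module.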

#8 Updated by Eduardo Hernacki over 5 years ago

Baptiste Agasse wrote:

Katello 2.2 + foreman 1.8RC2 + foreman_openscap (ruby193-rubygem-openscap.noarch 0.4.2-2.el7) on CentOS 7.

foreman didn't start when the foreman_openscap plugin is installed with SELinux in enforcing mode (selinux-policy.noarch 3.12.1-153.el7_0.13, katello-selinux.noarch 2.2.1-1.el7, foreman-selinux.noarch 1.8.0-0.1.RC2.el7)

[...]

I'm still having the same issue with Foreman 1.10. My setup is:

CentOS 7.2 + katello-2.4.0-7.el7.noarch + foreman-1.10.0-1.el7.noarch + tfm-rubygem-foreman_openscap-0.4.3-2.fm1_10.el7.noarch

I noted that the problems began when I installed tfm-rubygem-foreman_openscap-0.4.3-2.fm1_10.el7.noarch, and I'm getting an HTTP 500 error in Apache.

My audit.log shows the following when I'm trying to access Foreman's portal:

type=AVC msg=audit(1452956110.816:19612): avc: denied { execmem } for pid=32580 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.088:19613): avc: denied { execmem } for pid=32566 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.383:19614): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/hugepages" dev="hugetlbfs" ino=11860 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.383:19615): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.383:19616): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19617): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=1151 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19618): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/cpu,cpuacct" dev="cgroup" ino=1177 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19619): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/blkio" dev="cgroup" ino=1197 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19620): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/memory" dev="cgroup" ino=1233 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19621): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/net_cls" dev="cgroup" ino=1268 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19622): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/devices" dev="cgroup" ino=1278 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19623): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/hugetlb" dev="cgroup" ino=1290 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19624): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/perf_event" dev="cgroup" ino=1303 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19625): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/cpuset" dev="cgroup" ino=1312 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19626): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/freezer" dev="cgroup" ino=1333 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19627): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/pstore" dev="pstore" ino=1159 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19628): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/kernel/config" dev="configfs" ino=1832 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19629): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-2" dev="devtmpfs" ino=12635 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.385:19630): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/sda1" dev="devtmpfs" ino=7884 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.386:19631): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-0" dev="devtmpfs" ino=7985 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.386:19632): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-2" dev="devtmpfs" ino=12635 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.391:19633): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/private" dev="tmpfs" ino=10790 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19634): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/lvm/lvmpolld.socket" dev="tmpfs" ino=10814 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19635): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/NetworkManager/private" dev="tmpfs" ino=15680 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19636): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/shutdownd" dev="tmpfs" ino=10834 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19637): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/notify" dev="tmpfs" ino=1379 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19638): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/lvm/lvmetad.socket" dev="tmpfs" ino=10898 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19639): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/udev/control" dev="tmpfs" ino=10919 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19640): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19641): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/wsgi.27654.0.1.sock" dev="tmpfs" ino=986600 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19642): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19643): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19644): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19645): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19646): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19647): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19648): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19649): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
