Bug #9972

closed

foreman_openscap doesn't work with SELinux in enforcing mode

Added by Baptiste Agasse almost 9 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Katello 2.2 + foreman 1.8RC2 + foreman_openscap (ruby193-rubygem-openscap.noarch 0.4.2-2.el7) on CentOS 7.

foreman doesn't start when the foreman_openscap plugin is installed with SELinux in enforcing mode (selinux-policy.noarch 3.12.1-153.el7_0.13, katello-selinux.noarch 2.2.1-1.el7, foreman-selinux.noarch 1.8.0-0.1.RC2.el7)

type=AVC msg=audit(1427808795.006:1501): avc:  denied  { execmem } for  pid=825 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1427808795.006:1501): arch=c000003e syscall=10 success=no exit=-13 a0=7ffd5b3ac000 a1=1000 a2=5 a3=7fffb96072f0 items=0 ppid=822 pid=825 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
#1

Updated by Lukas Zapletal almost 9 years ago

This is due to assets not being precompiled. The Google V8 engine is broken, doing weird things like execmem, which we do not allow for security reasons.

http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Generating-plugin-assets

#2

Updated by Shlomi Zadok almost 9 years ago

  • Pull request https://github.com/OpenSCAP/scaptimony/pull/23 added
  • Pull request deleted ()

foreman_openscap's assets:precompile is called here: https://github.com/OpenSCAP/foreman_openscap/blob/master/lib/foreman_openscap/engine.rb#L19

I suspect that the Scaptimony assets are never asked to precompile and opened a PR to remove them: https://github.com/OpenSCAP/scaptimony/pull/23

#3

Updated by Lukas Zapletal almost 9 years ago

Assets are not the problem, sorry.

The libffi library has this special check for whether SELinux is enabled (https://github.com/ffi/ffi/blob/master/ext/ffi_c/libffi/src/closures.c#L133-L164) and, if it is, it avoids EXECMEM (http://www.akkadia.org/drepper/selinux-mem.html). The ruby ffi gem was provided from Simon's package; please check whether the library is built against the correct libffi. I can't tell, but obviously something is mounting mmap incorrectly, and I suspect this is it.

http://copr-be.cloud.fedoraproject.org/results/isimluk/OpenSCAP/epel-7-x86_64/ruby193-rubygem-ffi-1.9.3-3.el7/build.log

#4

Updated by Shlomi Zadok almost 9 years ago

  • Assignee set to Šimon Lukašík

#5

Updated by Lukas Zapletal almost 9 years ago

It looks like both libffi in EPEL7 and Simon's library (linked to system libffi) contain the selinux check function:

[root@hp-nehalem-01 ~]# strings /usr/lib64/libffi.so.6.0.1 | grep selinux
/selinux
selinuxfs 
[root@hp-nehalem-01 ~]# ldd /opt/rh/ruby193/root/usr/lib64/gems/exts/ffi-1.9.3/lib/ffi_c.so
        linux-vdso.so.1 =>  (0x00007fff3c3fe000)
        libruby.so.1.9 => not found
        libffi.so.6 => /lib64/libffi.so.6 (0x00007f8184d0d000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8184af1000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f81848e9000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f81846e4000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f81844ad000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f81841ab000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f8183de9000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8185141000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f8183be6000)

I just realized that the openscap library uses mmap too; that might be the problem. You should implement a similar workaround for SELinux there.

WORKAROUND FOR USERS: Set allow_execmem SELinux boolean.

#6

Updated by Shlomi Zadok almost 9 years ago

  • Target version set to 0.4.0

#7

Updated by Šimon Lukašík almost 9 years ago

  • Target version deleted (0.4.0)
  • Pull request added
  • Pull request deleted (https://github.com/OpenSCAP/scaptimony/pull/23)

I cannot confirm this bug is related to libopenscap.

Here is the narrow reproducer:

# Minimal reproducer: loading the ffi gem and attaching a single libc
# function is enough to trigger the execmem denial.
require 'ffi'
module LibC
  extend FFI::Library
  ffi_lib FFI::Library::LIBC
  attach_function :free, [:pointer], :void
end

If you run this in any domain (which has execmem not allowed/dontaudited) you will see an AVC denial similar to the one mentioned above.

#8

Updated by Eduardo Hernacki about 8 years ago

Baptiste Agasse wrote:

Katello 2.2 + foreman 1.8RC2 + foreman_openscap (ruby193-rubygem-openscap.noarch 0.4.2-2.el7) on CentOS 7.

foreman doesn't start when the foreman_openscap plugin is installed with SELinux in enforcing mode (selinux-policy.noarch 3.12.1-153.el7_0.13, katello-selinux.noarch 2.2.1-1.el7, foreman-selinux.noarch 1.8.0-0.1.RC2.el7)

[...]

I'm still having the same issue with Foreman 1.10. My setup is:

CentOS 7.2 + katello-2.4.0-7.el7.noarch + foreman-1.10.0-1.el7.noarch + tfm-rubygem-foreman_openscap-0.4.3-2.fm1_10.el7.noarch

I noted that the problems began when I installed tfm-rubygem-foreman_openscap-0.4.3-2.fm1_10.el7.noarch, and I'm getting HTTP 500 errors in Apache.

My audit.log shows the following when I'm trying to access Foreman's portal:

type=AVC msg=audit(1452956110.816:19612): avc: denied { execmem } for pid=32580 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.088:19613): avc: denied { execmem } for pid=32566 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.383:19614): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/hugepages" dev="hugetlbfs" ino=11860 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.383:19615): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.383:19616): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19617): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=1151 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19618): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/cpu,cpuacct" dev="cgroup" ino=1177 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19619): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/blkio" dev="cgroup" ino=1197 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19620): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/memory" dev="cgroup" ino=1233 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19621): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/net_cls" dev="cgroup" ino=1268 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19622): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/devices" dev="cgroup" ino=1278 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19623): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/hugetlb" dev="cgroup" ino=1290 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19624): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/perf_event" dev="cgroup" ino=1303 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19625): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/cpuset" dev="cgroup" ino=1312 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19626): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/freezer" dev="cgroup" ino=1333 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19627): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/pstore" dev="pstore" ino=1159 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19628): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/kernel/config" dev="configfs" ino=1832 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19629): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-2" dev="devtmpfs" ino=12635 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.385:19630): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/sda1" dev="devtmpfs" ino=7884 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.386:19631): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-0" dev="devtmpfs" ino=7985 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.386:19632): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-2" dev="devtmpfs" ino=12635 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.391:19633): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/private" dev="tmpfs" ino=10790 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19634): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/lvm/lvmpolld.socket" dev="tmpfs" ino=10814 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19635): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/NetworkManager/private" dev="tmpfs" ino=15680 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19636): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/shutdownd" dev="tmpfs" ino=10834 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19637): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/notify" dev="tmpfs" ino=1379 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19638): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/lvm/lvmetad.socket" dev="tmpfs" ino=10898 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19639): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/udev/control" dev="tmpfs" ino=10919 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19640): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19641): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/wsgi.27654.0.1.sock" dev="tmpfs" ino=986600 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19642): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19643): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19644): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19645): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19646): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19647): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19648): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19649): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
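
As an added example (not code from the report, foreman_openscap or libffi), here is a Ruby triage script that serves both the workaround in comment #5 and the audit excerpt in comment #8: it parses AVC lines like the ones above, groups denials by source domain, permission and target class, separates the process/execmem denial that breaks the Passenger-hosted Ruby from the other denials logged in the same window, and names the allow_execmem boolean the thread gives as the workaround. The sample log is constructed from a trimmed subset of the lines quoted in comment #8; SAMPLE_AUDIT_LOG, parse_avc_line, triage, execmem_denials, recommendation and selinux_enforcing? are names chosen here, and selinux_enforcing? assumes selinuxfs is mounted at /sys/fs/selinux.

```ruby
# Added example, not code from the bug report, foreman_openscap or libffi.
# Reads audit.log-style AVC lines, groups denials by (source domain,
# permission, target class) and singles out the execmem denial that breaks
# the Passenger-hosted Ruby process, so it is not lost among the other
# denials logged in the same window.

# Constructed sample, trimmed from the denials quoted in the report:
# one execmem denial for the ruby process, two of the lsof getattr
# denials, and the SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = <<~LOG
  type=AVC msg=audit(1452956110.816:19612): avc: denied { execmem } for pid=32580 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
  type=SYSCALL msg=audit(1452956110.816:19612): arch=c000003e syscall=10 success=no exit=-13 pid=32580 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby"
  type=AVC msg=audit(1452956111.385:19627): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/pstore" dev="pstore" ino=1159 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir
  type=AVC msg=audit(1452956111.391:19633): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/private" dev="tmpfs" ino=10790 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
LOG

# One AVC record; fields holds pid, comm, scontext, tcontext, tclass and,
# for file objects, path/dev/ino.
Denial = Struct.new(:timestamp, :serial, :perms, :fields)

# Tolerates the doubled spaces seen in the first excerpt of the report.
AVC_RE = /\Atype=AVC msg=audit\((?<ts>[\d.]+):(?<serial>\d+)\): avc:\s+denied\s+\{ (?<perms>[^}]+) \} for\s+(?<rest>.*)\z/

# Parses one line; returns nil for anything that is not an AVC denial
# (SYSCALL records, blank lines, unrelated audit types).
def parse_avc_line(line)
  m = AVC_RE.match(line.strip)
  return nil unless m
  fields = {}
  m[:rest].scan(/(\w+)=("[^"]*"|\S+)/) { |key, value| fields[key] = value.delete('"') }
  Denial.new(m[:ts].to_f, m[:serial].to_i, m[:perms].split, fields)
end

# The type portion of a context such as system_u:system_r:passenger_t:s0.
def source_domain(denial)
  denial.fields['scontext'].to_s.split(':')[2]
end

# Groups denials into { [domain, permission, tclass] => { count:, comms: } }.
def triage(log_text)
  summary = Hash.new { |h, k| h[k] = { count: 0, comms: [] } }
  log_text.each_line do |line|
    denial = parse_avc_line(line)
    next unless denial
    denial.perms.each do |perm|
      entry = summary[[source_domain(denial), perm, denial.fields['tclass']]]
      entry[:count] += 1
      entry[:comms] |= [denial.fields['comm']]
    end
  end
  summary
end

# Only the process/execmem entries, which is what took Foreman down here.
def execmem_denials(summary)
  summary.select { |(_domain, perm, tclass), _| perm == 'execmem' && tclass == 'process' }
end

# Next step for a triage key. The execmem case uses the workaround named in
# comment #5 of the report; anything else is flagged for separate review.
def recommendation(key)
  domain, perm, tclass = key
  if perm == 'execmem' && tclass == 'process'
    "#{domain}: execmem denied; the report's workaround is 'setsebool -P allow_execmem on' " \
      "(inspect first with 'getsebool allow_execmem')"
  else
    "#{domain}: #{perm} on #{tclass}; not the execmem failure, review separately"
  end
end

# True when selinuxfs reports enforcing mode; false if the node is absent
# (SELinux disabled, or not a Linux host). Assumes selinuxfs is mounted at
# /sys/fs/selinux, as it is on CentOS 7.
def selinux_enforcing?(enforce_path = '/sys/fs/selinux/enforce')
  File.read(enforce_path).strip == '1'
rescue SystemCallError
  false
end

if __FILE__ == $PROGRAM_NAME
  summary = triage(SAMPLE_AUDIT_LOG)
  puts "SELinux enforcing on this host: #{selinux_enforcing?}"
  summary.each do |key, entry|
    puts "#{entry[:count]}x #{key.join('/')} by #{entry[:comms].join(',')} -> #{recommendation(key)}"
  end
end
```

To use it on a real host, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log. The grouping matters because the excerpt in comment #8 holds two execmem denials among roughly forty getattr denials from lsof; the execmem entry is the one that explains the HTTP 500, and the boolean is only the workaround the thread names, since it relaxes a policy restriction for every process it covers. The thread's own analysis in comments #3 and #5 points at the ffi gem's libffi build as the thing to check before reaching for the boolean.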

#9

Updated by Ondřej Pražák over 2 years ago

  • Status changed from New to Closed

Foreman 1.10 is no longer supported and the same issue has not been reported for the latest releases, therefore closing. Feel free to reopen if it appears again.
