Created attachment 391754 [details, diff]
run_init patch

As a part of writing a puppet selinux policy, I got segued into a sidebar about puppet running selinux-aware services. I decided that puppet needs to be smart and utilize the run_init process in order to have things run under the right context. Enabling that is a whole separate bug report which I'm mulling over (not sure who gets it yet), but the process of figuring that out revealed a major issue.

Here is the problem illustrated:

puppetmaster ~ # run_init meow; echo $?
Authenticating root.
Exec:: No such file or directory
0
puppetmaster ~ # meow; echo $?
-bash: meow: command not found
127

puppetmaster ~ # run_init service ntpd status; echo $?
Authenticating root.
 * status: stopped
0
puppetmaster ~ # service ntpd status; echo $?
 * status: stopped
3

(unconfined on the centos 6 host, permissive on the gentoo host, respectively)

In short, return codes from processes that run_init executes are ignored. This is a BIG though subtle problem. Without run_init, an enforcing system will return permission denied for status queries.

The context for this problem is puppet, which utilizes init tools like rc-status and whatnot in order to determine how a service is doing. When everything returns 0, puppet thinks everything is running properly. This, by the way, is a general problem not restricted to puppet. This is just my current use case and context.

It turns out that RedHat solved this issue with a tiny patch, which I've attached to this bug report. Why this patch works is unclear to me. My guess would be that the arguments passed to /usr/sbin/open_init_pty are a bit weirdly structured, as the patch basically moves some argument entries around. I would have to tear into it a lot more, but I've thrown enough time into this overall problem today.

This is the result with this patch applied to policycoreutils 2.3 on a gentoo test VM:

gentoo_test policycoreutils-2.3 # run_init service ntpd status; echo $?
Authenticating root.
 * status: stopped
3
gentoo_test policycoreutils-2.3 # service ntpd status; echo $?
 * status: stopped
3
gentoo_test policycoreutils-2.3 #

It also has the expected/desired behavior within puppet, once some other related work is done to tell it to use run_init:

Debug: Executing '/usr/sbin/run_init /sbin/rc-service ntpd status'
Debug: Executing '/bin/rc-status -C -a'
Debug: Executing '/usr/sbin/run_init /sbin/rc-service ntpd start'
Debug: Executing '/bin/rc-status -C -a'
Notice: /Stage[main]/Node::Gentoo_test/Service[ntpd]/ensure: ensure changed 'stopped' to 'running'
Debug: /Stage[main]/Node::Gentoo_test/Service[ntpd]: The container Class[Node::Gentoo_test] will propagate my refresh event
Info: /Stage[main]/Node::Gentoo_test/Service[ntpd]: Unscheduling refresh on Service[ntpd]
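The exit-status plumbing a wrapper like run_init/open_init_pty has to get right, as an added C example that is not the attached patch or the policycoreutils code: the hypothetical run_and_propagate() forks the command, waits for it and hands back the child's own exit code (127 when the command cannot be found, 128+signal when it dies of a signal) instead of an unconditional 0; the pty allocation and the SELinux context switch of the real tool are deliberately left out, and run_shell() is a small hypothetical helper for exercising it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] as a child and return the exit code the wrapper should
 * return to its own caller.  A wrapper that ignores this and exits 0
 * makes every "service X status" look like "running". */
int run_and_propagate(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return 126;                     /* the wrapper itself failed */
    if (pid == 0) {
        execvp(argv[0], argv);
        /* Only reached if exec failed: 127 for "command not found",
         * 126 otherwise, following the shell convention. */
        _exit(errno == ENOENT ? 127 : 126);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return 126;                 /* wait failed for a real reason */
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);     /* child's code, unchanged */
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);  /* shell convention for signals */
    return 126;
}

/* Hypothetical convenience helper: run a command line through /bin/sh. */
int run_shell(const char *cmdline)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmdline, NULL };
    return run_and_propagate(argv);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_and_propagate(&argv[1]);  /* e.g. "service ntpd status" -> 3 */
}
```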
Upstream discussion: http://marc.info/?t=141864364300001&r=1&w=2
Created attachment 391790 [details]
open_init_pty.c based on debian version

After speaking with bigon I found out they have been carrying a patch to open_init_pty for quite a while. It used to have some C++ in it, so I modified it to be in plain C only. This should fix a bunch of issues. I am going to test it for a while and would appreciate others testing it too. If it goes well and bigon has no issues either, we'll try and upstream it. To compile, replace the file in the repo and make.
This patch resolves the underlying issue of stomping return codes while preserving the functionality of open_init_pty, and otherwise appears to work OK for my limited testing.
I have sent the patch for open_init_pty to the mailing list: http://article.gmane.org/gmane.comp.security.selinux/21374
Any movement on this? This is confusing puppet on my systems because run_init is clobbering the return code of things, so it doesn't know if a service is running or not. This still happens in policycoreutils 2.4, as well.
This is already in 2.5.