Bug 377325 - sec-policy/selinux-puppet cannot relabel files
Summary: sec-policy/selinux-puppet cannot relabel files
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2011-08-01 20:43 UTC by Matthew Thode ( prometheanfire )
Modified: 2011-10-23 13:16 UTC (History)
Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-01 20:43:33 UTC
told puppet to put a file in /root/.ssh/
file was not relabeled.

Reproducible: Always

Actual Results:  
type=AVC msg=audit(1312231148.723:62): avc:  denied  { name_connect } for  pid=1733 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1312231148.723:62): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=6a9215f8aa0 a2=1c a3=7b6b515c19f8 items=0 ppid=1 pid=1733 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1312231148.723:63): avc:  denied  { name_connect } for  pid=1733 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1312231148.723:63): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=6a9214a4220 a2=10 a3=7b6b515c19f8 items=0 ppid=1 pid=1733 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1312231150.345:64): avc:  denied  { relabelfrom } for  pid=1733 comm="puppetd" name="authorized_keys" dev=vda3 ino=6678 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ssh_home_t tclass=file
type=SYSCALL msg=audit(1312231150.345:64): arch=c000003e syscall=189 success=no exit=-13 a0=6a920b05970 a1=70ee11c3d3ba a2=6a922199de0 a3=19 items=0 ppid=1 pid=1733 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)

Expected Results:  
no audit log :D
Comment 1 Sven Vermeulen 2011-08-10 17:26:43 UTC
Is the file in /root/.ssh the authorized_keys file?

Because your error shows that puppet_t wants to relabel /from/ ssh_home_t on this file, which is weird since I would expect it to relabel to the proper format ;-)

What label did the file get and what did you expect?
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-10 18:07:10 UTC
It did create the file correctly, but I think that puppet is actually trying to do something odd.  This might be an ignorable error.
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-10 18:40:39 UTC
My puppet log (to /var/log/messages)

Aug 10 14:34:01 test puppet-agent[1702]: nss_ldap: failed to bind to LDAP server ldaps://ldap.mthode.org: Can't contact LDAP server
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context root:object_r:user_home_dir_t on /root/.ssh
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context system_u:object_r:ssh_home_t on /root/.ssh
Aug 10 14:34:04 test puppet-agent[1702]: (/File[/root/.ssh]/ensure) created
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context root:object_r:user_home_dir_t on /root/.ssh/authorized_keys
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context system_u:object_r:ssh_home_t on /root/.ssh/authorized_keys
Aug 10 14:34:04 test puppet-agent[1702]: (/File[/root/.ssh/authorized_keys]/ensure) defined content as '{md5}ee663dd9f812a1370f820765503d801c'
Aug 10 14:34:14 test puppet-agent[1702]: Finished catalog run in 14.54 seconds
My audit log

type=AVC msg=audit(1313001559.057:7965): avc:  denied  { name_connect } for  pid=1702 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1313001559.057:7965): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=457f932090 a2=1c a3=7e6b0dc78738 items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001559.057:7966): avc:  denied  { name_connect } for  pid=1702 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1313001559.057:7966): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=457e027290 a2=10 a3=7e6b0dc78738 items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.628:7967): avc:  denied  { relabelfrom } for  pid=1702 comm="puppetd" name=".ssh" dev=vda3 ino=6155 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1313001568.628:7967): arch=c000003e syscall=189 success=no exit=-13 a0=457de94660 a1=76099acf73ba a2=457e4066d0 a3=1e items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.631:7968): avc:  denied  { relabelfrom } for  pid=1702 comm="puppetd" name=".ssh" dev=vda3 ino=6155 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1313001568.631:7968): arch=c000003e syscall=189 success=no exit=-13 a0=457e423660 a1=76099acf73ba a2=457f032330 a3=1d items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.695:7969): avc:  denied  { relabelfrom } for  pid=1702 comm="puppetd" name="authorized_keys" dev=vda3 ino=7037 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=file
type=SYSCALL msg=audit(1313001568.695:7969): arch=c000003e syscall=189 success=no exit=-13 a0=457dfb6260 a1=76099acf73ba a2=457e483940 a3=1e items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.698:7970): avc:  denied  { relabelfrom } for  pid=1702 comm="puppetd" name="authorized_keys" dev=vda3 ino=7037 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=file
type=SYSCALL msg=audit(1313001568.698:7970): arch=c000003e syscall=189 success=no exit=-13 a0=457bf58b50 a1=76099acf73ba a2=457ec82dd0 a3=1d items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001569.880:7971): avc:  denied  { read } for  pid=8861 comm="nrpe" name="nrpe.cfg" dev=vda3 ino=6958 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:nrpe_etc_t tclass=file
type=SYSCALL msg=audit(1313001569.880:7971): arch=c000003e syscall=2 success=no exit=-13 a0=43420dd1040 a1=0 a2=1b6 a3=0 items=0 ppid=8860 pid=8861 auid=4294967295 uid=103 gid=110 euid=103 suid=103 fsuid=103 egid=110 sgid=110 fsgid=110 tty=(none) ses=4294967295 comm="nrpe" exe="/usr/bin/nrpe" subj=system_u:system_r:nrpe_t key=(null)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-12 21:53:43 UTC
Should be in hardened-dev overlay (selinux-puppet-2.20110726-r1), sadly without the ldap fix in it yet (that'll be part of -r2).

The support for relabeling files is handled through the puppet_manage_all_files boolean.
Comment 5 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-17 06:55:52 UTC
So the only files it cannot relabel are which files?
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-17 19:02:38 UTC
All files (with attribute file_type) that are not policy_config_t or do not have the security_file_type attribute set.

To find out which attributes a particular label has, use seinfo:

~# seinfo -tshadow_t -x

If it contains file_type and not security_file_type, and it isn't called policy_config_t, then puppet can relabelto/from it.
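Triage helper for the denials in this bug, as an added example (not code from the bug or from the selinux-puppet policy): it parses the AVC lines quoted above, keeps the relabel denials raised by puppet_t, and applies the rule from comment 6 to decide whether the puppet_manage_all_files boolean from comment 4 would cover the target type or whether a policy change is needed. The TYPE_ATTRS table is a constructed stand-in for what `seinfo -t<type> -x` would print on a real system.

```python
import re

# Constructed sample: AVC lines quoted in this bug (pids, inodes as posted).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1313001559.057:7965): avc:  denied  { name_connect } for  pid=1702 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=AVC msg=audit(1313001568.628:7967): avc:  denied  { relabelfrom } for  pid=1702 comm="puppetd" name=".ssh" dev=vda3 ino=6155 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1313001568.695:7969): avc:  denied  { relabelfrom } for  pid=1702 comm="puppetd" name="authorized_keys" dev=vda3 ino=7037 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=file
type=AVC msg=audit(1312231150.345:64): avc:  denied  { relabelfrom } for  pid=1733 comm="puppetd" name="authorized_keys" dev=vda3 ino=6678 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ssh_home_t tclass=file
"""

# Hypothetical attribute table standing in for `seinfo -t<type> -x` output.
TYPE_ATTRS = {
    "ssh_home_t": {"file_type", "home_type"},
    "user_home_dir_t": {"file_type", "home_dir_type"},
    "shadow_t": {"file_type", "security_file_type"},
    "policy_config_t": {"file_type", "security_file_type"},
    "ldap_port_t": {"port_type"},
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\S+:(?P<stype>\w+) tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)'
)

def parse_avc(log):
    """Return one dict (perms, stype, ttype, tclass) per AVC denial line."""
    out = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            out.append(d)
    return out

def puppet_can_relabel(ttype, attrs):
    """Rule from comment 6: file_type, not security_file_type, not policy_config_t."""
    a = attrs.get(ttype, set())
    return "file_type" in a and "security_file_type" not in a and ttype != "policy_config_t"

def triage(log, attrs=TYPE_ATTRS):
    """Map each target type of a puppet_t relabel denial to 'boolean'
    (puppet_manage_all_files covers it) or 'policy' (needs a policy change)."""
    result = {}
    for d in parse_avc(log):
        if d["stype"] != "puppet_t" or not d["perms"] & {"relabelfrom", "relabelto"}:
            continue  # name_connect to ldap_port_t is a separate issue (the -r2 ldap fix)
        result[d["ttype"]] = "boolean" if puppet_can_relabel(d["ttype"], attrs) else "policy"
    return result
```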
Comment 7 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-08-17 19:05:54 UTC
Ok, so we can't manage selinux (except through portage) with puppet. At least that is what I am getting.

I will not be able to install a pp module (puppet files are called pp too, so this is confusing, I mean selinux), relabel (as I think is required) and then load the module?
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2011-08-29 09:19:52 UTC
in portage tree (~arch)