SELinux policies for plugins #15
Conversation
Renamed this PR to "SELinux policies for plugins". I am done with this, @domcleal
miscfiles_read_localization(websockify_t) | ||
sysnet_read_config(websockify_t) | ||
|
||
# Prevent websockify from contacting ABRT |
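Review bot: the comment on the last line names the goal but not the mechanism or the reason; since the discussion settles on dontaudit rather than allow, state that here ("dontaudit: RHEL6 Python's ABRT hook fires on the traceback raised for every occupied port while Foreman scans for a free one, see #4527"), so a reader of the policy does not have to dig through the PR to learn why the rule is not an allow.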
Is that to stop the exceptions from websockify from propagating into ABRT? Bit hacky doing it here if so ;)
The problem here is that websockify throws a Python stack trace every time we try to connect to an occupied port. And this is how Foreman works: it loops over the ports until websockify starts OK. The problem is that Python on RHEL6 is configured with ABRT integration by default, therefore every single try causes an ABRT run, which is also quite slow.
I was not able to blacklist websockify; after some discussion with the ABRT folks, I decided on this trick to mute that guy. The process is not able to connect to ABRT.
Yeah, I'm aware... but I don't think adding SELinux policy is the way to fix that, especially as it doesn't help in non-enforcing configurations.
> Yeah, I'm aware... but I don't think adding SELinux policy is the way to fix that, especially as it doesn't help in non-enforcing configurations.

But we need to add it here anyway. We can either do dontaudit or allow. Of the two options, dontaudit makes more sense; it also solves the problem.

ABRT features blacklisting, but that works on a package level. Therefore on a Foreman installation, we can initiate an ABRT investigation 10 times per click.

To me dontaudit looks like the better option than allow.

Yes, I admit a proper fix should be done. We can either:

- Drop BlackListedPaths in /etc/abrt/abrt-action-save-package-data.conf (but when I initially tested this it was not working). We need augeas to do this.
- Send an upstream patch so the main method in websockify does not bubble up the exception.

I think this is a different thing; we should raise another issue/PR for that.
Later,
Lukas "lzap" Zapletal
irc: lzap #theforeman
Ok, let's use the original issue number #4527 for investigation into that. I'd prefer to stop it triggering the exception, frankly.
However I think if there's a macro that permits access to ABRT we should actually use this and then people can choose to log the exceptions by changing the config, particularly if we stop it triggering exceptions while finding a free port. This will be more useful in the long term.
ping?
Do we have something to permit passenger_t to execute websockify_exec_t, or does it have free rein to execute any label right now?
It has quite loose rights on execution, yeah.
But this is covered by
Ah yes, thanks, I missed that.
I don't think that #5446 is our bug, it should be handled in the distribution policy. (From my reading of the AVC, it's not the puppetmaster at all, it's just Postfix searching a dir it probably shouldn't be.)
On Fri, Apr 25, 2014 at 05:48:11AM -0700, Dominic Cleal wrote:
But we already carry a bunch of fixes there. Later, Lukas "lzap" Zapletal
Ok, I have reworded the issue number for the websockify, sorry. You check for this as well? Uh.
We don't carry any fixes for Postfix, do we - assuming, as I said, that I'm reading the AVC correctly?
Issue number in the websockify commit still seems to point to #4527 rather than #4569?
You're right, I missed that tiny detail. Dropped.
Hmm, reworded incorrectly. Thanks. Later, Lukas "lzap" Zapletal
Later, Lukas "lzap" Zapletal
Added one more fix
Ok, pushed; review, then I will squash.
👍 thanks!
Squashed
My F19 scratch build is failing: http://koji.katello.org/koji/getfile?taskID=103204&name=build.log

```
Compiling targeted foreman module
foreman.te":280:ERROR 'type bin_t is not within scope' at token ';' on line 7575:
typealias bin_t alias foreman_hook_t;
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from tmp/foreman.tmp
```
# Foreman Hooks plugin | ||
# | ||
|
||
typealias bin_t alias foreman_hook_t; |
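Review bot: `typealias bin_t alias foreman_hook_t;` references bin_t without declaring it, so the module's require block needs `type bin_t;` before this line; the F19 scratch build log quoted above fails on exactly this statement with "type bin_t is not within scope".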
Are we just missing bin_t from requires?
We were, fixed.
Sorry about that, thanks.
I am currently enjoying quite an interesting gdb session :-)
Later,
Lukas "lzap" Zapletal
irc: lzap #theforeman
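To make both threads above concrete (the dontaudit-versus-allow choice for websockify's ABRT traffic, and the `typealias bin_t` that failed with "type bin_t is not within scope"), here is a small standalone policy module in the raw syntax checkmodule accepts. It is an added illustration written for this review, not code from foreman-selinux. It assumes websockify_t is declared elsewhere in the Foreman policy, and that abrt_t and abrt_var_run_t are the ABRT daemon and socket-directory types shipped by the distribution's abrt policy; the socket-access classes used are the ones a traceback handler would typically hit, not something taken from an AVC on this page.

```selinux
# foreman_plugin_example.te: illustrative module, not part of foreman-selinux.
module foreman_plugin_example 1.0;

require {
    # Every external type and class a module references must be declared here;
    # leaving out bin_t is what produced "type bin_t is not within scope".
    type bin_t;
    type websockify_t;       # assumed: declared by the Foreman policy
    type abrt_t;             # assumed: ABRT daemon domain from the distribution policy
    type abrt_var_run_t;     # assumed: ABRT runtime socket directory type
    class sock_file write;
    class unix_stream_socket connectto;
}

# Foreman Hooks plugin: hook scripts keep the bin_t label; foreman_hook_t is
# only a second name for the same type, not a new domain.
typealias bin_t alias foreman_hook_t;

# Option chosen in the discussion: dontaudit.  The access is still denied, so
# the Python ABRT hook cannot reach the daemon, and the denial is not logged,
# so the port-probing loop stops flooding audit.log.
dontaudit websockify_t abrt_var_run_t:sock_file write;
dontaudit websockify_t abrt_t:unix_stream_socket connectto;

# The alternative discussed (allow): keeps ABRT reporting working and leaves
# the decision to ABRT's own configuration.  Only one of the two belongs in a
# real module; both are shown here for comparison.
# allow websockify_t abrt_var_run_t:sock_file write;
# allow websockify_t abrt_t:unix_stream_socket connectto;
```

Build and load it with `checkmodule -M -m -o foreman_plugin_example.mod foreman_plugin_example.te`, `semodule_package -o foreman_plugin_example.pp -m foreman_plugin_example.mod` and `semodule -i foreman_plugin_example.pp`; the require block is validated at the checkmodule step, which is where the missing `type bin_t;` surfaced in the koji build. Note that dontaudit only suppresses the audit record: on a permissive host every access is permitted anyway, so the ABRT run still happens there, which is the limitation Dominic points out about non-enforcing configurations.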
Do not merge yet - I will be adding policies for all our plugins in this PR.
Please review.