fixes 2789 - selinux denials #4
Conversation
') | ||
|
||
tunable_policy(`httpd_run_foreman', ` | ||
allow httpd_t self:capability { fowner sys_resource }; |
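Review bot: the raw `allow httpd_t self:capability { fowner sys_resource };` inside the `httpd_run_foreman` tunable duplicates policy the base package already carries conditionally: the `sesearch` output later in this thread shows `allow httpd_t httpd_t : capability { fowner fsetid sys_resource }` on a stock RHEL 6 targeted policy, gated by the `httpd_setrlimit` boolean. Rather than hard-coding capabilities, drop these lines and document that `httpd_setrlimit` must be on (the sesearch output can be re-run with its conditional display, `-C`, to confirm which boolean guards the rule). Separately, this hunk opens `tunable_policy(\`httpd_run_foreman', \`` without a visible closing `')`; if the closer is not in the part of the diff not shown here, the module will not build.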
Two things strike me as odd about this. One is that the AVCs appear to be relating to a Passenger daemon running in the httpd_t context rather than passenger_t.
The other is that my RHEL 6 host appears to permit this already:
# sesearch --allow -s httpd_t -c capability -p fowner
Found 1 semantic av rules:
   allow httpd_t httpd_t : capability { fowner fsetid sys_resource } ;
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.7.19-195.el6.noarch
Ah right, because you have the httpd_setrlimit bool turned on.
I misread the audit2allow comment; I think I can remove those two lines completely, as these are covered by setrlimit.
On the second thing: there is one design issue with mod_passenger, in that some code runs within the httpd context. It's by design of mod_passenger and we cannot really do anything about it. Let me ask again tomorrow to confirm this.
I still have httpd_setrlimit off, interestingly enough. sesearch shouldn't show me results for policy that's turned off, should it?
Noted about httpd_t domain, makes sense.
OK, removed that block as it looks like it is not needed.
Adding a new block, which solves the Fedora 19 denials:
type=AVC msg=audit(1374627407.297:1387): avc: denied { search } for pid=1961 comm="httpd" name="puppet" dev="vda1" ino=29386 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
I see dev=vda there. Is there a way to generalize it to work on non-virt systems (with sda) too?
Where do you see vda? In the denial line? Sure, but the rule I just pushed is generic:
tunable_policy(`httpd_run_foreman', `
	corenet_tcp_connect_puppet_port(httpd_t)
	puppet_read_config(httpd_t)
')
This fixes all denials I had. But I was not able to reproduce the "/sbin/ifconfig" exec.
I have put together a few SELinux notes here; feel free to edit:
http://projects.theforeman.org/projects/foreman/wiki/SELinux
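As an added example (not code from this PR or from the foreman-selinux project): the dev= and ino= fields in an AVC line only identify the inode that was hit, while the policy rule is keyed on the source type, target type, object class and permission set, which is why the pushed rule needs no device name. The script below parses AVC denial lines the way audit2allow does, merges permissions per (source, target, class), and turns target types it knows into the refpolicy interface calls used in the thread, falling back to a raw allow rule for anything else. The INTERFACE_HINTS table, the function names, and every sample line after the first are assumptions or constructed input; the interface bodies must be checked against the installed policy's .if files before trusting the mapping.

```python
import re

# Constructed sample denials, not taken from the project's audit log. The
# first mirrors the Fedora 19 denial quoted in the thread; the other two are
# made up to show the same source domain hitting a config file and a TCP port.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1374627407.297:1387): avc: denied { search } for '
    'pid=1961 comm="httpd" name="puppet" dev="vda1" ino=29386 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1374627407.298:1388): avc: denied { read open } for '
    'pid=1961 comm="httpd" path="/etc/puppet/puppet.conf" dev="sda1" ino=29390 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file',
    'type=AVC msg=audit(1374627407.299:1389): avc: denied { name_connect } for '
    'pid=1961 comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket',
]

# Constructed denial on a target type the hint table does not cover, to show
# the raw-allow fallback (the thread's unreproduced ifconfig exec is similar).
UNMAPPED_AVC = (
    'type=AVC msg=audit(1374627407.300:1390): avc: denied { execute } for '
    'pid=1961 comm="httpd" name="ifconfig" dev="sda1" ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed mapping from (target type, object class) to the refpolicy interface
# that grants access to it. Verify against the installed policy's .if files.
INTERFACE_HINTS = {
    ('puppet_etc_t', 'dir'): 'puppet_read_config',
    ('puppet_etc_t', 'file'): 'puppet_read_config',
    ('puppet_port_t', 'tcp_socket'): 'corenet_tcp_connect_puppet_port',
}


def context_type(ctx):
    """user:role:type[:range] -> type (the only part a TE rule keys on)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None.

    dev= and ino= are deliberately not returned: a denial on vda1 and one on
    sda1 for the same contexts and class yield exactly the same rule.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': set(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
    }


def merge_denials(lines):
    """Union the denied permissions per (source, target, class) triple."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        merged.setdefault((d['source'], d['target'], d['tclass']), set()).update(d['perms'])
    return merged


def allow_rules(merged):
    """audit2allow-style raw rules, one per triple, permissions sorted."""
    out = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_str))
    return out


def render_tunable(boolean, merged):
    """Render a tunable_policy() block: known targets become interface calls,
    anything unmapped is emitted as a raw allow for the reviewer to replace."""
    calls, leftovers = set(), {}
    for (src, tgt, cls), perms in merged.items():
        iface = INTERFACE_HINTS.get((tgt, cls))
        if iface:
            calls.add('%s(%s)' % (iface, src))
        else:
            leftovers[(src, tgt, cls)] = perms
    lines = sorted(calls) + allow_rules(leftovers)
    return "tunable_policy(`%s', `\n%s\n')" % (boolean, '\n'.join('\t' + l for l in lines))


if __name__ == '__main__':
    print(render_tunable('httpd_run_foreman', merge_denials(SAMPLE_AVCS)))
    print(render_tunable('httpd_run_foreman', merge_denials(SAMPLE_AVCS + [UNMAPPED_AVC])))
```

The raw-allow fallback is a review prompt, not a finished rule: a leftover like `allow httpd_t ifconfig_exec_t:file execute;` is where a real module should look for an existing interface (or decide the access is unwanted and add a dontaudit) instead of committing the generated line.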