Hi,

I've been working on a SElinux policy - it's ready for testing. Given the lack of testing outside of my local environments, I wouldn't recommend running this in a production environment yet - there will almost certainly be edge cases I haven't caught.

There's support for all three major database engines and it assumes you're running under Passenger.

Here is how to test it out:

1. Ensure selinux is enforcing (run getenforce if you're unsure)
2. wget http://skottler.fedorapeople.org/foreman/selinux/foreman.pp
3. semodule -i foreman.pp

As always, feel free to respond here, poke me in IRC, or file issues in the bug tracker with any problems/questions/feedback.

I'll send a follow up tomorrow once the smart proxy policy is available.

-Sam

/me dusts off his SELinux skills

So looking first at the file context regexes it's added:

Should config files be labelled as logs? Maybe etc_t or a dedicated type?

/etc/foreman(/.*)? all files
system_u:object_r:httpd_foreman_script_log_t:s0

What paths should this be matching?

foreman regular file
system_u:object_r:httpd_foreman_script_exec_t:s0

I'm getting an AVC from the "Passenger ApplicationSpawner:
/usr/share/foreman" process trying to write to my sqlite database:

type=AVC msg=audit(1362590838.549:39197): avc: denied { write } for
pid=2093 comm="ruby" name="production.sqlite3" dev=dm-0 ino=521782
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

I guess it should be labelled something other than var_lib_t, but what?

There are also labelling issues with the ~foreman/tmp/cache area being
shared between cron jobs and the webapp:

-rw-r–r--. foreman foreman system_u:object_r:cron_var_run_t:s0
/usr/share/foreman/tmp/cache/AF7/A20/default_puppet_environment
-rw-r–r--. foreman foreman system_u:object_r:cron_var_run_t:s0
/usr/share/foreman/tmp/cache/C1B/080/update_environment_from_facts

type=AVC msg=audit(1362591644.778:39250): avc: denied { read } for
pid=2217 comm="ruby" name="ignore_puppet_facts_for_provisioning"
dev=dm-0 ino=526592 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file
type=AVC msg=audit(1362591644.789:39251): avc: denied { unlink } for
pid=2217 comm="ruby" name="ignore_puppet_facts_for_provisioning"
dev=dm-0 ino=526592 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file

There's a UDP binding here, which I suspect is Foreman trying to query
the authoritative DNS servers:

type=AVC msg=audit(1362591697.977:39260): avc: denied { name_bind }
for pid=2217 comm="ruby" src=18683
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

That looks to be it for the Foreman process on my system (Foreman 1.1,
RHEL 6.4, x86_64, sqlite). I've done a simple build but haven't used
compute resources, which probably requires some work too.

Puppet under Passenger looks like it's a problem. I'm seeing a number
of AVCs as it's running in the httpd_t domain: RHBZ#848939 tracks this
for Fedora.

Thanks Sam, I look forward to this working! Can you let us know when
the source is up, it'd be good to read + send patches.

This is compiled module. Can we see the source?

>> Hi,
>>
>> I've been working on a SElinux policy - it's ready for testing. Given the lack of testing outside of my local environments, I wouldn't recommend running this in a production environment yet - there will almost certainly be edge cases I haven't caught.
>>
>> There's support for all three major database engines and it assumes you're running under Passenger.
>>
>> Here is how to test it out:
>>
>> 1. Ensure selinux is enforcing (run getenforce if you're unsure)
>> 2. wget http://skottler.fedorapeople.org/foreman/selinux/foreman.pp
>> 3. semodule -i foreman.pp
> /me dusts off his SELinux skills
Thanks for testing!

> So looking first at the file context regexes it's added:
>
> Should config files be labelled as logs? Maybe etc_t or a dedicated type?
>
> /etc/foreman(/.*)? all files
> system_u:object_r:httpd_foreman_script_log_t:s0
I don't think the configuration should be labelled as a log. etc_t seems
fine, but it might make sense to create foreman_config_t. Completely
open to ideas on that front.

>
> What paths should this be matching?
>
> foreman regular file
> system_u:object_r:httpd_foreman_script_exec_t:s0
>
> I'm getting an AVC from the "Passenger ApplicationSpawner:
> /usr/share/foreman" process trying to write to my sqlite database:
>
> type=AVC msg=audit(1362590838.549:39197): avc: denied { write } for
> pid=2093 comm="ruby" name="production.sqlite3" dev=dm-0 ino=521782
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
I can't reproduce this on RHEL 6.4 - is there anything special about
your environment? Are you using /usr/share/foreman for your installation?

>
> I guess it should be labelled something other than var_lib_t, but what?
var_lib_t seemed to be the closest thing to reasonable, but in
retrospect that probably isn't true

Let me think on this and dig around to find how others are doing it.
>
> There are also labelling issues with the ~foreman/tmp/cache area being
> shared between cron jobs and the webapp:
>
> -rw-r–r--. foreman foreman system_u:object_r:cron_var_run_t:s0
> /usr/share/foreman/tmp/cache/AF7/A20/default_puppet_environment
> -rw-r–r--. foreman foreman system_u:object_r:cron_var_run_t:s0
> /usr/share/foreman/tmp/cache/C1B/080/update_environment_from_facts
>
> type=AVC msg=audit(1362591644.778:39250): avc: denied { read } for
> pid=2217 comm="ruby" name="ignore_puppet_facts_for_provisioning"
> dev=dm-0 ino=526592 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file
> type=AVC msg=audit(1362591644.789:39251): avc: denied { unlink } for
> pid=2217 comm="ruby" name="ignore_puppet_facts_for_provisioning"
> dev=dm-0 ino=526592 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:cron_var_run_t:s0 tclass=file
Fixed. I also included a fix for a few other rake-related issues.
>
> There's a UDP binding here, which I suspect is Foreman trying to query
> the authoritative DNS servers:
>
> type=AVC msg=audit(1362591697.977:39260): avc: denied { name_bind }
> for pid=2217 comm="ruby" src=18683
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Just fixed this. Good catch.
>
> That looks to be it for the Foreman process on my system (Foreman 1.1,
> RHEL 6.4, x86_64, sqlite). I've done a simple build but haven't used
> compute resources, which probably requires some work too.
We spoke about this on IRC, but I tested with ovirt and openstack, but
I'd love to get libvirt tested as well.
>
> Puppet under Passenger looks like it's a problem. I'm seeing a number
> of AVCs as it's running in the httpd_t domain: RHBZ#848939 tracks this
> for Fedora.
I've come across this, too.

>
> Thanks Sam, I look forward to this working! Can you let us know when
> the source is up, it'd be good to read + send patches.
>
Thanks again Dom!

-Sam

Yes, I'll be submitting a pull request tonight.

>>> Hi,
>>>
>>> I've been working on a SElinux policy - it's ready for testing. Given the lack of testing outside of my local environments, I wouldn't recommend running this in a production environment yet - there will almost certainly be edge cases I haven't caught.
>>>
>>> There's support for all three major database engines and it assumes you're running under Passenger.
>>>
>>> Here is how to test it out:
>>>
>>> 1. Ensure selinux is enforcing (run getenforce if you're unsure)
>>> 2. wget http://skottler.fedorapeople.org/foreman/selinux/foreman.pp
>>> 3. semodule -i foreman.pp
>> /me dusts off his SELinux skills
> Thanks for testing!
>
>> So looking first at the file context regexes it's added:
>>
>> Should config files be labelled as logs? Maybe etc_t or a dedicated type?
>>
>> /etc/foreman(/.*)? all files
>> system_u:object_r:httpd_foreman_script_log_t:s0
> I don't think the configuration should be labelled as a log. etc_t seems
> fine, but it might make sense to create foreman_config_t. Completely
> open to ideas on that front.

I agree with foreman_config_t.

>> What paths should this be matching?
>>
>> foreman regular file
>> system_u:object_r:httpd_foreman_script_exec_t:s0

Any thoughts on that - what's httpd_foreman_script_exec_t used for?

>> I'm getting an AVC from the "Passenger ApplicationSpawner:
>> /usr/share/foreman" process trying to write to my sqlite database:
>>
>> type=AVC msg=audit(1362590838.549:39197): avc: denied { write } for
>> pid=2093 comm="ruby" name="production.sqlite3" dev=dm-0 ino=521782
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
> I can't reproduce this on RHEL 6.4 - is there anything special about
> your environment? Are you using /usr/share/foreman for your installation?

There are special things, but hopefully this isn't one of them

It's a package install, so /usr/share/foreman/db is a symlink to
/var/lib/foreman/db. I don't see any rules permitting httpd_t write
access to var_lib_t files:

sesearch --allow -s httpd_t -t var_lib_t

Found 7 semantic av rules:
allow httpd_t var_lib_t : file { ioctl read getattr lock open } ;
allow httpd_t var_lib_t : dir { ioctl read write getattr lock
add_name remove_name search open } ;
^^ only directories here
allow httpd_t var_lib_t : lnk_file { read getattr } ;
allow httpd_t file_type : filesystem getattr ;
allow daemon var_lib_t : dir { getattr search open } ;
allow httpd_t var_lib_t : dir { getattr search open } ;
allow httpd_t var_lib_t : dir { getattr search open } ;

>> I guess it should be labelled something other than var_lib_t, but what?
> var_lib_t seemed to be the closest thing to reasonable, but in
> retrospect that probably isn't true
>
> Let me think on this and dig around to find how others are doing it.

Yeah, I think a new type would help for labelling the database and then
httpd_t can be given access to it (rather than all of var_lib_t).

>> That looks to be it for the Foreman process on my system (Foreman 1.1,
>> RHEL 6.4, x86_64, sqlite). I've done a simple build but haven't used
>> compute resources, which probably requires some work too.
> We spoke about this on IRC, but I tested with ovirt and openstack, but
> I'd love to get libvirt tested as well.

Here's a denial using libvirt over SSH:

type=AVC msg=audit(1362644172.651:53): avc: denied { name_connect }
for pid=2204 comm="ssh" dest=22 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket

I didn't see anything when launching an EC2 instance, was expecting
another ssh_port_t as above.

Cheers,

I've submitted a pull request - https://github.com/theforeman/foreman/pull/462/ and a new version of the module is available at http://skottler.fedorapeople.org/foreman/selinux/foreman_03072013.pp.

This pull request incorporates nearly all the changes we spoke about in this thread. The one thing I didn't include is the issue with UDP because I can't recreate it. Dom, if you have the entry from the audit log that'd be greatly appreciated.

Anyhow, let me know if you have any questions.

-Sam

>>>> Hi,
>>>>
>>>> I've been working on a SElinux policy - it's ready for testing. Given the lack of testing outside of my local environments, I wouldn't recommend running this in a production environment yet - there will almost certainly be edge cases I haven't caught.
>>>>
>>>> There's support for all three major database engines and it assumes you're running under Passenger.
>>>>
>>>> Here is how to test it out:
>>>>
>>>> 1. Ensure selinux is enforcing (run getenforce if you're unsure)
>>>> 2. wget http://skottler.fedorapeople.org/foreman/selinux/foreman.pp
>>>> 3. semodule -i foreman.pp
>>> /me dusts off his SELinux skills
>> Thanks for testing!
>>
>>> So looking first at the file context regexes it's added:
>>>
>>> Should config files be labelled as logs? Maybe etc_t or a dedicated type?
>>>
>>> /etc/foreman(/.*)? all files
>>> system_u:object_r:httpd_foreman_script_log_t:s0
>> I don't think the configuration should be labelled as a log. etc_t seems
>> fine, but it might make sense to create foreman_config_t. Completely
>> open to ideas on that front.
> I agree with foreman_config_t.
>
>>> What paths should this be matching?
>>>
>>> foreman regular file
>>> system_u:object_r:httpd_foreman_script_exec_t:s0
> Any thoughts on that - what's httpd_foreman_script_exec_t used for?

It's the public/ directory and its parent (/usr/share/foreman) where the
app code is stored.

>
>>> I'm getting an AVC from the "Passenger ApplicationSpawner:
>>> /usr/share/foreman" process trying to write to my sqlite database:
>>>
>>> type=AVC msg=audit(1362590838.549:39197): avc: denied { write } for
>>> pid=2093 comm="ruby" name="production.sqlite3" dev=dm-0 ino=521782
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>> I can't reproduce this on RHEL 6.4 - is there anything special about
>> your environment? Are you using /usr/share/foreman for your installation?
> There are special things, but hopefully this isn't one of them
>
> It's a package install, so /usr/share/foreman/db is a symlink to
> /var/lib/foreman/db. I don't see any rules permitting httpd_t write
> access to var_lib_t files:

Ah so my environment is the odd one since I didn't have a symlink.
I'll fix this for both cases.

>
> # sesearch --allow -s httpd_t -t var_lib_t
> Found 7 semantic av rules:
> allow httpd_t var_lib_t : file { ioctl read getattr lock open } ;
> allow httpd_t var_lib_t : dir { ioctl read write getattr lock
> add_name remove_name search open } ;
> ^^ only directories here
> allow httpd_t var_lib_t : lnk_file { read getattr } ;
> allow httpd_t file_type : filesystem getattr ;
> allow daemon var_lib_t : dir { getattr search open } ;
> allow httpd_t var_lib_t : dir { getattr search open } ;
> allow httpd_t var_lib_t : dir { getattr search open } ;
>
>>> I guess it should be labelled something other than var_lib_t, but what?
>> var_lib_t seemed to be the closest thing to reasonable, but in
>> retrospect that probably isn't true
>>
>> Let me think on this and dig around to find how others are doing it.
> Yeah, I think a new type would help for labelling the database and then
> httpd_t can be given access to it (rather than all of var_lib_t).
>
Agreed.

>>> That looks to be it for the Foreman process on my system (Foreman 1.1,
>>> RHEL 6.4, x86_64, sqlite). I've done a simple build but haven't used
>>> compute resources, which probably requires some work too.
>> We spoke about this on IRC, but I tested with ovirt and openstack, but
>> I'd love to get libvirt tested as well.
> Here's a denial using libvirt over SSH:
>
> type=AVC msg=audit(1362644172.651:53): avc: denied { name_connect }
> for pid=2204 comm="ssh" dest=22 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
>
> I didn't see anything when launching an EC2 instance, was expecting
> another ssh_port_t as above.

That's odd. I'll setup a libvirt test environment to recreate this problem.

I think that it is not good to add selinux in one huge commit.

This way I could not find (by git blame, git show) why this (randomly
picked) line was added:
allow passenger_t usr_t:dir { write add_name };
?

I would like to see each line (or block of few lines) added in separate
commit. With explanation eg.
mod_passanger tries to write to /foo/bar, which is needed by barbar.
with "denied" lines from audit.log, which you are addressing.

Simply pipe audit.log through audit2allow is not good. Because you
really may not allow some action and just dontaudit them.

And with one huge commit review could not be done. Unless I try to
create the policy from scratch too and compare it with your version.

>>>> What paths should this be matching?
>>>>
>>>> foreman regular file
>>>> system_u:object_r:httpd_foreman_script_exec_t:s0
>> Any thoughts on that - what's httpd_foreman_script_exec_t used for?
>
> It's the public/ directory and its parent (/usr/share/foreman) where the
> app code is stored.

The path probably needs fixing then, it's just a file called "foreman"
at the moment.

>>
>>>> I'm getting an AVC from the "Passenger ApplicationSpawner:
>>>> /usr/share/foreman" process trying to write to my sqlite database:
>>>>
>>>> type=AVC msg=audit(1362590838.549:39197): avc: denied { write } for
>>>> pid=2093 comm="ruby" name="production.sqlite3" dev=dm-0 ino=521782
>>>> scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
>>> I can't reproduce this on RHEL 6.4 - is there anything special about
>>> your environment? Are you using /usr/share/foreman for your installation?
>> There are special things, but hopefully this isn't one of them
>>
>> It's a package install, so /usr/share/foreman/db is a symlink to
>> /var/lib/foreman/db. I don't see any rules permitting httpd_t write
>> access to var_lib_t files:
>
> Ah so my environment is the odd one since I didn't have a symlink.
> I'll fix this for both cases.

It'll need a file context rule too, so it's correctly labelled.

>> Anyhow, let me know if you have any questions.
>
> I think that it is not good to add selinux in one huge commit.

To be honest I don't see the benefit of doing this in several pull
requests. It's going to make getting it working and shipped even more
complex. Getting stuff committed to core is already painstaking and this
would make it even more so. It's not a very long pull request.

>
> This way I could not find (by git blame, git show) why this (randomly
> picked) line was added:
> allow passenger_t usr_t:dir { write add_name };
> ?
>
> I would like to see each line (or block of few lines) added in
> separate commit. With explanation eg.
> mod_passanger tries to write to /foo/bar, which is needed by barbar.
> with "denied" lines from audit.log, which you are addressing.

This will take a lot of time and effort. I don't see any benefit to the
incredible amount of added complexity.

>
> Simply pipe audit.log through audit2allow is not good. Because you
> really may not allow some action and just dontaudit them.

You can see in this conversation that just going through the audit log
isn't what happened.

>
> And with one huge commit review could not be done. Unless I try to
> create the policy from scratch too and compare it with your version.

It's not a "huge" commit; it's 143 lines total. The type enforcement
file is 80 lines. That's completely reasonable to review in a single PR.

I did not meant several PR, but several commits. And all of them can be
in one PR.

Even still, not sure I see the benefit for the amount of time it'll take.

Ohad/Dominic/Greg - any opinion on this?

I can't review the PR itself, as I have no SELinux experience. However,
from a purely operational viewpoint, we have squashed, reviewed, and
committed far, far larger patches with no trouble. Therefore, I cannot see
any benefit to the extra work proposed. If there are problems thrown up by
the review or by later usage, then obviously new commits don't need to be
rebased, but otherwise I'm not in favour of creating more work for small
returns.

Greg

I see where Miroslav's coming from, it's very useful to know the origin
of some of the rules (having just reviewed the PR :)).

I'd be happy with some more comments in the policy really, just to
understand the reasoning behind them or in the case of stuff from
audit2allow rules, some PR comments so we know what triggered it. There
were a few fairly liberal rules in the middle of the policy, and it's
that kind of thing we need to understand the heritage of well so they
don't compromise the overall system policy.