Help us testing foreman proxy SELinux policy in 1.8 release

Hello,

in the Foreman 1.8 release (or nightly builds) we ship SELinux policy
for smart-proxy. It is not installed by default as we would like to test
it more before enabling it for everyone.

If you want to help us test the policy, feel free to install and
enable it by installing a package and restarting the proxy:

yum install foreman-proxy-selinux

service foreman-proxy restart

The proxy process should run in its own domain from that moment:

ps axuZ | grep proxy

system_u:system_r:foreman_proxy_t:s0 foreman+ …

The policy itself is modular, just like the proxy itself. By default all
"modules" (or "features") are turned on. You can fine-tune this setting
with SELinux booleans:

semanage boolean -l | grep foreman_proxy

foreman_proxy_manage_puppetca (on , on) Allow foreman to proxy manage puppetca
foreman_proxy_use_sudo (on , on) Allow foreman to proxy use sudo
foreman_proxy_manage_dhcp_generic (on , on) Allow foreman to proxy manage dhcp generic
foreman_proxy_manage_puppet (on , on) Allow foreman to proxy manage puppet
foreman_proxy_manage_tftp (on , on) Allow foreman to proxy manage tftp
foreman_proxy_manage_dhcp_isc (on , on) Allow foreman to proxy manage dhcp isc
foreman_proxy_manage_dns_nsupdate (on , on) Allow foreman to proxy manage dns nsupdate

To disable the policy, just uninstall the package and restart the daemon
again. If you encounter problems, you can easily switch the particular
process to permissive mode and keep it running to collect denials, which
you can send to us:

semanage permissive -a foreman_proxy_t

To enable or disable proxy policy without uninstalling the package, you
can use:

foreman-proxy-selinux-enable

foreman-proxy-selinux-disable

Please report all issues in our tracker:

http://projects.theforeman.org/projects/selinux/issues/new

Remember to report denials (ausearch -m avc) and describe all proxy
configuration you made (attach /etc/foreman-proxy). You can use the
foreman-debug tool to upload a debug tarball and attach its name to the
ticket, which is the best approach.

Thank you for all your valuable input. Our goal is to create a rock-solid
and secure platform together!

--
Later,
Lukas #lzap Zapletal
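As an added illustration of the testing steps in the announcement above (this is example code, not part of the post or of the foreman-proxy-selinux package): a small POSIX shell helper that parses the output of the three commands a tester runs, `ps axuZ`, `semanage boolean -l` and `ausearch -m avc`, confirms that the proxy is labelled foreman_proxy_t, prints the current and default value of each foreman_proxy boolean, and collapses AVC denials into "source type, target type, class, permissions" lines with counts, which is the form worth pasting into the tracker. The sample process lines and audit records embedded below are constructed to match the usual field layout, not captured from a real host; only the `--live` branch calls the real tools.

```shell
#!/bin/sh
# Added example (not from the original post or the foreman-selinux project):
# parse the output of ps axuZ, semanage boolean -l and ausearch -m avc so a
# tester can confirm the proxy domain, list booleans and summarise denials.
# Sample data below is constructed; run with --live on a real host to use
# the actual tools.

# Print the SELinux type (third field of the security context) of one `ps axuZ` line.
context_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Read `ps axuZ` output on stdin; succeed when a foreman-proxy process runs as foreman_proxy_t.
proxy_in_domain() {
    awk '/foreman-proxy/ { split($1, c, ":"); if (c[3] == "foreman_proxy_t") found = 1 }
         END { exit found ? 0 : 1 }'
}

# Print "current default" for one `semanage boolean -l` line, e.g.
# "foreman_proxy_use_sudo (on , on) Allow foreman to proxy use sudo" -> "on on".
boolean_state() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z0-9_]* *(\([a-z]*\) *, *\([a-z]*\)).*/\1 \2/p'
}

# Read audit records on stdin; for every AVC denial print
# "source_type target_type class perm[,perm...]" (non-AVC records are skipped).
avc_summary() {
    awk '/avc: +denied/ {
        perms = ""; inperm = 0; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print src, tgt, cls, perms
    }'
}

# Collapse repeated denials into counts, most frequent first.
denial_report() {
    avc_summary | sort | uniq -c | sort -rn
}

# --- constructed sample data (assumed field layout, not captured from a real host) ---
SAMPLE_PS='system_u:system_r:foreman_proxy_t:s0 foreman+ 2231 0.2 1.5 412000 61000 ? Ssl 09:05 0:01 ruby /usr/share/foreman-proxy/bin/smart-proxy
system_u:system_r:unconfined_service_t:s0 root 1042 0.0 0.1 22000 4000 ? Ss 09:00 0:00 /usr/sbin/sshd'
SAMPLE_AUDIT='type=AVC msg=audit(1432820000.101:301): avc:  denied  { write } for  pid=2231 comm="ruby" name="puppetca" dev="dm-0" ino=4101 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1432820000.101:301): arch=c000003e syscall=2 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1432820000.102:302): avc:  denied  { read open } for  pid=2231 comm="ruby" path="/etc/puppet/puppet.conf" dev="dm-0" ino=4102 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1432820000.103:303): avc:  denied  { write } for  pid=2231 comm="ruby" name="puppetca" dev="dm-0" ino=4101 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# Run the same checks against the real tools on a host with the policy installed.
live_check() {
    ps axuZ | proxy_in_domain && echo "foreman-proxy runs in foreman_proxy_t" \
        || echo "WARNING: no foreman-proxy process labelled foreman_proxy_t"
    semanage boolean -l | grep foreman_proxy | while read -r line; do
        printf '%-36s %s\n' "${line%% *}" "$(boolean_state "$line")"
    done
    ausearch -m avc -ts today 2>/dev/null | denial_report
}

case "${1:-}" in
    --live) live_check ;;
    *) printf '%s\n' "$SAMPLE_PS" | proxy_in_domain && echo "sample: proxy in foreman_proxy_t"
       printf '%s\n' "$SAMPLE_AUDIT" | denial_report ;;
esac
```

Without arguments the script only exercises the parsers on the constructed data; `sh check-proxy-selinux.sh --live` (hypothetical file name) runs the real `ps`, `semanage` and `ausearch` commands. The summary deliberately drops pids, inodes and paths so that the same denial repeated many times collapses into one counted line; the full `ausearch -m avc` output still belongs in the ticket as the announcement asks.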

I can open a new issue, but I think it might be beneficial to describe my
configuration a little first: our puppet/foreman configuration is such
that the Puppetmaster and Foreman each run on their own servers. We are
only using foreman-proxy to manage the puppetmaster and puppetca, since
we're not using Foreman for provisioning (unattended: false).

On the puppetmasters, selinux was preventing passenger from functioning
properly. Because of this, up until Foreman 1.8, I have been re-packaging
the foreman-selinux package to remove the foreman dependency (rebranding it
foreman-selinux-nodeps) and installing that on my foreman-proxy servers.
With the introduction of a foreman-proxy-selinux package, I was hoping that
I would no longer need to repackage the foreman-selinux package.

Unfortunately, the "allow passenger to run puppetmaster" and similar
directives out of the foreman-selinux package did not go into
foreman-proxy-selinux. Instead of continuing the practice of rebranding the
-nodeps package, I pulled out the relevant directives from foreman-selinux
and created a fork that I install along-side the foreman-proxy-selinux
module. The fork was also useful because, for performance reasons, we now
run foreman-proxy under passenger rather than webrick.

I've attached my .fc and .te files that make up my
foreman-proxy-selinux-fork module. You'll note that it's mostly a
copy/paste from the foreman-selinux policy, with a couple notable
exceptions:
- I renamed all the foreman_ types to foreman_proxy_
- I added "passenger_run_foreman_proxy"
- I created a foreman_proxy_var_cache_t type
- I added an "iptables_exec(passenger_t)" directive

Using both foreman-proxy-selinux and foreman-proxy-selinux-fork, I'm able
to run everything with no denials on 1.8.1. I have not upgraded production
yet, but it's going well on my test instances so far.

foreman-proxy-selinux-fork.fc (912 Bytes)

foreman-proxy-selinux-fork.te (3.49 KB)

On Thursday, May 28, 2015 at 9:04:44 AM UTC-4, Lukas Zapletal wrote:
> [...]

Hello,

If I understand this correctly, moving the puppetmaster-passenger rules from
foreman-selinux to foreman-proxy-selinux would do the trick for you? In
that case, please go ahead with a PR for this.

The only drawback is that by default our installer configures the
PM with passenger, but we still do not install/enable the
foreman-proxy-selinux package. We can move the rules only if we do this by
default.

--
Later,
Lukas #lzap Zapletal