Upcoming changes in Fedora rawhide selinux policy

Hello,

I am working with SELinux guys on some changes in puppet policies. The
policy was simplified, puppet agent policy was dropped and puppetmaster
policy was improved. The master domain is now named puppet_t instead of
puppetmaster_t.

https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b

These changes are being made in Fedora Rawhide (therefore Fedora 21+).
New update is coming soon to Rawhide, feel free to try it out.

Note these (big) changes will not be backported to RHEL6. But we will
have a RHEL6 build of the new policy so we can test it and use it in our
deployments as well.

I will ask you to test the new RHEL6 build soon. Please help us test the
new policy on various setups, which will eventually result in a more
reliable and secure way of hardening the puppet master daemon.

Thanks

-- 
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

Hello,

as promised, I have a RHEL6 build of refactored puppet master policy.
Here is how to test it:

wget -m -np http://lzap.fedorapeople.org/temp/selinux-puppet/
cd lzap.fedorapeople.org/temp/selinux-puppet/
yum -y install *rpm
tail -f /var/log/audit/audit.log | grep AVC

Please help me test the new policy; the sooner we find issues with it
the better. I know that our community prefers RHEL6/CentOS6 for
production instances, therefore I asked for this build so we can test on
real data.

Give it a try, run puppet/puppetca/puppetmaster/foreman for a while and
monitor AVC denials. Report them directly to me by email.

I'd appreciate any testing, on your preproduction, testing or production
environments. To put things back, you just need to downgrade the
selinux-policy rpms and relabel the whole system, just in case.

Thanks!

LZ

On Mon, Mar 24, 2014 at 01:49:25PM +0100, Lukas Zapletal wrote:


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman
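To make the "monitor AVC denials and report them" step above repeatable, here is an added shell example (not part of the original post) that collapses the raw `tail -f /var/log/audit/audit.log | grep AVC` stream into one line per distinct denial with a count; the audit lines, PIDs and inode numbers in the sample are constructed, not a real capture.

```shell
#!/bin/sh
# Constructed sample of what `grep AVC /var/log/audit/audit.log` prints on
# RHEL6 (not a real capture): Passenger's `ps` hitting proc/sysfs, the
# master in puppet_t writing under its config dir, and a USER_AVC notice.
SAMPLE_AVC='type=AVC msg=audit(1395924000.101:4501): avc:  denied  { read } for  pid=2301 comm="ps" name="stat" dev=proc ino=4026531975 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1395924000.102:4502): avc:  denied  { read } for  pid=2301 comm="ps" name="meminfo" dev=proc ino=4026531981 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1395924000.103:4503): avc:  denied  { search } for  pid=2305 comm="ps" name="sys" dev=sysfs ino=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1395924000.200:4504): avc:  denied  { write } for  pid=2410 comm="puppetmasterd" name="ssl" dev=dm-0 ino=131090 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=USER_AVC msg=audit(1395924000.300:4505): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=avc: received policyload notice (seq=5)
type=AVC msg=audit(1395924000.400:4506): avc:  denied  { write } for  pid=2410 comm="puppetmasterd" name="ssl" dev=dm-0 ino=131090 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir'

# Read audit lines on stdin; print "<count> <src domain> <target type> <class>
# <permission> <comm>" once per distinct denial, so a report has no duplicates.
summarize_avc() {
  awk '
    /^type=AVC / && / denied / {
      # the permissions are the words between the braces: { read write }
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      comm = "-"
      if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
      src = "?"; tgt = "?"; cls = "?"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # source type
        if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }  # target type
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[src " " tgt " " cls " " p[j] " " comm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k2
}

# Keep only denials whose source domain is $1 (e.g. puppet_t).
denials_for_domain() { summarize_avc | awk -v d="$1" '$2 == d'; }

# Usage on the constructed sample; on a test box pipe the real log instead.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Feed it `grep AVC /var/log/audit/audit.log` after a run of puppet/puppetca/puppetmaster/foreman, and `denials_for_domain puppet_t` isolates what the new master domain is missing from what Passenger itself is missing.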

> Hello,
>
> as promised, I have a RHEL6 build of refactored puppet master policy.
> Here is how to test it:
>
> wget -m -np http://lzap.fedorapeople.org/temp/selinux-puppet/
> cd lzap.fedorapeople.org/temp/selinux-puppet/
> yum -y install *rpm
> tail -f /var/log/audit/audit.log | grep AVC
>
> Please help me testing the new policy, the sooner we find issues with it
> the better. I know that our community prefers RHEL6/CentOS6 for
> production instances, therefore I asked for this build so we can test on
> real data.
>
> Give it a try, run puppet/puppetca/puppetmaster/foreman for a while and
> monitor AVC denials. Report them directly to me by email.

The main thing I notice is that the policy still has issues with
Passenger 4 calling 'ps', using sysfs etc. I'll try and gather some
more exact details around this.

>> I am working with SELinux guys on some changes in puppet policies. The
>> policy was simplified, puppet agent policy was dropped and puppetmaster
>> policy was improved. The master domain is now named puppet_t instead of
>> puppetmaster_t.
>>
>> https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b

This commit looks backwards to me. My understanding of the change we're
looking for is that:

  1. Puppet agents become unconfined, or a very liberal domain
  2. Puppet masters (previously puppetmaster_t) are renamed puppet_t
  3. A /usr/sbin/start-puppet-master script can transition from
    puppet_exec_t into puppet_t, which we can use with the PassengerRuby
    setting.
  4. /etc/init.d/puppetmaster transitions to puppet_t

While I appreciate the commit is against rawhide, it all looks like
Puppet agent policy that is applied to puppet_t (the master).

https://git.fedorahosted.org/cgit/selinux-policy.git/tree/puppet.te?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b#n109

The commit seems to have removed all of the Puppet master policy and
instead, we now have a Puppet master with all the rights of the agent.

https://git.fedorahosted.org/cgit/selinux-policy.git/diff/puppet.te?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b
(bottom of this page, "Puppet master personal policy")

I'll continue to look at this next week.

Cheers,

On 26/03/14 15:36, Lukas Zapletal wrote:


Dominic Cleal
Red Hat Engineering

> The main thing I notice is that the policy still has issues with
> Passenger 4 calling 'ps', using sysfs etc. I'll try and gather some
> more exact details around this.

We have a patch for that; does it work for you?

> This commit looks backwards to me. My understanding of the change we're
> looking for is that:
>
> 1. Puppet agents become unconfined, or a very liberal domain
> 2. Puppet masters (previously puppetmaster_t) are renamed puppet_t
> 3. A /usr/sbin/start-puppet-master script can transition from
> puppet_exec_t into puppet_t, which we can use with the PassengerRuby
> setting.
> 4. /etc/init.d/puppetmaster transitions to puppet_t

Yes

> While I appreciate the commit is against rawhide, it all looks like
> Puppet agent policy that is applied to puppet_t (the master).

Yeah, we need to clear those out.

> The commit seems to have removed all of the Puppet master policy and
> instead, we now have a Puppet master with all the rights of the agent.

Well, these were "copies" and the patch really looks like these were
removed, but if you look at the file itself, you should see them there.
Those were duplicates.

I can see that puppet (agent) is now ending in puppet_t which is wrong.
We only want puppet agent there via the wrapper. We need to fix that.

The rename looks correct to me; I mean it is done via "typealias".

Let me communicate that with SELinux guys and improve the next build.

-- 
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

>> The main thing I notice is that the policy still has issues with
>> Passenger 4 calling 'ps', using sysfs etc. I'll try and gather some
>> more exact details around this.
>
> We have patch for that, does it work for you?

We have it in foreman-selinux, which works, but I was testing the base
OS policy only.

>> This commit looks backwards to me. My understanding of the change we're
>> looking for is that:
>>
>> 1. Puppet agents become unconfined, or a very liberal domain
>> 2. Puppet masters (previously puppetmaster_t) are renamed puppet_t
>> 3. A /usr/sbin/start-puppet-master script can transition from
>> puppet_exec_t into puppet_t, which we can use with the PassengerRuby
>> setting.
>> 4. /etc/init.d/puppetmaster transitions to puppet_t
>
> Yes
>
>> While I appreciate the commit is against rawhide, it all looks like
>> Puppet agent policy that is applied to puppet_t (the master).
>
> Yeah, we need to clear those out.
>
>> The commit seems to have removed all of the Puppet master policy and
>> instead, we now have a Puppet master with all the rights of the agent.
>
> Well, these were "copies" and the patch really looks like these were
> removed, but if you look on the file itself, you should see them there.
> Those were duplicates.

I don't see it:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/puppet.te?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b

The "Puppet personal policy" appears to be an agent policy, as it's
permitting access to everything from the RPM DB to SELinux boolean
setting, to managing etc_t.

> I can see that puppet (agent) is now ending in puppet_t which is wrong.
> We only want puppet agent there via the wrapper. We need to fix that.

s/puppet agent/puppet master/

I don't think /usr/bin/puppet should be labelled as puppet_exec_t, only
the wrapper.

On 01/04/14 13:01, Lukas Zapletal wrote:


Dominic Cleal
Red Hat Engineering

> We have it in foreman-selinux, which works, but I was testing the base
> OS policy only.

Yeah, passenger is a different story.

> I don't see it:
> https://git.fedorahosted.org/cgit/selinux-policy.git/tree/puppet.te?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b
>
> The "Puppet personal policy" appears to be an agent policy, as it's
> permitting access to everything from the RPM DB to SELinux boolean
> setting, to managing etc_t.

Hmmm right, I will talk to them.

> > I can see that puppet (agent) is now ending in puppet_t which is wrong.
> > We only want puppet agent there via the wrapper. We need to fix that.
>
> s/puppet agent/puppet master/
>
> I don't think /usr/bin/puppet should be labelled as puppet_exec_t, only
> the wrapper.

Yes.

-- 
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman