I am working with SELinux guys on some changes in puppet policies. The
policy was simplified, puppet agent policy was dropped and puppetmaster
policy was improved. The master domain is now named puppet_t instead of
puppetmaster_t.
These changes are being made in Fedora Rawhide (therefore Fedora 21+).
New update is coming soon to Rawhide, feel free to try it out.
Note these (big) changes will not be backported to RHEL6. But we will
have a RHEL6 build of the new policy so we can test it and use it in our
deployments as well.
I will ask you to test the new RHEL6 build soon. Please help us to test
the new policy on various setups, which will eventually result in a more
reliable and secure way of hardening the puppet master daemon.
Please help me test the new policy; the sooner we find issues with it
the better. I know that our community prefers RHEL6/CentOS6 for
production instances, therefore I asked for this build so we can test on real data.
Give it a try, run puppet/puppetca/puppetmaster/foreman for a while and
monitor AVC denials. Report them directly to me by email.
I'd appreciate any testing, on your preproduction, testing or production
environments. To put things back, you just need to downgrade the
selinux-policy rpms and relabel the whole system, just in case.
Thanks!
LZ
On Mon, Mar 24, 2014 at 01:49:25PM +0100, Lukas Zapletal wrote:
> Hello,
>
> I am working with SELinux guys on some changes in puppet policies. The
> policy was simplified, puppet agent policy was dropped and puppetmaster
> policy was improved. The master domain is now named puppet_t instead of
> puppetmaster_t.
>
> https://git.fedorahosted.org/cgit/selinux-policy.git/commit/?h=master_contrib&id=e0215adfc69e5a139920189c4796bcefea5b8b8b
>
> These changes are being made in Fedora Rawhide (therefore Fedora 21+).
> New update is coming soon to Rawhide, feel free to try it out.
>
> Note these (big) changes will not be backported to RHEL6. But we will
> have a RHEL6 build of the new policy so we can test it and use it in our
> deployments as well.
>
> I will ask you to test the new RHEL6 build soon. Please help us to test
> the new policy on various setups, which will eventually result in a more
> reliable and secure way of hardening the puppet master daemon.
>
> Thanks
>
> --
> Later,
>
> Lukas "lzap" Zapletal
> irc: lzap #theforeman
>
> Hello,
>
> as promised, I have a RHEL6 build of refactored puppet master policy.
> Here is how to test it:
>
> wget -m -np http://lzap.fedorapeople.org/temp/selinux-puppet/
> cd lzap.fedorapeople.org/temp/selinux-puppet/
> yum -y install *rpm
> tail -f /var/log/audit/audit.log | grep AVC
>
> Please help me test the new policy; the sooner we find issues with it
> the better. I know that our community prefers RHEL6/CentOS6 for
> production instances, therefore I asked for this build so we can test on
> real data.
>
> Give it a try, run puppet/puppetca/puppetmaster/foreman for a while and
> monitor AVC denials. Report them directly to me by email.
The main thing I notice is that the policy still has issues with
Passenger 4 calling 'ps', using sysfs etc. I'll try and gather some
more exact details around this.
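A small helper for the `tail -f /var/log/audit/audit.log | grep AVC` step in the quoted instructions, written as an added example that is not from the thread or from the selinux-policy project: it parses AVC records, keeps only denials whose source domain is `puppet_t`, and counts them by command, target type, class and permission, so repeated denials like Passenger's `ps` and sysfs accesses show up once with a count instead of scrolling past. The audit log lines and the function names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample audit.log content (not real denials from the thread);
# it mimics the Passenger 'ps' / sysfs denials the reply above describes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1395664185.123:456): avc:  denied  { execute } for  pid=2201 comm="ruby" name="ps" dev=sda1 ino=1001 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1395664185.124:457): avc:  denied  { read } for  pid=2201 comm="ruby" name="meminfo" dev=proc ino=4026532018 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(1395664186.001:458): avc:  denied  { read open } for  pid=2201 comm="ruby" name="online" dev=sysfs ino=55 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1395664187.500:459): avc:  denied  { execute } for  pid=2202 comm="ruby" name="ps" dev=sda1 ino=1001 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1395664188.000:460): avc:  denied  { write } for  pid=3000 comm="httpd" name="foo" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=USER_AVC msg=audit(1395664189.000:461): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# Kernel AVC record: the permission set is in braces, the source and target
# contexts are user:role:type:level, so the type is the third colon-separated field.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)'
    r'.*?\btcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of a denied kernel AVC record, or None for any other line."""
    m = AVC_RE.match(line)
    if not m or m.group("action") != "denied":
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))  # "{ read open }" -> ("open", "read")
    return rec


def summarize_denials(log_text, domain="puppet_t"):
    """Count denials for one source domain, keyed by (comm, target type, tclass, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["stype"] != domain:
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for (comm, ttype, tclass, perm), n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(f"{n:4d}  puppet_t {comm!r} -> {ttype} ({tclass}) {perm}")
```

On a real host, replace `SAMPLE_AUDIT_LOG` with the contents of `/var/log/audit/audit.log` and feed the grouped entries to `audit2allow` only after deciding each one is a policy gap rather than a misbehaving process.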
> The main thing I notice is that the policy still has issues with
> Passenger 4 calling 'ps', using sysfs etc. I'll try and gather some
> more exact details around this.
We have a patch for that, does it work for you?
> This commit looks backwards to me. My understanding of the change we're
> looking for is that:
>
> 1. Puppet agents become unconfined, or a very liberal domain
> 2. Puppet masters (previously puppetmaster_t) are renamed puppet_t
> 3. A /usr/sbin/start-puppet-master script can transition from
> puppet_exec_t into puppet_t, which we can use with the PassengerRuby
> setting.
> 4. /etc/init.d/puppetmaster transitions to puppet_t
Yes
> While I appreciate the commit is against rawhide, it all looks like
> Puppet agent policy that is applied to puppet_t (the master).
Yeah, we need to clear those out.
> The commit seems to have removed all of the Puppet master policy and
> instead, we now have a Puppet master with all the rights of the agent.
Well, these were "copies" and the patch really looks like these were
removed, but if you look on the file itself, you should see them there.
Those were duplicates.
I can see that puppet (agent) is now ending in puppet_t which is wrong.
We only want puppet agent there via the wrapper. We need to fix that.
Rename looks correct to me, I mean it is via "typealias".
Let me communicate that with SELinux guys and improve the next build.
>> The main thing I notice is that the policy still has issues with
>> Passenger 4 calling 'ps', using sysfs etc. I'll try and gather some
>> more exact details around this.
>
> We have a patch for that, does it work for you?
We have it in foreman-selinux, which works, but I was testing the base
OS policy only.
>> This commit looks backwards to me. My understanding of the change we're
>> looking for is that:
>>
>> 1. Puppet agents become unconfined, or a very liberal domain
>> 2. Puppet masters (previously puppetmaster_t) are renamed puppet_t
>> 3. A /usr/sbin/start-puppet-master script can transition from
>> puppet_exec_t into puppet_t, which we can use with the PassengerRuby
>> setting.
>> 4. /etc/init.d/puppetmaster transitions to puppet_t
>
> Yes
>
>> While I appreciate the commit is against rawhide, it all looks like
>> Puppet agent policy that is applied to puppet_t (the master).
>
> Yeah, we need to clear those out.
>
>> The commit seems to have removed all of the Puppet master policy and
>> instead, we now have a Puppet master with all the rights of the agent.
>
> Well, these were "copies" and the patch really looks like these were
> removed, but if you look on the file itself, you should see them there.
> Those were duplicates.
The "Puppet personal policy" appears to be an agent policy, as it's
permitting access to everything from the RPM DB to SELinux boolean
setting, to managing etc_t.
> I can see that puppet (agent) is now ending in puppet_t which is wrong.
> We only want puppet agent there via the wrapper. We need to fix that.
s/puppet agent/puppet master/
I don't think /usr/bin/puppet should be labelled as puppet_exec_t, only
the wrapper.
> > I can see that puppet (agent) is now ending in puppet_t which is wrong.
> > We only want puppet agent there via the wrapper. We need to fix that.
>
> s/puppet agent/puppet master/
>
> I don't think /usr/bin/puppet should be labelled as puppet_exec_t, only
> the wrapper.