User story #2882
closedUser story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance
Rudder should be SELinux compliant
Description
On CentOS/RHEL system, SELinux is activated by default and prevent Rudder to be used with error about Apache proxy like #2839 . A solution seem to use this command:
setsebool -P httpd_can_network_connect=1
Updated by Matthieu CERDA over 12 years ago
To be more precise, this command enables apache to initiate connections to the outsite world. By default, it can not in SELinux enforce mode (default), which prevents it from connecting to the Rudder application server (Jetty).
Updated by Jonathan CLARKE over 12 years ago
Matthieu CERDA wrote:
To be more precise, this command enables apache to initiate connections to the outsite world. By default, it can not in SELinux enforce mode (default), which prevents it from connecting to the Rudder application server (Jetty).
That's a bit weird, since jetty is not in the outside world, but on localhost. Is there not an intermediate restriction we could use instead?
Updated by Matthieu CERDA over 12 years ago
Well, here is what the man page says, from httpd_selinux(8):
SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on. setsebool -P httpd_can_network_connect 1
But seeing the naming conventions used by this booleans, I suppose it just prevents apache from using the connect() function. Thus, even local connections fail. But sadly it looks there is nothing more "fine grained".
Updated by Jonathan CLARKE over 12 years ago
Matthieu CERDA wrote:
Well, here is what the man page says, from httpd_selinux(8):
[...]
But seeing the naming conventions used by this booleans, I suppose it just prevents apache from using the connect() function. Thus, even local connections fail. But sadly it looks there is nothing more "fine grained".
You'll find an example here that allows to do a more fine grained approach:
http://serverfault.com/questions/329355/issues-with-proxypass-and-proxypassreverse-when-proxying-to-localhost-and-a-diff
Updated by Jonathan CLARKE over 12 years ago
- Target version changed from 2.4.0~rc1 to 2.4.0~rc2
Updated by Nicolas PERRON over 12 years ago
- Target version changed from 2.4.0~rc2 to 2.4.0~rc1
Updated by Nicolas PERRON about 12 years ago
- Target version changed from 2.4.0~rc1 to 2.4.0~rc2
This ticket have to be postponed to 2.4.0~rc2
Updated by Nicolas PERRON about 12 years ago
- Target version changed from 2.4.0~rc2 to 2.4.0
Updated by Nicolas PERRON about 12 years ago
- Target version changed from 2.4.0 to 61
Updated by François ARMAND about 12 years ago
- Target version changed from 61 to 2.4.2
Updated by Nicolas PERRON almost 12 years ago
- Target version changed from 2.4.2 to 2.4.3
Updated by Matthieu CERDA almost 12 years ago
- Target version changed from 2.4.3 to 2.4.4
Updated by Nicolas PERRON almost 12 years ago
- Project changed from Rudder to 34
- Category deleted (
11)
Updated by Nicolas PERRON almost 12 years ago
- Target version changed from 2.4.4 to 2.4.5
Updated by Nicolas PERRON over 11 years ago
- Target version changed from 2.4.5 to 2.4.6
Updated by Nicolas PERRON over 11 years ago
- Target version changed from 2.4.6 to 2.4.7
Updated by Nicolas PERRON over 11 years ago
- Assignee deleted (
Nicolas PERRON) - Target version changed from 2.4.7 to 2.7.0~rc1
The priority is low and I've not working on this issue then I should not have been assigned on it. Furthermore, it should be made on branch 2.7 or 2.8, not 2.4.
Updated by Nicolas PERRON over 11 years ago
- Status changed from New to 8
- Target version changed from 2.7.0~rc1 to Ideas (not version specific)
Updated by Jean Remond about 11 years ago
After trying to install rudder 2.8.0rc2 on Centos 6.4 SELinux is blocking access on local port 8080 as mentionned in this bug.
After using audit2allow (from policycoreutils-python), the policy should be something like :
module httpd-rudder 1.0;
require {
type httpd_t;
type http_cache_port_t;
class tcp_socket name_connect;
}
#============= httpd_t ==============
allow httpd_t http_cache_port_t:tcp_socket name_connect;
Some links I used :
http://wiki.centos.org/HowTos/SELinux
http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-port-contexts-and-handling-access-alerts/2463/
To add the policy to the package, this may be useful :
http://selinuxproject.org/page/RPM#Adding_Policy_to_an_RPM
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
http://unix.stackexchange.com/questions/16458/what-is-the-proper-way-to-set-selinux-context-in-an-rpm-spec
Updated by Benoît PECCATTE almost 10 years ago
- Project changed from 34 to Rudder
- Category set to Packaging
Updated by Benoît PECCATTE over 9 years ago
Slightly modified and commented policy.
But still missing the webdav part
module rudder 1.0; require { type httpd_t; type var_t; type http_cache_port_t; class tcp_socket name_connect; class file getattr; } #============= httpd_t ============== # Allow httpd daemon to access 8080:tcp via connect method allow httpd_t http_cache_port_t:tcp_socket name_connect;
Updated by François ARMAND over 9 years ago
- Assignee set to Benoît PECCATTE
- Target version changed from Ideas (not version specific) to 3.1.0~beta1
Updated by Matthieu CERDA over 9 years ago
- Status changed from New to In progress
- Assignee changed from Benoît PECCATTE to Matthieu CERDA
Let's package this policy, and then load it during post installation if not loaded yet:
if semodule -l => no match then semodule -i rudder-jetty.pp fi
Updated by Matthieu CERDA over 9 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Matthieu CERDA to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/643
Updated by Matthieu CERDA over 9 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|e09bdfa5ce68ff1e5b7ddbc301b27ce13294c837.
Updated by Benoît PECCATTE over 9 years ago
Applied in changeset rudder-packages|55569f4326f78b6d5a40a6cbb1ccdf9cc7a13a99.
Updated by Benoît PECCATTE over 9 years ago
- Parent task changed from #6363 to #6589
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.0~beta1 which were released today.
- Announcement 3.1
- Changelog 3.1
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/