Project

General

Profile

Actions

User story #2882

closed

User story #6589: Improve Rudder security in 3.1: Inventory signature and security, SELinux compliance

Rudder should be SELinux compliant

Added by Nicolas PERRON about 12 years ago. Updated over 9 years ago.

Status:
Released
Priority:
5 (lowest)
Category:
Packaging
Target version:
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

On CentOS/RHEL system, SELinux is activated by default and prevent Rudder to be used with error about Apache proxy like #2839 . A solution seem to use this command:

setsebool -P httpd_can_network_connect=1


Subtasks 10 (0 open10 closed)

Question #6467: What are the webdav directories used for ?ResolvedBenoît PECCATTE2015-04-07Actions
Architecture #6517: Authorize on SELinux directories used for webdav on the serverReleasedBenoît PECCATTE2015-04-17Actions
Bug #6556: rudder-webapp is using a wrong file in spec file for SELinux policyReleasedFrançois ARMAND2015-05-05Actions
Bug #6597: Rudder webapp postinst are not validReleasedBenoît PECCATTE2015-05-15Actions
Bug #6598: rudder selinux module is not workingReleasedBenoît PECCATTE2015-05-15Actions
Bug #6652: rudder-webapp SELinux-related BuildRequires are neither advertised nor usable on all systemsReleasedBenoît PECCATTE2015-05-21Actions
User story #6672: Remove packaging of rudder-webapp.pp on debianReleasedMatthieu CERDA2015-05-26Actions
Bug #6679: The SELinux compilation in rudder-webapp ties to use the wrong directory as a baseReleasedBenoît PECCATTE2015-05-28Actions
Bug #6681: rudder-webapp spec tries to copy rudder-webapp.pp from wrong directoryReleasedMatthieu CERDA2015-05-28Actions
Bug #6682: rudder-webapp spec tries to build rudder-webapp.pp even if he can'tReleasedMatthieu CERDA2015-05-29Actions

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #2839: Rudder 2.4.0~beta3 Webapp interface is still blocked on "Rudder loading" page on CentOS 6 64bitsReleasedNicolas PERRON2012-08-23Actions
Actions #1

Updated by Matthieu CERDA about 12 years ago

To be more precise, this command enables apache to initiate connections to the outsite world. By default, it can not in SELinux enforce mode (default), which prevents it from connecting to the Rudder application server (Jetty).

Actions #2

Updated by Jonathan CLARKE about 12 years ago

Matthieu CERDA wrote:

To be more precise, this command enables apache to initiate connections to the outsite world. By default, it can not in SELinux enforce mode (default), which prevents it from connecting to the Rudder application server (Jetty).

That's a bit weird, since jetty is not in the outside world, but on localhost. Is there not an intermediate restriction we could use instead?

Actions #3

Updated by Matthieu CERDA about 12 years ago

Well, here is what the man page says, from httpd_selinux(8):

SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from breaking into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.

setsebool -P httpd_can_network_connect 1

But seeing the naming conventions used by this booleans, I suppose it just prevents apache from using the connect() function. Thus, even local connections fail. But sadly it looks there is nothing more "fine grained".

Actions #4

Updated by Jonathan CLARKE about 12 years ago

Matthieu CERDA wrote:

Well, here is what the man page says, from httpd_selinux(8):

[...]

But seeing the naming conventions used by this booleans, I suppose it just prevents apache from using the connect() function. Thus, even local connections fail. But sadly it looks there is nothing more "fine grained".

You'll find an example here that allows to do a more fine grained approach:
http://serverfault.com/questions/329355/issues-with-proxypass-and-proxypassreverse-when-proxying-to-localhost-and-a-diff

Actions #5

Updated by Jonathan CLARKE about 12 years ago

  • Target version changed from 2.4.0~rc1 to 2.4.0~rc2
Actions #6

Updated by Jonathan CLARKE about 12 years ago

  • Priority changed from 2 to 4
Actions #7

Updated by Nicolas PERRON about 12 years ago

  • Target version changed from 2.4.0~rc2 to 2.4.0~rc1
Actions #8

Updated by Nicolas PERRON about 12 years ago

  • Target version changed from 2.4.0~rc1 to 2.4.0~rc2

This ticket have to be postponed to 2.4.0~rc2

Actions #9

Updated by Nicolas PERRON almost 12 years ago

  • Target version changed from 2.4.0~rc2 to 2.4.0
Actions #10

Updated by Nicolas PERRON almost 12 years ago

  • Target version changed from 2.4.0 to 61
Actions #11

Updated by François ARMAND almost 12 years ago

  • Target version changed from 61 to 2.4.2
Actions #12

Updated by Nicolas PERRON almost 12 years ago

  • Target version changed from 2.4.2 to 2.4.3
Actions #13

Updated by Matthieu CERDA almost 12 years ago

  • Target version changed from 2.4.3 to 2.4.4
Actions #14

Updated by Nicolas PERRON almost 12 years ago

  • Project changed from Rudder to 34
  • Category deleted (11)
Actions #15

Updated by Nicolas PERRON over 11 years ago

  • Target version changed from 2.4.4 to 2.4.5
Actions #16

Updated by Nicolas PERRON over 11 years ago

  • Target version changed from 2.4.5 to 2.4.6
Actions #17

Updated by Nicolas PERRON over 11 years ago

  • Target version changed from 2.4.6 to 2.4.7
Actions #18

Updated by Nicolas PERRON over 11 years ago

  • Assignee deleted (Nicolas PERRON)
  • Target version changed from 2.4.7 to 2.7.0~rc1

The priority is low and I've not working on this issue then I should not have been assigned on it. Furthermore, it should be made on branch 2.7 or 2.8, not 2.4.

Actions #19

Updated by Nicolas PERRON over 11 years ago

  • Status changed from New to 8
  • Target version changed from 2.7.0~rc1 to Ideas (not version specific)
Actions #20

Updated by Jean Remond about 11 years ago

After trying to install rudder 2.8.0rc2 on Centos 6.4 SELinux is blocking access on local port 8080 as mentionned in this bug.

After using audit2allow (from policycoreutils-python), the policy should be something like :
module httpd-rudder 1.0;

require {
type httpd_t;
type http_cache_port_t;
class tcp_socket name_connect;
}

#============= httpd_t ==============
allow httpd_t http_cache_port_t:tcp_socket name_connect;

Some links I used :
http://wiki.centos.org/HowTos/SELinux
http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-port-contexts-and-handling-access-alerts/2463/

To add the policy to the package, this may be useful :
http://selinuxproject.org/page/RPM#Adding_Policy_to_an_RPM
http://fedoraproject.org/wiki/SELinux_Policy_Modules_Packaging_Draft
http://unix.stackexchange.com/questions/16458/what-is-the-proper-way-to-set-selinux-context-in-an-rpm-spec

Actions #21

Updated by Matthieu CERDA over 10 years ago

  • Priority changed from 4 to 3
Actions #22

Updated by Benoît PECCATTE over 9 years ago

  • Project changed from 34 to Rudder
  • Category set to Packaging
Actions #23

Updated by Benoît PECCATTE over 9 years ago

  • Parent task set to #6363
Actions #24

Updated by Benoît PECCATTE over 9 years ago

Slightly modified and commented policy.
But still missing the webdav part

module rudder 1.0;

require {
        type httpd_t;
        type var_t;
        type http_cache_port_t;
        class tcp_socket name_connect;
        class file getattr;
}

#============= httpd_t ==============

# Allow httpd daemon to access 8080:tcp via connect method
allow httpd_t http_cache_port_t:tcp_socket name_connect;

Actions #25

Updated by Benoît PECCATTE over 9 years ago

  • Status changed from 8 to New
Actions #26

Updated by François ARMAND over 9 years ago

  • Assignee set to Benoît PECCATTE
  • Target version changed from Ideas (not version specific) to 3.1.0~beta1
Actions #27

Updated by Matthieu CERDA over 9 years ago

  • Status changed from New to In progress
  • Assignee changed from Benoît PECCATTE to Matthieu CERDA

Let's package this policy, and then load it during post installation if not loaded yet:

if semodule -l => no match
  then semodule -i rudder-jetty.pp
fi

Actions #28

Updated by Matthieu CERDA over 9 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Matthieu CERDA to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/643
Actions #29

Updated by Matthieu CERDA over 9 years ago

  • Status changed from Pending technical review to Pending release
Actions #31

Updated by Benoît PECCATTE over 9 years ago

  • Parent task changed from #6363 to #6589
Actions #32

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.0~beta1 which were released today.

Actions

Also available in: Atom PDF