Bug #7019

Could not upload inventory when SELinux is enabled

Added by Alexis MOUSSET over 5 years ago. Updated over 5 years ago.

Status:
Released
Priority:
N/A
Category:
System integration
Target version:
Severity:
User visibility:
Effort required:
Priority:

Description

Rudder 3.1.0, CentOS 7:

2015-07-21T11:54:47+0000    error: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Finished command related to promiser '/var/rudder/inventories' -- an error occurred, returned 22
2015-07-21T11:54:47+0000    error: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Transformer '/var/rudder/inventories/server-root.ocs' => '/usr/bin/curl -k -f -s --proxy '' --user rudder:rudder -T /var/rudder/inventories/server-root.ocs https://127.0.0.1/inventory-updates/' returned error
2015-07-21T11:54:47+0000    error: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Finished command related to promiser '/var/rudder/inventories' -- an error occurred, returned 22
2015-07-21T11:54:47+0000    error: /default/doInventory/methods/'any'/default/sendInventory/files/'/var/rudder/inventories'[0]: Transformer '/var/rudder/inventories/server-root.ocs.sign' => '/usr/bin/curl -k -f -s --proxy '' --user rudder:rudder -T /var/rudder/inventories/server-root.ocs.sign https://127.0.0.1/inventory-updates/' returned error

The request returns a 403, and works after a setenforce 0.


Subtasks

Bug #7051: rudder-webapp.fc is not copied in the builddir (Released, Matthieu CERDA, 2015-07-30)
Bug #7076: Broken SELinux packaging (Released, Matthieu CERDA, 2015-08-07)
Bug #7083: Broken SELinux packaging in ncf-api-virtualenv (Rejected, Matthieu CERDA, 2015-08-07)
Bug #7088: Unable to build ncf-api-virtualenv since rudderdir does not exist in spec (Released, Matthieu CERDA, 2015-08-10)
Bug #7089: ncf-api-virtualenv package does not create its own 'share/selinux' directory (Released, Matthieu CERDA, 2015-08-10)
Bug #7090: Wrong build directory when building selinux policy for ncf-api-virtualenv (Released, Matthieu CERDA, 2015-08-10)

Related issues

Related to Rudder - Bug #7021: When SELinux is enabled, the ncf-api-venv home is owned by root (Released, Matthieu CERDA, 2015-07-21)
#1

Updated by Alexis MOUSSET over 5 years ago

  • Subject changed from Could not upload inventory when SELinux is enbaled to Could not upload inventory when SELinux is enabled
#2

Updated by Alexis MOUSSET over 5 years ago

In audit.log:

type=AVC msg=audit(1437480952.366:1982): avc:  denied  { write } for  pid=15973 comm="httpd" name="accepted-nodes-updates" dev="dm-1" ino=68976571 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1437480952.579:1983): avc:  denied  { write } for  pid=3189 comm="httpd" name="accepted-nodes-updates" dev="dm-1" ino=68976571 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
#3

Updated by Alexis MOUSSET over 5 years ago

  • Related to Bug #7021: When SELinux is enabled, the ncf-api-venv home is owned by root added
#4

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from New to In progress

Adding the httpd_sys_rw_content_t context to the directories receiving inventories in /var/rudder/inventories fixes the issue.

#5

Updated by Alexis MOUSSET over 5 years ago

The rudder-webapp package contains:

chcon -R --type=httpd_sys_content_t /var/rudder/inventories/incoming
chcon -R --type=httpd_sys_content_t /var/rudder/inventories/accepted-nodes-updates

but httpd_sys_content_t is read-only, and chcon changes are temporary.

There is an example of file context packaging on the Fedora wiki.

#6

Updated by Alexis MOUSSET over 5 years ago

  • Assignee set to Alexis MOUSSET
#7

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from In progress to Discussion
  • Assignee changed from Alexis MOUSSET to Matthieu CERDA

Using semanage would add a new dependency (policycoreutils-python). We could also split the selinux-related code into a subpackage to keep it optional, or keep chcon (which does not survive a file system relabel or restorecon).

Matthieu, what do you think is the best option?

#8

Updated by Matthieu CERDA over 5 years ago

  • Assignee changed from Matthieu CERDA to Alexis MOUSSET

I would:
  • fix the chcon first, to get an immediate fix
  • see if we can adjust rudder-packages/rudder-webapp/SOURCES/rudder-webapp.te to declare this directory permissions, and just trigger a restorecon in the package postinst to automatically apply the right perms on it :)

Does it look like a good idea to you?

#9

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from Discussion to In progress

I found it is also possible to add a .fc file defining file contexts, and it is clearly the right way to do it.
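As an added example (not code from this ticket or from the rudder-packages repository), the POSIX shell script below ties together the AVC denials quoted in comment #2 and the context fix discussed in comments #5 to #9. It reduces the raw audit lines to the denied permission plus source type, target type, object class and name; maps the read-only httpd_sys_content_t to its writable counterpart httpd_sys_rw_content_t; renders the equivalent file-context rules in .fc syntax for the two inventory directories named in comment #5; and prints (or, when called with the argument apply, runs) the semanage fcontext / restorecon pair that is the persistent, non-packaged alternative to chcon. The sample audit lines are copied from the ticket; the function names, the restriction to those two directories and the one-entry type mapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Rudder ticket or its packaging: from AVC
# denials to a persistent SELinux file-context rule. Function names, the
# directory list and the type mapping are assumptions for illustration.

# Constructed sample: the two audit.log lines quoted in comment #2.
SAMPLE_AVC='type=AVC msg=audit(1437480952.366:1982): avc:  denied  { write } for  pid=15973 comm="httpd" name="accepted-nodes-updates" dev="dm-1" ino=68976571 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1437480952.579:1983): avc:  denied  { write } for  pid=3189 comm="httpd" name="accepted-nodes-updates" dev="dm-1" ino=68976571 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# summarize_avc: read AVC lines on stdin and print one line per distinct
# denial as "perm source_type target_type class name". The type is the
# third field of the security context (user:role:type:level).
summarize_avc() {
  awk '
    /avc: +denied/ {
      perm=""; st=""; tt=""; cl=""; nm="";
      if (match($0, /[{] [^}]* [}]/)) perm=substr($0, RSTART+2, RLENGTH-4);
      for (i=1; i<=NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); st=a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tt=a[3] }
        if ($i ~ /^tclass=/)   { cl=substr($i, 8) }
        if ($i ~ /^name=/)     { nm=$i; sub(/^name="/, "", nm); sub(/"$/, "", nm) }
      }
      print perm, st, tt, cl, nm
    }' | sort -u
}

# rw_type_for: writable counterpart of a read-only httpd content type.
# Only the mapping this ticket needs is listed; unknown types pass through.
rw_type_for() {
  case "$1" in
    httpd_sys_content_t) echo httpd_sys_rw_content_t ;;
    *) echo "$1" ;;
  esac
}

# fc_rule: one line in refpolicy .fc syntax (the file comment #9 refers to),
# covering the directory itself and everything below it.
fc_rule() {
  printf '%s(/.*)?\tgen_context(system_u:object_r:%s,s0)\n' "$1" "$2"
}

# render_fc: the .fc body for the two directories from comment #5, labelled
# with the given type.
render_fc() {
  fc_rule /var/rudder/inventories/incoming "$1"
  fc_rule /var/rudder/inventories/accepted-nodes-updates "$1"
}

# apply_context: persistent equivalent outside of a policy package, using
# semanage (policycoreutils-python, as comment #7 notes) so the label survives
# a relabel, then restorecon to apply it. Prints the commands unless $1 is
# "apply", in which case it runs them.
apply_context() {
  mode=$1; type=$2
  for d in /var/rudder/inventories/incoming /var/rudder/inventories/accepted-nodes-updates; do
    if [ "$mode" = apply ]; then
      semanage fcontext -a -t "$type" "$d(/.*)?" && restorecon -Rv "$d"
    else
      printf "semanage fcontext -a -t %s '%s(/.*)?'\nrestorecon -Rv %s\n" "$type" "$d" "$d"
    fi
  done
}

# Stand-alone demo: summarize the denials, derive the writable type,
# print the .fc body and the equivalent commands without running them.
denied=$(printf '%s\n' "$SAMPLE_AVC" | summarize_avc)
echo "$denied"
target_type=$(rw_type_for "$(echo "$denied" | awk 'NR==1 {print $3}')")
render_fc "$target_type"
apply_context print "$target_type"
```

Run with no arguments to see the summarized denial, the two .fc rules and the semanage/restorecon commands; the .fc rules are what a file such as the rudder-webapp.fc named in subtask #7051 would carry next to the .te module, so that the restorecon triggered at package install applies them.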

#10

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis MOUSSET to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/719
#11

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
#13

Updated by François ARMAND over 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.1 which was released today.
