Bug #7021
closed
When SELinux is enabled, the ncf-api-venv home is owned by root
Description
    type=AVC msg=audit(1437489622.784:688): avc: denied { setattr } for pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
    type=SYSCALL msg=audit(1437489622.784:688): arch=c000003e syscall=92 success=no exit=-13 a0=7fff598f08e6 a1=3e5 a2=3e4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(1437489622.784:689): avc: denied { setattr } for pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
    type=SYSCALL msg=audit(1437489622.784:689): arch=c000003e syscall=90 success=no exit=-13 a0=7fff598f08e6 a1=1c0 a2=0 a3=3f items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
    type=ADD_USER msg=audit(1437489622.784:690): pid=4835 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=997 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
    type=AVC msg=audit(1437489622.784:691): avc: denied { create } for pid=4835 comm="useradd" name=".bash_logout" scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
    type=SYSCALL msg=audit(1437489622.784:691): arch=c000003e syscall=2 success=no exit=-13 a0=7fa36fbb9c90 a1=241 a2=1a4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
Updated by Alexis Mousset over 9 years ago
    # ls -ahl /var/lib/ncf-api-venv/
    total 4.0K
    d---------.  2 root root    6 Jul 21 14:40 .
    drwxr-xr-x. 29 root root 4.0K Jul 21 14:40 ..
When SELinux is disabled:
    # ls -ahl /var/lib/ncf-api-venv/
    total 20K
    drwx------.  2 ncf-api-venv ncf-api-venv   72 Jul 21 14:36 .
    drwxr-xr-x. 29 root         root         4.0K Jul 21 14:36 ..
    -rw-r--r--.  1 ncf-api-venv ncf-api-venv   18 Jun 10  2014 .bash_logout
    -rw-r--r--.  1 ncf-api-venv ncf-api-venv  193 Jun 10  2014 .bash_profile
    -rw-r--r--.  1 ncf-api-venv ncf-api-venv  231 Jun 10  2014 .bashrc
    -rw-r--r--.  1 ncf-api-venv ncf-api-venv  658 Mar 26 13:18 .zshrc
Updated by Alexis Mousset over 9 years ago
- Related to Bug #7019: Could not upload inventory when SELinux is enabled added
Updated by Alexis Mousset over 9 years ago
audit2allow gives:
    module rudder-ncf 1.0;

    require {
        type useradd_t;
        type var_lib_t;
        class dir setattr;
    }

    #============= useradd_t ==============
    allow useradd_t var_lib_t:dir setattr;
which allows useradd to change file attributes in /var/lib.
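Added example, not part of the ticket or of Rudder's code: a small parser that reduces the AVC records from the description to type-level allow rules, so a reviewer can compare them with the audit2allow output and see which rules target a generic label such as var_lib_t. The function names and the GENERIC_TYPES set are assumptions of this sketch.

```python
import re
from collections import defaultdict

# AVC records copied from the description (SYSCALL and ADD_USER records omitted).
_CTX = ("scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 "
        "tcontext=system_u:object_r:var_lib_t:s0 ")
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1437489622.784:688): avc: denied { setattr } for pid=4835 '
    'comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 ' + _CTX + "tclass=dir",
    'type=AVC msg=audit(1437489622.784:689): avc: denied { setattr } for pid=4835 '
    'comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 ' + _CTX + "tclass=dir",
    'type=AVC msg=audit(1437489622.784:691): avc: denied { create } for pid=4835 '
    'comm="useradd" name=".bash_logout" ' + _CTX + "tclass=file",
])

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<body>.*?)"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

# Assumption of this example: labels shared by many unrelated paths, worth a second look.
GENERIC_TYPES = {"var_lib_t", "var_t", "usr_t", "etc_t", "tmp_t"}

def summarize_denials(log_text):
    """Group denials by (source type, target type, object class)."""
    out = defaultdict(lambda: {"perms": set(), "names": set(), "count": 0})
    for m in AVC_RE.finditer(log_text):
        # The type is the third field of a user:role:type:level context.
        key = (m["src"].split(":")[2], m["tgt"].split(":")[2], m["cls"])
        entry = out[key]
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
        name = re.search(r'\bname="([^"]*)"', m["body"])
        entry["names"].update([name.group(1)] if name else [])
    return dict(out)

def allow_rules(summary):
    """Render the grouped denials as type-enforcement allow rules."""
    rules = []
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = sorted(entry["perms"])
        perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_s};")
    return rules

def generic_targets(summary):
    """Keys whose target type is generic, so a rule reaches beyond the named object."""
    return sorted(k for k in summary if k[1] in GENERIC_TYPES)

if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    print(allow_rules(summary), generic_targets(summary))
```

The `names` set in each group records which objects triggered the denials, which is the information lost once a rule is written against the type alone.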
Updated by Alexis Mousset over 9 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset over 9 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/725
Updated by Alexis Mousset over 9 years ago
- Assignee changed from Benoît PECCATTE to Matthieu CERDA
Updated by Vincent MEMBRÉ over 9 years ago
- Status changed from Pending technical review to Pending release
Updated by Alexis Mousset over 9 years ago
- % Done changed from 0 to 100
Applied in changeset rudder-packages|5d63f900b4a56ac4c608888026771864781666c6.
Updated by Matthieu CERDA over 9 years ago
Applied in changeset rudder-packages|619d7aa165e169abff37293b46db0bdcea32e1ed.
Updated by François ARMAND over 9 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.1 which was released today.
- Announcement 3.1
- Changelog 3.1
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/