Bug #7021

When SELinux is enabled, the ncf-api-venv home is owned by root

Added by Alexis MOUSSET over 5 years ago. Updated over 5 years ago.

Status: Released
Priority: N/A
Assignee: Matthieu CERDA
Category: System integration

Description

type=AVC msg=audit(1437489622.784:688): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1437489622.784:688): arch=c000003e syscall=92 success=no exit=-13 a0=7fff598f08e6 a1=3e5 a2=3e4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1437489622.784:689): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1437489622.784:689): arch=c000003e syscall=90 success=no exit=-13 a0=7fff598f08e6 a1=1c0 a2=0 a3=3f items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1437489622.784:690): pid=4835 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=997 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1437489622.784:691): avc:  denied  { create } for  pid=4835 comm="useradd" name=".bash_logout" scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1437489622.784:691): arch=c000003e syscall=2 success=no exit=-13 a0=7fa36fbb9c90 a1=241 a2=1a4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

Related issues

Related to Rudder - Bug #7019: Could not upload inventory when SELinux is enabled (Released, Benoît PECCATTE, 2015-07-30)

#1

Updated by Alexis MOUSSET over 5 years ago

# ls -ahl /var/lib/ncf-api-venv/
total 4.0K
d---------.  2 root root    6 Jul 21 14:40 .
drwxr-xr-x. 29 root root 4.0K Jul 21 14:40 ..

When SELinux is disabled:

# ls -ahl /var/lib/ncf-api-venv/
total 20K
drwx------.  2 ncf-api-venv ncf-api-venv   72 Jul 21 14:36 .
drwxr-xr-x. 29 root         root         4.0K Jul 21 14:36 ..
-rw-r--r--.  1 ncf-api-venv ncf-api-venv   18 Jun 10  2014 .bash_logout
-rw-r--r--.  1 ncf-api-venv ncf-api-venv  193 Jun 10  2014 .bash_profile
-rw-r--r--.  1 ncf-api-venv ncf-api-venv  231 Jun 10  2014 .bashrc
-rw-r--r--.  1 ncf-api-venv ncf-api-venv  658 Mar 26 13:18 .zshrc

#2

Updated by Alexis MOUSSET over 5 years ago

  • Related to Bug #7019: Could not upload inventory when SELinux is enabled added

#3

Updated by Alexis MOUSSET over 5 years ago

audit2allow gives:

module rudder-ncf 1.0;

require {
    type useradd_t;
    type var_lib_t;
    class dir setattr;
}

#============= useradd_t ==============
allow useradd_t var_lib_t:dir setattr;

which allows useradd to change file attributes in /var/lib.
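
As an added illustration (it is not part of this ticket nor of the Rudder project's code), the Python below parses AVC records like the ones in the description above and regenerates the kind of `allow` rule that audit2allow printed in note 3, so a reviewer can see exactly which source type, target type, class and permissions a proposed rule would grant. Because it also consumes the `.bash_logout` `create` denial, it emits a second rule (`file create`) that the note's output does not show. It further flags that the target type `var_lib_t` is the generic label of /var/lib, so a rule against it covers every object carrying that label, not only the venv home. The audit lines are copied from this report; the set of generic types is an illustrative assumption, not a list taken from the policy.

```python
import re
from collections import defaultdict

# Audit records copied from the ticket description above (one SYSCALL record is
# included to show that non-AVC lines are ignored by the parser).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1437489622.784:688): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1437489622.784:688): arch=c000003e syscall=92 success=no exit=-13 a0=7fff598f08e6 a1=3e5 a2=3e4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1437489622.784:689): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1437489622.784:691): avc:  denied  { create } for  pid=4835 comm="useradd" name=".bash_logout" scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

# Matches the fixed prefix of an AVC record and captures the permission set and the
# trailing key=value fields (scontext, tcontext, tclass, comm, name, ...).
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Illustrative (not exhaustive) set of generic file labels, an assumption of this
# example: a rule targeting one of these reaches every object carrying the label,
# not just the single directory named in the denial.
GENERIC_TARGET_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "tmp_t"}


def _type_of(context):
    """The SELinux type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": _type_of(fields["scontext"]),
        "ttype": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def denials(log_text):
    """All denied AVC records in the log, in order of appearance."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["verdict"] == "denied"]


def _fmt_perms(perms):
    """Single permission bare, several in braces, as policy source expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(records):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    by_key = defaultdict(set)
    for r in records:
        by_key[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return sorted(f"allow {s} {t}:{c} {_fmt_perms(p)};" for (s, t, c), p in by_key.items())


def broad_targets(records):
    """Target types in the denials that are generic labels (see GENERIC_TARGET_TYPES)."""
    return sorted({r["ttype"] for r in records if r["ttype"] in GENERIC_TARGET_TYPES})


def render_module(name, records):
    """Render policy module source in the layout audit2allow -m prints."""
    types = sorted({r["stype"] for r in records} | {r["ttype"] for r in records})
    classes = defaultdict(set)
    for r in records:
        classes[r["tclass"]].update(r["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {_fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(records)
    return "\n".join(out)


if __name__ == "__main__":
    found = denials(SAMPLE_AUDIT_LOG)
    print(render_module("rudder-ncf", found))
    for t in broad_targets(found):
        print(f"# note: {t} is a generic label; the rule applies to every object labelled {t}")
```

Run against the audit log of a real host (`ausearch -m AVC` output works unchanged), the generated rules can be compared line by line with what audit2allow proposes, and any rule whose target shows up in `broad_targets` deserves a second look before it is shipped in a package.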

#4

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis MOUSSET

#5

Updated by Alexis MOUSSET over 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis MOUSSET to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/725

#6

Updated by Alexis MOUSSET over 5 years ago

  • Assignee changed from Benoît PECCATTE to Matthieu CERDA

#7

Updated by Vincent MEMBRÉ over 5 years ago

  • Status changed from Pending technical review to Pending release

#8

Updated by Alexis MOUSSET over 5 years ago

  • % Done changed from 0 to 100

#9

Updated by Matthieu CERDA over 5 years ago

#10

Updated by François ARMAND over 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.1, which was released today.