Bug #19764
Updated by Alexis Mousset over 3 years ago
RHEL8:
<pre>
drwxr-x---. 2 root rudder system_u:object_r:var_t:s0 140 Aug 12 09:08 .
drwxr-xr-x. 4 root root system_u:object_r:var_t:s0 30 Aug 12 08:57 ..
-rw-r--r--. 1 root root system_u:object_r:var_t:s0 0 Aug 12 08:35 .placeholder
-rw-rw----. 1 root rudder system_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 09:08 allnodescerts.pem
-rw-r-----. 1 root root unconfined_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 08:57 nodescerts.pem
lrwxrwxrwx. 1 root root unconfined_u:object_r:var_t:s0 8 Aug 12 09:03 policy_server.pem -> root.pem
-rw-------. 1 root root unconfined_u:object_r:var_t:s0 53 Aug 12 09:01 policy_server_hash
-rw-------. 1 root root unconfined_u:object_r:var_t:s0 2.0K Aug 12 09:03 root.pem
</pre>

Debian 10:
<pre>
drwxr-x--- 2 root rudder 4.0K Aug 12 10:00 .
drwxr-xr-x 4 root root 4.0K Aug 12 09:51 ..
-rw-r--r-- 1 root root 0 Nov 22 2017 .placeholder
-rw-rw---- 1 root rudder 2.0K Aug 12 09:55 allnodescerts.pem
-rw-r----- 1 root root 2.0K Aug 12 09:55 nodescerts.pem
lrwxrwxrwx 1 root root 8 Aug 12 09:55 policy_server.pem -> root.pem
-rw------- 1 root root 53 Aug 12 09:54 policy_server_hash
-rw------- 1 root root 2.0K Aug 12 10:00 root.pem
</pre>

We need @rudder-relayd@ (part of the @rudder@ group) to be able to read @root.pem@ and @policy_server.pem@, which also need to have the @rudder_relayd_var_lib_t@ context.

Contexts in the policy are:
<pre>
/var/rudder/lib/ssl/allnodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/nodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/root.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/policy_server.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
</pre>

* @allnodescerts.pem@ is written directly by the webapp; it needs to be readable by @rudder-relayd@.
* @nodescerts.pem@ is copied and perms are set with @permissions("${nodes_certs}", "640", "root", "0")@. It needs to be readable by @httpd@ and (since 7.0) @rudder-relayd@.
* @root.pem@ and @policy_server.pem@ (introduced in 7.0) are copied by the agent and perms are set with @permissions_dirs("${g.rudder_var}/lib/ssl/", "640", "root", "rudder")@. They need to be readable by @rudder-relayd@.
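A check that encodes the requirement stated in the comment above (group-readable by @rudder@ and labelled @rudder_relayd_var_lib_t@), added here as an example and not part of Rudder or of the report. It reads an @ls -laZ@ listing of @/var/rudder/lib/ssl/@; the listing embedded below is a constructed sample in the RHEL8 format, and the function names are assumed.

```sh
# Added example, not Rudder's own code: flag files in an "ls -laZ" listing of
# /var/rudder/lib/ssl/ that rudder-relayd (in group "rudder") could not read:
# group read bit missing, group other than "rudder", or SELinux type other
# than rudder_relayd_var_lib_t. SAMPLE is a constructed listing in the RHEL8
# format from the report; on a real host pipe `ls -laZ /var/rudder/lib/ssl/` in.
SAMPLE='-rw-rw----. 1 root rudder system_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 09:08 allnodescerts.pem
-rw-r-----. 1 root root unconfined_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 08:57 nodescerts.pem
lrwxrwxrwx. 1 root root unconfined_u:object_r:var_t:s0 8 Aug 12 09:03 policy_server.pem -> root.pem
-rw-------. 1 root root unconfined_u:object_r:var_t:s0 2.0K Aug 12 09:03 root.pem'

# check_line "<ls -laZ line>": prints "ok NAME" or "BAD NAME: reasons";
# returns 0 only when every requirement holds.
check_line() {
    set -- $1                  # fields: mode links owner group ctx size mon day time name
    mode=$1 group=$4 ctx=$5
    shift 9; name=$*
    reason=""
    case "$mode" in            # 5th character of the mode string is the group read bit
        ????r*) ;;
        *) reason="$reason not-group-readable" ;;
    esac
    [ "$group" = "rudder" ] || reason="$reason group=$group"
    case "$ctx" in
        *:rudder_relayd_var_lib_t:*) ;;
        *) reason="$reason context=$ctx" ;;
    esac
    if [ -z "$reason" ]; then
        echo "ok $name"; return 0
    fi
    echo "BAD $name:$reason"; return 1
}

# check_listing: apply check_line to every regular file on stdin. Symlinks such
# as policy_server.pem -> root.pem are skipped here; reading goes through the
# target file, which is checked on its own line. Returns 1 if any file failed.
check_listing() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            -*) check_line "$line" || rc=1 ;;
        esac
    done
    return $rc
}

printf '%s\n' "$SAMPLE" | check_listing || echo "some files are not readable by rudder-relayd"
```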