The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #13308

mcollective/puppetd 2.7.11-2 & RHEL57 SELinux alert

Added by Stefan Heijmans about 2 years ago. Updated almost 2 years ago.

Status: Accepted
Start date: 03/21/2012
Priority: Normal
Due date:
Assignee: Matthaus Owens
% Done: 0%
Category: -
Target version: -
Affected Puppet version:
Branch: 2.7.11-2
Keywords:


Description

Hello,

We are running Puppet 2.7.11-2 on RHEL57 x86_64 with MCollective (on client and server). On the client:

# rpm -qa|grep -e puppet -e mcollective
mcollective-common-1.2.1-1.el5
puppet-2.7.11-2.el5
mcollective-1.2.1-1.el5
#

with kernel: Linux 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

and with SELinux enabled:

# facter|grep sel
selinux => true
selinux_config_mode => enforcing
selinux_config_policy => targeted
selinux_current_mode => enforcing
selinux_enforced => true
selinux_mode => targeted
selinux_policyversion => 21
#

In one of our manifests we set the password for some users. When we do a puppet run from the puppetmaster with the mcollective plugin puppetd ('mco puppetd --wi runonce') we get the following (reproducible) SELinux Alert:


Summary:
SELinux is preventing the nscd from using potentially mislabeled files
(/tmp/puppet.30676.0).
Detailed Description:
SELinux has denied nscd access to potentially mislabeled file(s)
(/tmp/puppet.30676.0). This means that SELinux will not allow nscd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.
Allowing Access:
If you want nscd to access this files, you need to relabel them using restorecon
-v '/tmp/puppet.30676.0'. You might want to relabel the entire directory using
restorecon -R -v '/tmp'.
Additional Information:
Source Context                system_u:system_r:nscd_t
Target Context                system_u:object_r:initrc_tmp_t
Target Objects                /tmp/puppet.30676.0 [ file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           nscd-2.5-65.el5_7.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     <hostname>
Platform                      Linux <hostname>
2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST
2012 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Mar 20 17:13:25 2012
Last Seen                     Tue Mar 20 17:13:25 2012
Local ID                      fdec3437-c40e-407e-ab3c-f998cf0a49f5
Line Numbers                  10078, 10079, 10080, 10082, 10083, 10084, 10085,
10086, 10087, 10089, 10090, 10091, 10092, 10093,
10094, 10096, 10097, 10098, 10099, 10100, 10101,
10103, 10104, 10105
Raw Audit Messages
type=AVC msg=audit(1332260005.415:16748): avc:  denied  { read write } for  pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13
scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc:  denied  { read write } for  pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13
scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59 success=yes exit=0 a0=40e9de a1=7fff4f96d120 a2=7fff4f96d150 a3=0 items=2
ppid=31024 pid=31028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd"
exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key="nscd_called-up"
type=CWD msg=audit(1332260005.415:16748): cwd="/"
type=PATH msg=audit(1332260005.415:16748): item=0 name="/usr/sbin/nscd" inode=721057 dev=fd:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:nscd_exec_t:s0
type=PATH msg=audit(1332260005.415:16748): item=1 name=(null) inode=196612 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0

The problem is that the temporary puppet file (/tmp/puppet.30676.0) gets the SELinux label initrc_tmp_t, which the nscd daemon is not allowed to access. nscd is off by default:

# chkconfig --list nscd
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# service nscd status
nscd is stopped
#

When we run puppet locally with 'puppet agent -t' we don't get the SELinux alert, as the temporary puppet file is then written with the tmp_t SELinux label.

I've talked with Red Hat support about it, and in the end they say the following about it:

As I had stated before, the 'puppet' software is not provided by Red Hat, and the SELinux rules required for the currently observed access are not available in Red Hat Enterprise Linux 5. The vendor of the software has to ensure that the software is built to adhere to the current SELinux policy rules available in Red Hat Enterprise Linux 5.

They also mention it is fixed in RHEL6 but that’s not an option (yet).

Does anyone have a fix for it on RHEL5?

Regards, Stefan
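The raw audit messages in the description can be triaged mechanically rather than by reading the sealert prose. The following is an added example (not part of this ticket, nor code from Puppet or MCollective), written in Python: it parses the AVC, SYSCALL and PATH records of one audit event, reduces the contexts to their SELinux types, and flags the pattern visible here, namely a file denial attached to a successful execve (syscall 59 on x86_64, arch=c000003e). Such a denial is not nscd opening the file itself; at exec the kernel re-checks every descriptor the new domain inherits from its parent and closes those it may not use, so the mislabeled file was opened by the parent (the puppet run) and merely inherited. The sample records are the ticket's own lines with the wrapped continuation halves re-joined; the field names, summary layout and the `report` function are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the raw audit records posted in the ticket, with each record's
# wrapped continuation line re-joined onto the line it belongs to.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1332260005.415:16748): avc:  denied  { read write } for  pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc:  denied  { read write } for  pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59 success=yes exit=0 a0=40e9de a1=7fff4f96d120 a2=7fff4f96d150 a3=0 items=2 ppid=31024 pid=31028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key="nscd_called-up"
type=CWD msg=audit(1332260005.415:16748): cwd="/"
type=PATH msg=audit(1332260005.415:16748): item=0 name="/usr/sbin/nscd" inode=721057 dev=fd:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nscd_exec_t:s0
type=PATH msg=audit(1332260005.415:16748): item=1 name=(null) inode=196612 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
"""

SYS_EXECVE_X86_64 = 59  # arch=c000003e is x86_64, where execve is syscall number 59

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Parse one audit record into its type, serial and key=value fields (None if not a record)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rec = {
        "type": m.group("type"),
        "serial": m.group("serial"),
        "fields": {k: v.strip('"') for k, v in KV_RE.findall(body)},
    }
    if rec["type"] == "AVC":
        rec["denied"] = " denied " in body
        perms = PERMS_RE.search(body)
        rec["perms"] = perms.group(1).split() if perms else []
    return rec


def group_events(text):
    """Group audit records by serial number; all records of one event share a serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return dict(events)


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize_event(records):
    """Reduce one event's records to the facts an analyst needs to triage the denial."""
    summary = {"denials": [], "paths": [], "syscall": None,
               "success": None, "exe": None, "inherited_fd_at_exec": False}
    for rec in records:
        f = rec["fields"]
        if rec["type"] == "AVC" and rec["denied"]:
            denial = (tuple(rec["perms"]), selinux_type(f.get("scontext", "")),
                      selinux_type(f.get("tcontext", "")), f.get("tclass"), f.get("path"))
            if denial not in summary["denials"]:  # the kernel logged this AVC twice
                summary["denials"].append(denial)
            if f.get("path") and f["path"] not in summary["paths"]:
                summary["paths"].append(f["path"])
        elif rec["type"] == "SYSCALL":
            summary["syscall"] = int(f["syscall"])
            summary["success"] = f.get("success") == "yes"
            summary["exe"] = f.get("exe")
    # A file denial attached to a *successful* execve is not the new program opening
    # the file: at exec the kernel re-checks every descriptor the new domain inherits
    # from its parent and closes those it may not use. The file was opened by the
    # parent (here the puppet run spawned via mcollective) and merely inherited, so
    # the parent's label, not nscd's policy, is what needs fixing.
    summary["inherited_fd_at_exec"] = (
        summary["syscall"] == SYS_EXECVE_X86_64
        and summary["success"] is True
        and any(d[3] == "file" for d in summary["denials"])
    )
    return summary


def report(text):
    """Render a one-line-per-denial triage report for every event in the audit text."""
    lines = []
    for serial, records in sorted(group_events(text).items()):
        s = summarize_event(records)
        for perms, src, tgt, tclass, path in s["denials"]:
            origin = "inherited fd at execve" if s["inherited_fd_at_exec"] else "direct access"
            lines.append(f"event {serial}: {src} denied {{ {' '.join(perms)} }} on {tclass} "
                         f"{path} ({tgt}); exe={s['exe']}; {origin}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT))
```

Feed it `ausearch -i`-free raw output (for example the "Raw Audit Messages" section of a sealert, or lines from /var/log/audit/audit.log) and it groups by event serial, so a single denial that the kernel logs several times collapses to one line with the source type, target type, object class and the execve origin.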


Related issues

Related to MCollective Plugins - Refactor #13412: puppetd plugin should use "puppet agent" and not puppetd Closed 03/26/2012

History

#1 Updated by Chris Price about 2 years ago

  • Description updated (diff)

#2 Updated by Chris Price about 2 years ago

  • Status changed from Unreviewed to Investigating
  • Assignee set to Michael Stahnke

Mike said that he might know someone who he can ask for advice about this.

#3 Updated by Eric Shamow about 2 years ago

I can't reproduce this bug. Tried first in PE, then with the (near) identical FOSS setup. One thing I'd note is that the command entered here – mco puppetd --wi runonce – won't work. --wi is intended to specify an identity. So in the below case, from my master, I run mco puppetd runonce --wi pe-centos5.localdomain. I can't see that impacting the substance of the ticket – and it's probably a typo – but worth pointing out.

The only potential cause I can imagine here is that the mco puppetd provider hits /usr/sbin/puppetd instead of “puppet agent” but again I’d imagine we’d have seen the problem in my testing.

My setup/results:

[root@pe-centos5 mcollective]# rpm -qa|grep -e puppet -e mcollective
puppet-2.7.11-2.el5
mcollective-common-1.2.1-1.el5
mcollective-1.2.1-1.el5

[root@pe-centos5 mcollective]# uname -a
Linux pe-centos5.localdomain 2.6.18-274.18.1.el5 #1 SMP Thu Feb 9 12:45:52 EST 2012 i686 i686 i386 GNU/Linux

[root@pe-centos5 mcollective]# facter | grep sel
selinux => true
selinux_config_mode => enforcing
selinux_config_policy => targeted
selinux_current_mode => enforcing
selinux_enforced => true
selinux_mode => targeted
selinux_policyversion => 21

[root@pe-centos5 mcollective]# chkconfig --list nscd
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@pe-centos5 mcollective]# service nscd status
nscd is stopped
Mar 29 16:30:09 pe-centos5 puppet-agent[4066]: Reopening log files
Mar 29 16:31:31 pe-centos5 puppet-agent[4066]: (/Stage[main]/Tst/User[root]/password) changed password
Mar 29 16:31:31 pe-centos5 puppet-agent[4066]: Finished catalog run in 0.10 seconds

This works for non-root users as well.

#4 Updated by Stefan Heijmans about 2 years ago

Hi Eric,

the command from the puppet-master was;

When we do a puppet-run from the puppetmaster with the mcollective plugin puppetd;

'mco puppetd --wi [hostname] runonce'

and not;

'mco puppetd --wi runonce'

Somehow the text editor on the bugtracker changes a few things in the text.

Can you also check what the SELinux label of the puppet temporary file is? I used the following loop with a 0.5 second delay:

# while true; do ls -lZ /tmp/*puppet*; perl -e "select(undef, undef, undef, 0.5)"; done

This is what I get;

# while true; do ls -lZ /tmp/*puppet*; perl -e "select(undef, undef, undef, 0.5)"; done
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
-rw-------  root root user_u:object_r:initrc_tmp_t     /tmp/puppet.4510.0
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
ls: /tmp/*puppet*: No such file or directory
#

/var/log/messages
Mar 30 12:50:14  puppet-agent[4510]: Reopening log files
Mar 30 12:50:20  puppet-agent[4510]: (/Stage[main]/Common::Config-sysadmin/User[heijmans]/password) changed password
Mar 30 12:50:20  setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/tmp/puppet.4510.0). For complete SELinux messages. run sealert -l 3d2bf8ff-2d97-492a-a644-d5c2de71db07
Mar 30 12:50:20  last message repeated 3 times
Mar 30 12:50:23  puppet-agent[4510]: Finished catalog run in 4.43 seconds

-I can’t reproduce this bug. Tried first in PE, then with the (near) identical FOSS setup.

Such a shame, but which version of PE and CentOS did you use? Perhaps I can try it with those as well.

Stefan

#5 Updated by Stefan Heijmans almost 2 years ago

Just installed CentOS 5.7 & 5.8 as a client. Indeed the SELinux alert doesn't show up on this distro like it does on RHEL57.

#6 Updated by Stefan Heijmans almost 2 years ago

Did a fresh install of RHEL57 and this also didn't show the SELinux alert, which made me really wonder; I quickly found out that the correct software was not installed and the service was not running.

So after doing 'yum install -y setroubleshoot-server' and 'service setroubleshoot start', the SELinux Alert showed up on both fresh installs of RHEL57 and CentOS58.

[root@centos57 ~]# cat /etc/redhat-release
CentOS release 5.8 (Final)
[root@centos57 ~]# uname -a
Linux centos57.public.domain 2.6.18-308.4.1.el5 #1 SMP Tue Apr 17 17:08:00 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@centos57 ~]# rpm -qa|grep -e pupp -e mcoll -e facter
puppet-2.7.14-1.el5
facter-1.6.8-1
mcollective-common-2.0.0-1.el5
mcollective-2.0.0-1.el5
[root@centos57 ~]#
May  7 21:21:56 centos57 puppet-agent[4415]: Reopening log files
May  7 21:21:58 centos57 puppet-agent[4415]: (/Stage[main]/Test::Config/User[heijmans]/password) changed password
May  7 21:21:58 centos57 setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/tmp/puppet.4415.0). For complete SELinux messages. run sealert -l b230dc43-d78d-496d-9004-dcde1767afbd
May  7 21:21:58 centos57 puppet-agent[4415]: Finished catalog run in 0.29 seconds
May  7 21:21:58 centos57 setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/tmp/puppet.4415.0). For complete SELinux messages. run sealert -l b230dc43-d78d-496d-9004-dcde1767afbd

@Eric Shamow Could you also verify whether you had the setroubleshoot-server software installed and the service running when you tried to reproduce it?

Stefan.

#7 Updated by Michael Stahnke almost 2 years ago

  • Assignee changed from Michael Stahnke to Eric Shamow

Eric, reassigning to you since you seem to have somewhat more idea than I do.

#8 Updated by Eric Shamow almost 2 years ago

Confirmed – with that package installed I do indeed replicate the error.

I believe the problem is in the current implementation of puppetd as shipped with PE. The problem is partially fixed upstream in mcollective. It's a twofold problem: /usr/sbin/puppetd, which is deprecated, doesn't properly set SELinux context. And mcollective's puppetd.rb calls /usr/sbin/puppetd, which is deprecated.

Can you verify that if you set the config var

plugin.puppetd.puppetd = "/usr/bin/puppet agent"

in server.cfg on one of your nodes that it resolves the problem? You may need to restart MCollective to pick up the change.

#9 Updated by Eric Shamow almost 2 years ago

  • Status changed from Investigating to Accepted
  • Assignee changed from Eric Shamow to Matthaus Owens

We need to ensure that we’re packaging the latest version of the puppetd agent, and also that context is set properly on the puppetd binary on install.

#10 Updated by Stefan Heijmans almost 2 years ago

Eric,

We've upgraded our environment a bit and are now running RHEL58 with kernel 2.6.18-308.8.1.el5. Have tested this morning with the following packages installed: facter-1.6.10-1.el5, mcollective-2.0.0-1.el5, mcollective-common-2.0.0-1.el5, puppet-2.7.17-1.el5.

We also updated the MCollective puppetd agent to the new version 1.7, which uses puppet instead of puppetd.

# locate puppetd.rb
/usr/libexec/mcollective/mcollective/agent/puppetd.rb
# cat /usr/libexec/mcollective/mcollective/agent/puppetd.rb
module MCollective
  module Agent
    # An agent to manage the Puppet Daemon
    #
    # Configuration Options:
    #    puppetd.splaytime - Number of seconds within which to splay; no splay
    #                        by default
    #    puppetd.statefile - Where to find the state.yaml file; defaults to
    #                        /var/lib/puppet/state/state.yaml
    #    puppetd.lockfile  - Where to find the lock file; defaults to
    #                        /var/lib/puppet/state/puppetdlock
    #    puppetd.puppetd   - Where to find the puppet agent binary; defaults to
    #                        /usr/bin/puppet agent
    #    puppetd.summary   - Where to find the summary file written by Puppet
    #                        2.6.8 and newer; defaults to
    #                        /var/lib/puppet/state/last_run_summary.yaml
    #    puppetd.pidfile   - Where to find puppet agent's pid file; defaults to
    #                        /var/run/puppet/agent.pid
    class Puppetd<RPC::Agent
      metadata    :name        => "Puppet Controller Agent",
                  :description => "Run puppet agent, get its status, and enable/disable it",
                  :author      => "R.I.Pienaar",
                  :license     => "Apache License 2.0",
                  :version     => "1.7",
                  :url         => "http://projects.puppetlabs.com/projects/mcollective-plugins/wiki/AgentPuppetd",
                  :timeout     => 30

      def startup_hook
        @splaytime = @config.pluginconf["puppetd.splaytime"].to_i || 0
        @lockfile = @config.pluginconf["puppetd.lockfile"] || "/var/lib/puppet/state/puppetdlock"
        @statefile = @config.pluginconf["puppetd.statefile"] || "/var/lib/puppet/state/state.yaml"
        @pidfile = @config.pluginconf["puppet.pidfile"] || "/var/run/puppet/agent.pid"
        @puppetd = @config.pluginconf["puppetd.puppetd"] || "/usr/bin/puppet agent"
        @last_summary = @config.pluginconf["puppet.summary"] || "/var/lib/puppet/state/last_run_summary.yaml"
      end

      # (the agent's actions follow here; not included in the ticket)
    end
  end
end

When I run puppet through mcollective, I see that the puppet binary is used;

root     14121     1 44 10:10 ?        00:00:01 /usr/bin/ruby /usr/bin/puppet agent --onetime

These are the installed puppet/puppetd binaries;

puppet
# ls -lZ /usr/bin/puppet
-rwxr-xr-x  root root system_u:object_r:bin_t          /usr/bin/puppet
# ls -l /usr/sbin/puppetd
-rwxr-xr-x 1 root root 84 Jun 20 02:04 /usr/sbin/puppetd

puppetd
# ls -lZ /usr/sbin/puppetd
-rwxr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/puppetd
# ls -l /usr/sbin/puppetd
-rwxr-xr-x 1 root root 84 Jun 20 02:04 /usr/sbin/puppetd

The SELinux Alert still occurs;

Jun 20 10:10:15 xxxxxxxx setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/tmp/puppet.14121.0). For complete SELinux messages. run sealert -l f6447ca5-ff6f-4b46-a65c-c518d63b9807

Stefan
