Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1515499 - sysadm users cannot execute 'puppet agent' command
Summary: sysadm users cannot execute 'puppet agent' command
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.9
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1374441 1522745 1522765
TreeView+ depends on / blocked
 
Reported: 2017-11-20 22:41 UTC by Coby Isley
Modified: 2018-06-19 05:12 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In Red Hat Enterprise Linux 6.9, the puppet module in the SELinux policy package had been restructured to follow Red Hat Enterprise Linux 7 puppet4 model, and the domain for the /usr/bin/puppet binary file had been set to 'puppet_exec_t`. As a consequence, SELinux denied executing the 'puppet agent' command for the 'sysadm_t' confined user. With this update, the missing domain transitions have been added, and `puppet agent` can be now successfully executed by 'sysadm_t' with SELinux in Enforcing mode.
Clone Of:
: 1522745 1522765 (view as bug list)
Environment:
Last Closed: 2018-06-19 05:11:44 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1871 None None None 2018-06-19 05:12:54 UTC

Description Coby Isley 2017-11-20 22:41:18 UTC
Description of problem:

SELinux policy version 3.7.19-306 appears to have restructured puppet module code to follow rhel7 puppet4 model, including changing /usr/bin/puppet binary to puppet_exec_t. 

It seems that introduced a regression where system administrators cannot execute 'puppet agent' command.  By default sysadm_t domain does not have transition rules to allow puppet to run in the puppet_t domain. Additional denials were generated because sysadmin_t does not have permissions to enter confined domains such as consoletype_t,  hostname_t, puppet_initrc_t etc to execute their 
respective commands. 

puppet_t does have permissions to enter those domains and run their  respective commands. Just like rhel7's version of the policy, 'puppet agent' command should
successfully transition to one of puppet's domain Instead of running in caller's domain. 

Following rhel7's model, rhel6's puppet module should export a couple of interfaces that would allow calling domain/role combination to transition to puppet_t domain.  Something like ..

########################################
## <summary>
##      Execute puppet in the puppet
##      domain.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`puppet_domtrans_puppet',`
        gen_require(`
                type puppet_t, puppet_exec_t;
        ')

        corecmd_search_bin($1)
        domtrans_pattern($1, puppet_exec_t, puppet_t)
')

#####################################
## <summary>
##      Execute puppet in the puppet
##      domain and allow the specified
##      role the puppet domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to transition.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`puppet_run_puppet',`
        gen_require(`
                type puppet_t, puppet_exec_t;
        ')

        puppet_domtrans_puppet($1)
        role $2 types puppet_t;
')

With these interfaces, appropriate system administrators could be allowed to execute puppet.


Version-Release number of selected component (if applicable):

- SELinux policy version 3.7.19-306 


How reproducible:

- Each time


Steps to Reproduce:
1. Create a rhel6 system with the latest selinux-policy rpm.
2. Install and setup puppet
3. ssh into the system and become system administrator using "sudo -ir sysadm_r"  or login locally on the system as root in sysadm_r role.
4. Run "puppet agent --test --noop"


Actual results:
- Selinux is denying this interaction


Expected results:
- As this works in the later RHEL 7, RHEL 6 should ideally reflect this behavior as well.

Comment 12 Milos Malik 2017-12-06 09:33:14 UTC
log in via ssh as staff_u user -> switch to sysadm_r via newrole -> switch to root via su -> run puppet agent --test --noop --server

Following SELinux denial appears after disabling dontaudit rules:
----
type=SYSCALL msg=audit(12/06/2017 04:28:33.553:351) : arch=x86_64 syscall=execve success=yes exit=0 a0=0xb9a740 a1=0xbaf4e0 a2=0xba1390 a3=0x38 items=0 ppid=25156 pid=25576 auid=staffroot uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=17 comm=puppet exe=/usr/bin/ruby subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(12/06/2017 04:28:33.553:351) : avc:  denied  { execute_no_trans } for  pid=25576 comm=bash path=/usr/bin/puppet dev=vda1 ino=33564 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_exec_t:s0 tclass=file 
type=AVC msg=audit(12/06/2017 04:28:33.553:351) : avc:  denied  { execute } for  pid=25576 comm=bash name=puppet dev=vda1 ino=33564 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_exec_t:s0 tclass=file 
----

Comment 19 errata-xmlrpc 2018-06-19 05:11:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1871


Note You need to log in before you can comment on or make changes to this bug.