Bug #7021

closed

When SELinux is enabled, the ncf-api-venv home is owned by root

Added by Alexis Mousset almost 9 years ago. Updated over 8 years ago.

Status: Released
Priority: N/A
Assignee: Matthieu CERDA
Category: System integration

Description

type=AVC msg=audit(1437489622.784:688): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1437489622.784:688): arch=c000003e syscall=92 success=no exit=-13 a0=7fff598f08e6 a1=3e5 a2=3e4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1437489622.784:689): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1437489622.784:689): arch=c000003e syscall=90 success=no exit=-13 a0=7fff598f08e6 a1=1c0 a2=0 a3=3f items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1437489622.784:690): pid=4835 uid=0 auid=1000 ses=5 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=997 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1437489622.784:691): avc:  denied  { create } for  pid=4835 comm="useradd" name=".bash_logout" scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1437489622.784:691): arch=c000003e syscall=2 success=no exit=-13 a0=7fa36fbb9c90 a1=241 a2=1a4 a3=6165726373662f72 items=0 ppid=4833 pid=4835 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

Related issues (1: 0 open, 1 closed)

Related to Rudder - Bug #7019: Could not upload inventory when SELinux is enabled (Released, Benoît PECCATTE, 2015-07-30)
Actions #1

Updated by Alexis Mousset almost 9 years ago

# ls -ahl /var/lib/ncf-api-venv/
total 4.0K
d---------.  2 root root    6 Jul 21 14:40 .
drwxr-xr-x. 29 root root 4.0K Jul 21 14:40 ..

When SELinux is disabled:

# ls -ahl /var/lib/ncf-api-venv/
total 20K
drwx------.  2 ncf-api-venv ncf-api-venv   72 Jul 21 14:36 .
drwxr-xr-x. 29 root         root         4.0K Jul 21 14:36 ..
-rw-r--r--.  1 ncf-api-venv ncf-api-venv   18 Jun 10  2014 .bash_logout
-rw-r--r--.  1 ncf-api-venv ncf-api-venv  193 Jun 10  2014 .bash_profile
-rw-r--r--.  1 ncf-api-venv ncf-api-venv  231 Jun 10  2014 .bashrc
-rw-r--r--.  1 ncf-api-venv ncf-api-venv  658 Mar 26 13:18 .zshrc
Actions #2

Updated by Alexis Mousset almost 9 years ago

  • Related to Bug #7019: Could not upload inventory when SELinux is enabled added
Actions #3

Updated by Alexis Mousset over 8 years ago

audit2allow gives:

module rudder-ncf 1.0;

require {
    type useradd_t;
    type var_lib_t;
    class dir setattr;
}

#============= useradd_t ==============
allow useradd_t var_lib_t:dir setattr;

which allows useradd to change file attributes in /var/lib.
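To show how the module above is derived from the description's audit records, here is an added Python example (not part of this ticket or the Rudder project) that parses the AVC lines into (source type, target type, class) access vectors and renders the equivalent type-enforcement module. Run over all three denials in the description, it also produces the file create rule for .bash_logout that the dir setattr rule alone does not cover; the sample log and the module name rudder-ncf are taken from the ticket.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the ticket description plus one
# abbreviated SYSCALL record, to show that non-AVC lines are skipped.
AVC_LOG = """\
type=AVC msg=audit(1437489622.784:688): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1437489622.784:688): arch=c000003e syscall=92 success=no exit=-13 comm="useradd"
type=AVC msg=audit(1437489622.784:689): avc:  denied  { setattr } for  pid=4835 comm="useradd" name="ncf-api-venv" dev="dm-1" ino=135910344 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1437489622.784:691): avc:  denied  { create } for  pid=4835 comm="useradd" name=".bash_logout" scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type (third field) of a user:role:type[:range] context."""
    return context.split(":")[2]

def parse_denials(log):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL / ADD_USER records carry no access vector
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def to_te_module(rules, name, version="1.0"):
    """Render the collected denials as a minimal .te module, as audit2allow does."""
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    out = [f"module {name} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_te_module(parse_denials(AVC_LOG), "rudder-ncf"))
```

Both generated rules grant useradd_t the access on every var_lib_t object, not only on the venv home, which is the scope the comment above describes.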

Actions #4

Updated by Alexis Mousset over 8 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #5

Updated by Alexis Mousset over 8 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/725
Actions #6

Updated by Alexis Mousset over 8 years ago

  • Assignee changed from Benoît PECCATTE to Matthieu CERDA
Actions #7

Updated by Vincent MEMBRÉ over 8 years ago

  • Status changed from Pending technical review to Pending release
Actions #8

Updated by Alexis Mousset over 8 years ago

  • % Done changed from 0 to 100
Actions #9

Updated by Matthieu CERDA over 8 years ago

Actions #10

Updated by François ARMAND over 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 3.1.1 which was released today.
