LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-02-2015, 07:17 PM   #1
sndlt
Member
 
Registered: Jun 2014
Posts: 55

Rep: Reputation: Disabled
SELinux to allow puppet-server at https://puppet-server:8140


My puppet-server currently resides at "https://puppet-server:8140".

I run "sudo setenforce permissive" on the server to let puppet-server's port 8140 get through. After that, "sudo service httpd restart" to get the puppet-server going.

But I need to do this each time the server is rebooted.

How can I either (1) Make a rule in SELinux to allow puppet-server at https port 8140 and to survive reboot, OR (2) Make "sudo setenforce permissive" to survive reboot?

SELinux is so tricky for me.
Thanks.
 
Old 05-02-2015, 08:21 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,624

Rep: Reputation: 2651
SE is rather easy to use these days, not like it was in 2004.

permissive is ONLY for testing:
it logs all the errors without STOPPING THEM.

Once you have taken care of any errors in the /var/log/selinux log files,
set SE to Enforcing using the "targeted" settings.
This IS the DEFAULT for SE on RHEL/CentOS.

you might want to READ the SElinux documentation for RHEL

the current RHEL7 SELinux user guide
https://access.redhat.com/documentat...ide/index.html
 
Old 05-02-2015, 10:05 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by John VV View Post
you might want to READ the SElinux documentation for RHEL
There is no "/var/log/selinux" in RHEL / CentOS but there is /var/log/audit/audit.log though.


Quote:
Originally Posted by sndlt View Post
How can I either (1) Make a rule in SELinux to allow puppet-server at https port 8140 and to survive reboot
What does this return:
Code:
audit2allow < /var/log/audit/audit.log
 
Old 05-02-2015, 11:34 PM   #4
sndlt
Member
 
Registered: Jun 2014
Posts: 55

Original Poster
Rep: Reputation: Disabled
"audit2allow < /var/log/audit/audit.log" returns "-bash: /var/log/audit/audit.log: Permission denied" despite using sudo, or "-bash: audit2allow: command not found" when using "su -".

Following is part of the log. Does it tell anything as to what I need to do?

Code:
type=AVC msg=audit(1430426830.107:370): avc: denied { setattr } for pid=26299 comm="ruby" name="puppetmaster.oracle.pem" dev="dm-0" ino=131152 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1430426830.107:370): arch=c000003e syscall=90 success=yes exit=0 a0=2cb75a0 a1=1a0 a2=8 a3=8 items=0 ppid=26263 pid=26299 auid=500 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 ses=1 tty=(none) comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1430426830.107:371): avc: denied { relabelfrom } for pid=26299 comm="ruby" name="puppetmaster.oracle.pem" dev="dm-0" ino=131152 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430426830.107:371): avc: denied { relabelto } for pid=26299 comm="ruby" name="puppetmaster.oracle.pem" dev="dm-0" ino=131152 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1430426830.107:371): arch=c000003e syscall=189 success=yes exit=0 a0=2cb75a0 a1=39e36162fd a2=233eaa0 a3=26 items=0 ppid=26263 pid=26299 auid=500 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 ses=1 tty=(none) comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1430426830.522:372): avc: denied { fowner } for pid=26348 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1430426830.522:372): avc: denied { fsetid } for pid=26348 comm="chmod" capability=4 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1430426830.522:372): arch=c000003e syscall=268 success=yes exit=0 a0=ffffffffffffff9c a1=2436120 a2=1c0 a3=0 items=0 ppid=26263 pid=26348 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm="chmod" exe="/bin/chmod" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1430426833.010:379): avc: denied { search } for pid=26356 comm="ps" name="354" dev="proc" ino=7879 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1430426833.010:379): avc: denied { read } for pid=26356 comm="ps" name="stat" dev="proc" ino=10952 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1430426833.010:379): avc: denied { open } for pid=26356 comm="ps" path="/proc/354/stat" dev="proc" ino=10952 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1430426833.010:379): arch=c000003e syscall=2 success=yes exit=5 a0=39e2411860 a1=0 a2=0 a3=0 items=0 ppid=26263 pid=26356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1430426833.010:380): avc: denied { getattr } for pid=26356 comm="ps" path="/proc/2027" dev="proc" ino=10772 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir
type=SYSCALL msg=audit(1430426833.010:380): arch=c000003e syscall=4 success=yes exit=0 a0=9da4e0 a1=39e2411cc0 a2=39e2411cc0 a3=9da4e6 items=0 ppid=26263 pid=26356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
 
Old 05-03-2015, 03:00 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by sndlt View Post
"audit2allow < /var/log/audit/audit.log" returns "-bash: /var/log/audit/audit.log: Permission denied" despite using sudo, or "-bash: audit2allow: command not found" when using "su -".
Well, then fix that first! As in see if policycoreutils* packages are installed and use full paths.


Quote:
Originally Posted by sndlt View Post
Following are part of the log. Does it tell anything? As to what I need to do?
Thanks but I don't want that. It sure should. Yes, but I want to see 'audit2allow' output. No shortcuts. I'm not going to interpret these log lines for you.
 
Old 05-03-2015, 11:08 AM   #6
sndlt
Member
 
Registered: Jun 2014
Posts: 55

Original Poster
Rep: Reputation: Disabled
Please forgive my newbishness in Linux. haha

Shall I do a "yum install policycoreutils*" first to activate that command? ("audit2allow < /var/log/audit/audit.log")

Or "install setroubleshoot" per https://www.centos.org/forums/viewtopic.php?t=5012? I guess

Last edited by sndlt; 05-03-2015 at 11:25 AM.
 
Old 05-03-2015, 12:59 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by sndlt View Post
Shall I do a "yum install policycoreutils*" first to activate that command? ("audit2allow < /var/log/audit/audit.log")
Or "install setroubleshoot" per https://www.centos.org/forums/viewtopic.php?t=5012? I guess
I'd say whatever steps it takes to enable you to run the command and the less steps the better.
 
Old 05-03-2015, 04:31 PM   #8
sndlt
Member
 
Registered: Jun 2014
Posts: 55

Original Poster
Rep: Reputation: Disabled
Finally got "audit2allow < /var/log/audit/audit.log" to work as root.
Again, please help this newbie by helping to interpret this message.
Thanks.

Code:
[root@puppetmaster ~]# audit2allow < /var/log/audit/audit.log


#============= httpd_t ==============
allow httpd_t NetworkManager_t:dir { getattr search };
allow httpd_t NetworkManager_t:file { read open };
allow httpd_t apmd_t:dir { getattr search };
allow httpd_t apmd_t:file { read open };
allow httpd_t auditd_t:dir { getattr search };
allow httpd_t auditd_t:file { read open };
allow httpd_t automount_t:dir { getattr search };
allow httpd_t automount_t:file { read open };
allow httpd_t certmonger_t:dir { getattr search };
allow httpd_t certmonger_t:file { read open };
allow httpd_t consolekit_t:dir { getattr search };
allow httpd_t consolekit_t:file { read open };
allow httpd_t crond_t:dir { getattr search };
allow httpd_t crond_t:file { read open };
allow httpd_t cupsd_t:dir { getattr search };
allow httpd_t cupsd_t:file { read open };
allow httpd_t devicekit_disk_t:dir { getattr search };
allow httpd_t devicekit_disk_t:file { read open };
allow httpd_t devicekit_power_t:dir { getattr search };
allow httpd_t devicekit_power_t:file { read open };
allow httpd_t dhcpc_t:dir { getattr search };
allow httpd_t dhcpc_t:file { read open };
allow httpd_t fprintd_t:dir { getattr search };
allow httpd_t fprintd_t:file { read open };
allow httpd_t getty_t:dir { getattr search };
allow httpd_t getty_t:file { read open };
allow httpd_t hald_t:dir { getattr search };
allow httpd_t hald_t:file { read open };
allow httpd_t init_t:dir { getattr search };
allow httpd_t init_t:file { read open };
allow httpd_t initrc_t:dir { getattr search };
allow httpd_t initrc_t:file { read open };
allow httpd_t kernel_t:dir { getattr search };
allow httpd_t kernel_t:file { read open };
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t modemmanager_t:dir { getattr search };
allow httpd_t modemmanager_t:file { read open };
allow httpd_t ntpd_t:dir { getattr search };
allow httpd_t ntpd_t:file { read open };
allow httpd_t policykit_t:dir { getattr search };
allow httpd_t policykit_t:file { read open };

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_verify_dns, allow_ypbind
allow httpd_t port_t:udp_socket name_bind;
allow httpd_t postfix_master_t:dir { getattr search };
allow httpd_t postfix_master_t:file { read open };
allow httpd_t postfix_pickup_t:dir { getattr search };
allow httpd_t postfix_pickup_t:file { read open };
allow httpd_t postfix_qmgr_t:dir { getattr search };
allow httpd_t postfix_qmgr_t:file { read open };
allow httpd_t prelink_cron_system_t:dir { getattr search };
allow httpd_t prelink_cron_system_t:file { read open };
allow httpd_t prelink_t:dir { getattr search };
allow httpd_t prelink_t:file { read open };
#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# squirrelmail_spool_t, dirsrvadmin_config_t, httpd_tmp_t, dirsrv_config_t, dirsrvadmin_tmp_t, httpd_cache_t, httpd_tmpfs_t, httpd_squirrelmail_t, dirsrv_var_run_t, dirsrv_var_log_t, httpd_var_lib_t, httpd_var_run_t, zarafa_var_lib_t, httpd_dspam_rw_content_t, httpd_prewikka_rw_content_t, httpd_mediawiki_rw_content_t, httpd_squid_rw_content_t, passenger_var_run_t, httpd_smokeping_cgi_rw_content_t, httpd_openshift_rw_content_t, httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_rw_content_t, httpd_collectd_rw_content_t, httpd_user_rw_content_t, httpd_awstats_rw_content_t, httpdcontent, httpd_cobbler_rw_content_t, httpd_munin_rw_content_t, cluster_conf_t, httpd_bugzilla_rw_content_t, passenger_tmp_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_nutups_cgi_rw_content_t

allow httpd_t puppet_var_lib_t:dir { write rmdir setattr read remove_name create add_name };
allow httpd_t puppet_var_lib_t:file { rename write setattr relabelfrom relabelto create unlink };
allow httpd_t puppet_var_run_t:dir getattr;
allow httpd_t rpcbind_t:dir { getattr search };
allow httpd_t rpcbind_t:file { read open };
allow httpd_t rpcd_t:dir { getattr search };
allow httpd_t rpcd_t:file { read open };
allow httpd_t rpm_t:dir { getattr search };
allow httpd_t rpm_t:file { read open };
allow httpd_t rtkit_daemon_t:dir { getattr search };
allow httpd_t rtkit_daemon_t:file { read open };

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_run_stickshift, httpd_setrlimit
allow httpd_t self:capability { fowner sys_resource fsetid };
allow httpd_t sshd_t:dir { getattr search };
allow httpd_t sshd_t:file { read open };
allow httpd_t syslogd_t:dir { getattr search };
allow httpd_t syslogd_t:file { read open };
allow httpd_t system_cronjob_t:dir { getattr search };
allow httpd_t system_cronjob_t:file { read open };
allow httpd_t system_dbusd_t:dir { getattr search };
allow httpd_t system_dbusd_t:file { read open };
allow httpd_t udev_t:dir { getattr search };
allow httpd_t udev_t:file { read open };
allow httpd_t unconfined_dbusd_t:dir { getattr search };
allow httpd_t unconfined_dbusd_t:file { read open };
allow httpd_t unconfined_t:dir { getattr search };
allow httpd_t unconfined_t:file { read open };
allow httpd_t xdm_t:dir { getattr search };
allow httpd_t xdm_t:file { read open };
allow httpd_t xserver_t:dir { getattr search };
allow httpd_t xserver_t:file { read open };
[root@puppetmaster ~]#

Last edited by unSpawn; 05-04-2015 at 01:08 AM. Reason: //Add vBB code tags.
 
Old 05-04-2015, 01:12 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
See 'man audit2allow' to understand this:
Code:
umask 0027 && cd /tmp && mkdir .audit2a.$$ && cd .audit2a.$$
# select only the raw AVC records where httpd_t hits a puppet_* label (audit.log lines start with "type=", not "allow")
grep 'avc: .*httpd_t.*puppet_' /var/log/audit/audit.log | audit2allow -M localpuppet
semodule -i localpuppet.pp
..and afterwards test and let us know if it works.
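As an added example for this thread (not code from any of the posts, and not part of audit2allow itself), here is a small script that does by hand what the `audit2allow -M localpuppet` pipeline in the post above does: it parses the raw AVC records from post #4 (embedded below with the forum-mangled contexts restored, plus one SYSCALL record to show it is skipped), merges the denied permissions per source/target/class the way audit2allow does, keeps only the httpd_t -> puppet_* rules (the same scoping as the grep above) and renders them as policy module source. Everything else that httpd_t was denied (reading other domains' /proc entries, self capabilities) is parked in a "review" bucket rather than silently allowed, because those are the denials that should be handled by a boolean, a restorecon, or not at all. The function names, the `puppet_` prefix and the `localpuppet` module name are this example's own assumptions.

```python
"""Triage SELinux AVC denials into a scoped policy module (added example, not from the thread)."""
import re
from collections import defaultdict

# Sample input: the AVC lines posted in this thread, contexts restored; one SYSCALL record included to show it is ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1430426830.107:370): avc: denied { setattr } for pid=26299 comm="ruby" name="puppetmaster.oracle.pem" dev="dm-0" ino=131152 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430426830.107:371): avc: denied { relabelfrom } for pid=26299 comm="ruby" name="puppetmaster.oracle.pem" dev="dm-0" ino=131152 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430426830.107:371): avc: denied { relabelto } for pid=26299 comm="ruby" name="puppetmaster.oracle.pem" dev="dm-0" ino=131152 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1430426830.522:372): avc: denied { fowner } for pid=26348 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1430426830.522:372): avc: denied { fsetid } for pid=26348 comm="chmod" capability=4 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1430426833.010:379): avc: denied { search } for pid=26356 comm="ps" name="354" dev="proc" ino=7879 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1430426833.010:379): avc: denied { read } for pid=26356 comm="ps" name="stat" dev="proc" ino=10952 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1430426833.010:379): avc: denied { open } for pid=26356 comm="ps" path="/proc/354/stat" dev="proc" ino=10952 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tclass=file
type=AVC msg=audit(1430426833.010:380): avc: denied { getattr } for pid=26356 comm="ps" path="/proc/2027" dev="proc" ino=10772 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=dir
type=SYSCALL msg=audit(1430426833.010:380): arch=c000003e syscall=4 success=yes exit=0 a0=9da4e0 a1=39e2411cc0 a2=39e2411cc0 a3=9da4e6 items=0 ppid=26263 pid=26356 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm="ps" exe="/bin/ps" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each type=AVC record."""
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, CWD, PATH etc. carry no denial
        m = AVC_RE.search(line)
        if not m:
            continue
        # a context is user:role:type[:range]; the type is the third field
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())


def aggregate(records):
    """Merge denied permissions per (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in records:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def triage(rules, source="httpd_t", target_prefix="puppet_"):
    """Split rules into ones worth a scoped module and ones to review by hand.

    Only <source> touching a <target_prefix>* label is kept; everything else
    (other domains' /proc entries, self capabilities) goes to 'review', where
    the right answer may be a boolean, a restorecon, or simply not allowing it.
    """
    keep, review = {}, {}
    for key, perms in rules.items():
        stype, ttype, _ = key
        if stype != source:
            continue
        (keep if ttype.startswith(target_prefix) else review)[key] = perms
    return keep, review


def render_te(module_name, rules):
    """Render policy module source in the shape 'audit2allow -M' produces."""
    types, class_perms = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        class_perms[tclass] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype  # same-domain rules are written as 'self'
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = aggregate(parse_avcs(SAMPLE_AUDIT_LOG))
    keep, review = triage(rules)
    print(render_te("localpuppet", keep))
    for (s, t, c), perms in sorted(review.items()):
        print(f"# review, not auto-allowed: {s} -> {t}:{c} {sorted(perms)}")
```

Save the printed module source as localpuppet.te, then `checkmodule -M -m -o localpuppet.mod localpuppet.te && semodule_package -o localpuppet.pp -m localpuppet.mod && semodule -i localpuppet.pp` (this is the three-step form of what `audit2allow -M localpuppet` followed by `semodule -i` does). A module installed with semodule is part of the loaded policy and survives reboots, which answers the original poster's option (1) without ever touching /etc/selinux/config. For the "review" bucket, use `setsebool -P` for the booleans audit2allow names in its comments, and `restorecon -Rv` on directories whose files carry the wrong label, rather than adding those rules to the module.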
 
  

