You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In RHEL/CentOS 6.10 with SELinux set to enforcing, the following access violation will occur when testing the new sshd_config with check_cmd (openssh/config.sls, line 17):
type=AVC msg=audit(1548598945.937:183): avc: denied { open } for pid=13492 comm="sshd" name="__salt.tmp.BYA0jz" dev=dm-0 ino=410972 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
Which, according to audit2allow -w, is because:
(...)
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
This issue was reported in the (as yet unresolved) #98.
or the proper way - by using selinux.module_install, you can install an SELinux policy that will allow the tmp file to be read by check_cmd.
I have taken the liberty of generating this policy. In the interest of transparency for those that wish to use it, here's how (all commands assume root):
yum -y install policycoreutils-python (if you currently don't have the audit2allow program installed)
Then, of course, one would NORMALLY install via semodule -i salt.openssh_formula.fix_centos6_selinux.pp but in this case, SaltStack should install this.
Here are those files that are generated:
salt.openssh_formula.fix_centos6_selinux.te:
module salt.openssh_formula.fix_centos6_selinux 1.0;
require {
type initrc_tmp_t;
type sshd_t;
class file open;
}
#============= sshd_t ==============
# Created by GitHub user johnnybubonic
# Fix for: https://github.com/saltstack-formulas/openssh-formula/issues/147
allow sshd_t initrc_tmp_t:file open;
salt.openssh_formula.fix_centos6_selinux.mod (binary file; in Base64)[0]:
[0] To decode base64 back into a binary file, copy the entire base64 string to a file (e.g. selinuxpolicy.b64) and then do base64 -d selinuxpolicy.b64 > newfilename. newfilename is the reassembled file. You can pipe it as well: echo '<base64_string>' | base64 -d > newfilename - but if you do it this way, you must remove the linebreaks.
You SHOULD only need the salt.openssh_formula.fix_centos6_selinux.pp file. Use a file.manage to get that in place if:
os_family == RedHat AND
osmajorrelease == 6 AND
selinux:enforced == Enforcing
and then apply it with selinux.module_install.
I have tested the policy and it does indeed work.
I have confirmed the following works on a fresh install of CentOS 6.10:
@johnnybubonic Thanks for the extensive documentation of the proper fix!
I'm leaning towards a cleaner version of "the hacky way" based on #151, because
a) decoupling formulas (selinux/openssh) reduces need for maintenance.
b) I think a simple use_check_cmd: False in osfingermap.yaml is sufficient to prevent the original bug.
Nevertheless I would add proper documentation in pillar.example on
how to set the flag based on grains. (use_check_cmd: {{ salt['grains.get']('selinux:enforced', False) != 'Enforcing' }})
how to do it properly, which will essentially be a link to this Issue.
In RHEL/CentOS 6.10 with SELinux set to
enforcing
, the following access violation will occur when testing the new sshd_config with check_cmd (openssh/config.sls
, line17
):Which, according to
audit2allow -w
, is because:This issue was reported in the (as yet unresolved) #98.
There are two ways around this.
The hacky way:
or the proper way - by using selinux.module_install, you can install an SELinux policy that will allow the tmp file to be read by check_cmd.
I have taken the liberty of generating this policy. In the interest of transparency for those that wish to use it, here's how (all commands assume root):
yum -y install policycoreutils-python
(if you currently don't have theaudit2allow
program installed)grep 'name="__salt.tmp.' /var/log/audit/audit.log > /tmp/avc_err
cat /tmp/avc_err | audit2allow -m salt.openssh_formula.fix_centos6_selinux > salt.openssh_formula.fix_centos6_selinux.te
checkmodule -M -m -o salt.openssh_formula.fix_centos6_selinux.mod salt.openssh_formula.fix_centos6_selinux.te
semodule_package -o salt.openssh_formula.fix_centos6_selinux.pp -m salt.openssh_formula.fix_centos6_selinux.mod
semodule -i salt.openssh_formula.fix_centos6_selinux.pp
but in this case, SaltStack should install this.Here are those files that are generated:
salt.openssh_formula.fix_centos6_selinux.te:
salt.openssh_formula.fix_centos6_selinux.mod (binary file; in Base64)[0]:
salt.openssh_formula.fix_centos6_selinux.pp (binary file; in Base64)[0]:
[0] To decode base64 back into a binary file, copy the entire base64 string to a file (e.g.
selinuxpolicy.b64
) and then dobase64 -d selinuxpolicy.b64 > newfilename
.newfilename
is the reassembled file. You can pipe it as well:echo '<base64_string>' | base64 -d > newfilename
- but if you do it this way, you must remove the linebreaks.You SHOULD only need the
salt.openssh_formula.fix_centos6_selinux.pp
file. Use a file.manage to get that in place if:and then apply it with selinux.module_install.
I have tested the policy and it does indeed work.
I have confirmed the following works on a fresh install of CentOS 6.10:
The text was updated successfully, but these errors were encountered: