softwarefactory-project / DLRN

DO NOT send Pull Requests here, send reviews to
https://softwarefactory-project.io/r/#/q/project:DLRN
Apache License 2.0

Delorean has to run with selinux enforced #7

Closed strider closed 4 years ago

strider commented 9 years ago

@trown has been working on and testing a delorean policy on http://trunk-mgt.rdoproject.org. It would be interesting to get it running on the delorean trunk instance.

Here is the selinux policy module: http://fpaste.org/223819/14321316/

The fpaste is of a delorean.te file. This can be installed with:

# checkmodule -M -m -o delorean.mod delorean.te
# semodule_package -o delorean.pp -m delorean.mod
# semodule -i delorean.pp

Then adding a labeling rule for the data directory and relabeling the existing files:

# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/data(/.*)?"
# restorecon -Rv /root/delorean/data
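The three build/install commands and the labeling step above, combined into one script with the checks a practitioner would want. This is an added example, not code from the thread or from DLRN: it assumes the delorean.te file is saved as ./delorean.te, that checkmodule, semodule_package, semodule, semanage, restorecon and matchpathcon are installed, and the function names and the DELOREAN_POLICY_APPLY switch are this example's own. It goes one step beyond the commands on the page by escaping regex metacharacters in the path, because semanage fcontext patterns are regular expressions.

```shell
#!/bin/sh
# Added example (not DLRN's own code): the module build, load and labeling
# steps above as one script, with verification. Assumes the delorean.te from
# the thread is saved as ./delorean.te and that checkmodule, semodule_package,
# semodule, semanage, restorecon and matchpathcon are installed.
# Function names and the DELOREAN_POLICY_APPLY switch are this example's own.

# Build the fcontext pattern for a directory tree. fcontext patterns are
# regular expressions, so metacharacters in the path are escaped; otherwise
# "/srv/delorean.d" would also match "/srv/deloreanXd".
fcontext_regex() {
    dir=${1%/}
    printf '%s(/.*)?\n' "$(printf '%s' "$dir" | sed 's/[][*^$.+?(){}|]/\\&/g')"
}

# Compile and load the module, then confirm the kernel actually has it.
install_policy_module() {
    checkmodule -M -m -o delorean.mod delorean.te
    semodule_package -o delorean.pp -m delorean.mod
    semodule -i delorean.pp
    semodule -l | grep -q '^delorean' || { echo "delorean module not loaded" >&2; return 1; }
}

# Record the labeling rule and apply it to whatever already exists on disk.
# "semanage fcontext -a" fails if the rule is already present, so fall back
# to -m to keep reruns harmless.
label_dir() {
    pattern=$(fcontext_regex "$1")
    semanage fcontext -a -t "$2" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$2" "$pattern"
    mkdir -p "$1"
    restorecon -Rv "$1"
}

# Check both what the policy says the path should be and what it is on disk.
verify_label() {
    matchpathcon "$1" | grep -q ":$2:" \
        || { echo "policy does not map $1 to $2" >&2; return 1; }
    ls -dZ "$1" | grep -q ":$2:" \
        || { echo "$1 is not labeled $2 on disk" >&2; return 1; }
}

# Only touch the system when explicitly asked (needs root on an SELinux host).
if [ "${DELOREAN_POLICY_APPLY:-0}" = 1 ]; then
    set -e
    install_policy_module
    label_dir /root/delorean/data httpd_sys_rw_content_t
    verify_label /root/delorean/data httpd_sys_rw_content_t
fi
```

Run it as root with DELOREAN_POLICY_APPLY=1; without the variable it only defines the functions, so fcontext_regex can be checked on any machine. Additional directories can be handled with further label_dir calls.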

apevec commented 9 years ago

Archiving pastebin content here:

module delorean 1.0;

require {
        type httpd_sys_rw_content_t;
        type svirt_lxc_net_t;
        type docker_t;
        class dir { setattr read create write getattr rmdir remove_name add_name };     
        class file { append execute setattr read create ioctl execute_no_trans write getattr link unlink open };
        class lnk_file { read unlink link setattr};
}

#============= docker_t ==============
allow docker_t httpd_sys_rw_content_t:dir getattr;

#============= svirt_lxc_net_t ==============
allow svirt_lxc_net_t httpd_sys_rw_content_t:dir { write read create add_name remove_name rmdir setattr };
allow svirt_lxc_net_t httpd_sys_rw_content_t:file { append write ioctl link read create open unlink setattr};
allow svirt_lxc_net_t httpd_sys_rw_content_t:lnk_file { read unlink link setattr};

derekhiggins commented 9 years ago

Thanks. Was this on CentOS or Fedora? On F21 this is working for me with no custom modules:

sudo semanage fcontext -a -t svirt_sandbox_file_t "/tmp/delorean/data(/.*)?"
sudo semanage fcontext -a -t svirt_sandbox_file_t "/tmp/delorean/scripts(/.*)?"
mkdir /tmp/delorean/data
sudo restorecon -R /tmp/delorean

I'm not sure why I need to create the data directory before running restorecon, I would have thought it would get the correct context once semanage had been run.

apevec commented 8 years ago

@dmsimard Does the above selinux module resolve all denials for you on F22?

dmsimard commented 8 years ago

It works with the module and the instructions provided by @strider but I had to adjust that last bit:

# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/data(/.*)?"
# restorecon -Rv /root/delorean/data

actually used:

# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/data(/.*)?"
# semanage fcontext -a -t httpd_sys_rw_content_t "/root/delorean/scripts(/.*)?"
# restorecon -Rv /root/delorean

For the record, the AVC error with the permission denied was the following:

type=AVC msg=audit(1441897500.157:754): avc:  denied  { read } for  pid=13754 comm="build_rpm_wrapp" name="build_rpm_wrapper.sh" dev="dm-1" ino=565190 scontext=system_u:system_r:svirt_lxc_net_t:s0:c53,c65 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0

No permission denied errors so far (and the package is building).

Edit: That doesn't look like it works after all. Trying to figure out what the issue is now.

$ delorean --config-file projects.ini --local --dev --package-name openstack-cinder --log-commands
INFO:delorean:Getting git://git.openstack.org/openstack/cinder to ./data/openstack-cinder
INFO:delorean:Processing openstack-cinder cb790c0979665f376c0c01c0443301f8e7362d66
ERROR:delorean:Error while building packages for openstack-cinder
Traceback (most recent call last):
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 229, in main
    options.use_public)
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 498, in build
    raise Exception("No rpms built for %s" % project_name)
Exception: No rpms built for openstack-cinder
INFO:delorean:Skipping notify email to ['eharney@redhat.com', 'apevec@redhat.com', 'hguemar@redhat.com']
INFO:delorean:Processing openstack-cinder bcc7ce05cb73b96915df43e89af3c8f42f9eb677
ERROR:delorean:Error while building packages for openstack-cinder
Traceback (most recent call last):
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 229, in main
    options.use_public)
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 498, in build
    raise Exception("No rpms built for %s" % project_name)
Exception: No rpms built for openstack-cinder
INFO:delorean:Processing openstack-cinder 23e6cf9967463d3b59ca2e63344b0bbbf3e5491a
ERROR:delorean:Error while building packages for openstack-cinder
Traceback (most recent call last):
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 229, in main
    options.use_public)
  File "/home/dmsimard/dev/delorean/delorean/shell.py", line 498, in build
    raise Exception("No rpms built for %s" % project_name)
Exception: No rpms built for openstack-cinder

[...]

apevec commented 8 years ago

I tried docker_home_t on ./data/ but that doesn't help:

avc: denied { write } for pid=875 comm="build_rpm_wrapp" ... scontext=system_u:system_r:svirt_lxc_net_t:s0:c104,c397 tcontext=unconfined_u:object_r:docker_home_t:s0 tclass=dir permissive=0
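A small triage helper for the two denials quoted in this thread (dmsimard's read denial on build_rpm_wrapper.sh and apevec's write denial on the docker_home_t directory). It is an added example, not part of DLRN and not audit2allow: it extracts the source type, target type, object class and permission from an audit(8) AVC line, checks them against the allow rules of the delorean.te posted above, and separates a target that is merely mislabeled (user_home_t or docker_home_t where the module expects httpd_sys_rw_content_t, so restorecon is the fix) from a permission the module genuinely lacks. The first sample line is dmsimard's denial copied from this thread; the other two are constructed for the example, and the classification rules are this example's own.

```shell
#!/bin/sh
# Added example, not part of DLRN: triage AVC denials against the delorean.te
# module posted in this thread. The classification logic is this example's own
# (audit2allow would emit an allow rule for every denial, mislabeled or not).

# allow rules copied from the delorean.te above
DELOREAN_RULES='
allow docker_t httpd_sys_rw_content_t:dir getattr;
allow svirt_lxc_net_t httpd_sys_rw_content_t:dir { write read create add_name remove_name rmdir setattr };
allow svirt_lxc_net_t httpd_sys_rw_content_t:file { append write ioctl link read create open unlink setattr };
allow svirt_lxc_net_t httpd_sys_rw_content_t:lnk_file { read unlink link setattr };
'

# The denial dmsimard posted above, verbatim.
AVC_PAGE='type=AVC msg=audit(1441897500.157:754): avc:  denied  { read } for  pid=13754 comm="build_rpm_wrapp" name="build_rpm_wrapper.sh" dev="dm-1" ino=565190 scontext=system_u:system_r:svirt_lxc_net_t:s0:c53,c65 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
# Two constructed lines (not from the thread): one the module already covers,
# one on a correctly labeled file where the module really lacks the permission.
AVC_COVERED='type=AVC msg=audit(1441897600.000:800): avc:  denied  { write } for  pid=13800 comm="build_rpm_wrapp" name="data" dev="dm-1" ino=565200 scontext=system_u:system_r:svirt_lxc_net_t:s0:c53,c65 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0'
AVC_EXEC='type=AVC msg=audit(1441897601.000:801): avc:  denied  { execute } for  pid=13801 comm="build_rpm_wrapp" name="build_rpm_wrapper.sh" dev="dm-1" ino=565201 scontext=system_u:system_r:svirt_lxc_net_t:s0:c53,c65 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0'

# Field extractors: each prints one field of an AVC audit line.
avc_perm()   { printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'; }
avc_stype()  { printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'; }
avc_ttype()  { printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'; }
avc_tclass() { printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p'; }

# Succeeds if the module grants <stype> <perm> on <ttype>:<tclass>.
rule_covers() {
    printf '%s\n' "$DELOREAN_RULES" \
        | grep "^allow $1 $2:$3 " \
        | sed 's/^[^ ]* [^ ]* [^ ]* //; s/[{};]/ /g' \
        | tr ' ' '\n' | grep -qx "$4"
}

# Classify one denial, given the type the data directory is supposed to carry.
triage() {
    line=$1; expected=$2
    stype=$(avc_stype "$line"); ttype=$(avc_ttype "$line")
    tclass=$(avc_tclass "$line"); perm=$(avc_perm "$line")
    if rule_covers "$stype" "$ttype" "$tclass" "$perm"; then
        echo "covered: $stype $perm on $ttype:$tclass is already allowed; check semodule -l"
    elif [ "$ttype" != "$expected" ]; then
        echo "relabel: target is $ttype, expected $expected; run restorecon on the path"
    else
        echo "allow $stype $ttype:$tclass { $perm };"
    fi
}

for avc in "$AVC_PAGE" "$AVC_COVERED" "$AVC_EXEC"; do
    triage "$avc" httpd_sys_rw_content_t
done
```

The page's own denial comes out as "relabel", which matches the fix dmsimard arrived at (labeling the scripts directory as well), rather than the extra allow rule audit2allow would have suggested for user_home_t; only the constructed execute denial produces a new allow line.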

javierpena commented 8 years ago

I think the switch to mock allowed DLRN to run with SELinux active. The current instance is running in Permissive, although from a quick check on the audit logs it looks like the issue is more related to having the user home directories running on NFS.

javierpena commented 4 years ago

This is already in Taiga: https://tree.taiga.io/project/morucci-software-factory/us/233 . In general terms, DLRN runs without any issue with SELinux set to Enforcing. Some details of the current production deployment need to be fixed, mostly related to the API and location of web-served files.