Project

Profile

Help

Issue #3347

Advise users to use `setsebool` to set pulp_manage_rsync

Added by Ichimonji10 about 1 year ago. Updated 5 days ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Severity:
2. Medium
Version:
Platform Release:
2.15.3
Blocks Release:
OS:
Backwards Incompatible:
No
Triaged:
Yes
Groomed:
Yes
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
QA Contact:
Complexity:
Smash Test:
Verified:
No
Verification Required:
No
Sprint:
Sprint 32

Description

On Fedora 27, the semanage executable can be used to set the default state of a boolean, but not its current state. To wit:

# semanage boolean --list | head -n 1
SELinux boolean                State  Default Description
# semanage boolean --modify --off pulp_manage_rsync
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (off  ,  off)  Allow pulp to manage rsync
# semanage boolean --modify --on pulp_manage_rsync
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (off  ,   on)  Allow pulp to manage rsync

Notice how semanage sets a policy's "default" state, but not its current state? In prior versions of Fedora, both the "state" and "default" fields would be updated by this command. To set the current state of a boolean, the setsebool command now has to be used:

# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (off  ,  off)  Allow pulp to manage rsync
# setsebool pulp_manage_rsync on
# semanage boolean --list | grep pulp_manage_rsync
pulp_manage_rsync              (on   ,  off)  Allow pulp to manage rsync

Note that this behaviour applies to other policies on F27, too. Here's another arbitrary policy that I arbitrarily picked out:

# semanage boolean --modify --on zoneminder_run_sudo
# semanage boolean --list | grep zoneminder_run_sudo
zoneminder_run_sudo            (off  ,   on)  Allow zoneminder to run sudo
# semanage boolean --modify --off zoneminder_run_sudo
# semanage boolean --list | grep zoneminder_run_sudo
zoneminder_run_sudo            (off  ,  off)  Allow zoneminder to run sudo

The docs currently advise using semanage here. Let's tell readers about setsebool too.

This change appears to be intentional. The system journal shows no errors. Here's the output of journalctl --follow for the time period in which semanage boolean --modify --on is executed:

-- Logs begin at Wed 2018-02-07 11:10:04 EST. --
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability open_perms=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability extended_socket_class=0
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability always_check_network=0
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability cgroup_seclabel=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability nnp_nosuid_transition=1
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly audit[710]: USER_AVC pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=21)
                                                         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly audit: MAC_POLICY_LOAD policy loaded auid=0 ses=11
Feb 07 12:26:07 fedora-27-pulp-2-16-nightly dbus-daemon[710]: [system] Reloaded configuration
Feb 07 12:26:08 fedora-27-pulp-2-16-nightly audit[3829]: USER_START pid=3829 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.101.1 terminal=/dev/pts/1 res=success'
Feb 07 12:26:08 fedora-27-pulp-2-16-nightly audit[3829]: CRYPTO_KEY_USER pid=3829 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:0f:7f:33:2b:ba:6c:3a:16:47:19:de:04:1f:f7:1e:e1:61:53:9c:34:cd:0b:ea:dd:80:8d:30:66:1c:e4:a1:e9 direction=? spid=8428 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 32768 avtab hash slots, 108540 rules.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: 32768 avtab hash slots, 108540 rules.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  8 users, 14 roles, 5094 types, 318 bools, 1 sens, 1024 cats
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  97 classes, 108540 rules
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Permission getrlimit in class process not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class sctp_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class icmp_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class ax25_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class ipx_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class netrom_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class atmpvc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class x25_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class rose_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class decnet_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class atmsvc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class rds_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class irda_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class pppox_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class llc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class can_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class tipc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class bluetooth_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class iucv_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class rxrpc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class isdn_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class phonet_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class ieee802154_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class caif_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class alg_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class nfc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class vsock_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class kcm_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class qipcrtr_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux:  Class smc_socket not defined in policy.
Feb 07 12:26:18 fedora-27-pulp-2-16-nightly kernel: SELinux: the above unknown classes and permissions will be allowed
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability network_peer_controls=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability open_perms=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability extended_socket_class=0
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability always_check_network=0
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability cgroup_seclabel=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly kernel: SELinux:  policy capability nnp_nosuid_transition=1
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly audit[710]: USER_AVC pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=22)
                                                         exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly audit: MAC_POLICY_LOAD policy loaded auid=0 ses=11
Feb 07 12:26:20 fedora-27-pulp-2-16-nightly dbus-daemon[710]: [system] Reloaded configuration

Associated revisions

Revision d337f46f View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

re #3347
https://pulp.plan.io/issues/3347

Revision b6f3f042 View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

re #3347
https://pulp.plan.io/issues/3347

Revision b6f3f042 View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

re #3347
https://pulp.plan.io/issues/3347

Revision 93f876bb View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

closes #3347
https://pulp.plan.io/issues/3347

Revision a5dbbf3f View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

closes #3347
https://pulp.plan.io/issues/3347

(cherry picked from commit 93f876bb038ca7224fbdb0b2b522fb42cded5cbc)

Revision bc55e044 View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

re #3347
https://pulp.plan.io/issues/3347

(cherry picked from commit d337f46fe34528f0a20796ccdba0d75ebbe213a3)

Revision 1842120e View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

re #3347
https://pulp.plan.io/issues/3347

(cherry picked from commit b6f3f042d06077a844b35bfad8f1c752b4975d41)

Revision 1842120e View on GitHub
Added by werwty about 1 year ago

Advise users on using setsebool to set pulp_manage_rsync selinux boolean

F27+ changed the behavior of semanage to set a selinux boolean by
default, but not change its current state.

re #3347
https://pulp.plan.io/issues/3347

(cherry picked from commit b6f3f042d06077a844b35bfad8f1c752b4975d41)

History

#2 Updated by dalley about 1 year ago

  • Sprint/Milestone set to 54
  • Triaged changed from No to Yes
  • Groomed changed from No to Yes

#3 Updated by bizhang about 1 year ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bizhang

#5 Updated by werwty about 1 year ago

  • Status changed from POST to MODIFIED

#6 Updated by bmbouter about 1 year ago

  • Platform Release set to 2.15.3

#7 Updated by bmbouter about 1 year ago

  • Sprint set to Sprint 32

#8 Updated by bmbouter about 1 year ago

  • Sprint/Milestone deleted (54)

#10 Updated by bmbouter about 1 year ago

  • Status changed from MODIFIED to ON_QA

#11 Updated by bmbouter about 1 year ago

  • Status changed from ON_QA to CLOSED - CURRENTRELEASE

#12 Updated by bmbouter 5 days ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF