[katello-devel] Katello, Foreman and SELinux

Miroslav Grepl mgrepl at redhat.com
Wed Nov 28 13:12:44 UTC 2012


On 11/28/2012 01:46 PM, Lukas Zapletal wrote:
> Hello,
>
> just a reminder of how our SELinux policy is implemented in Katello.
> Katello runs in thin and users are connecting via httpd proxy which is
> configured in /etc/httpd/conf.d/katello.conf.
>
> We have a simple "make it running" policy distributed in katello-selinux
> package. The codebase is here:
>
> https://github.com/Katello/katello/tree/master/selinux/katello-selinux
>
> This policy allows httpd, which is running in confined mode, to connect
> to thin, basically. The katello running under thin is running unconfined
> (e.g. the process can do anything - it's not in the "safe" selinux
> mode). The context of the process is initrc_t which is just a special
> context for services running unconfined.
>
> We start katello not using /usr/bin/thin, but using our own wrapper in
> /usr/share/katello/script/thin which has usr_t context and because of
> this, the context is not changed during startup and we keep the unconfined
> one. This is not a bug, we want that.
>
> By the way Pulp runs in confined mode and Candlepin is unconfined.
>
> </End of reminder>
>
> Foreman sysvinit script, on the other hand, uses /usr/bin/thin directly,
> which in Fedora 17+ turns the process into own thin_t context. That
> means Foreman is running in confined mode. Foreman of course fails to
> start, because SELinux is preventing it from doing anything. It will
> prevent it from creating PID files, therefore Foreman cannot start.
>
> The reason this works on RHEL6 is that the thin_t context was introduced
> in Fedora 17+; since there is no such context, Foreman starts
> unconfined on RHEL6. And since our katello policy for httpd is not
> hardened (we allow connecting to any port instead of only katello
> ports), httpd has no problems with this either.
>
> This is the reason why Foreman does not work on F17+. We need to create
> our own wrapper script and change our SysV init script to use it. I'd
> recommend not putting it in /usr/share/foreman/script but creating
> our own starter like Aeolus does in /usr/bin/foreman-thinwrapper and doing
> the same with Katello (katello-thinwrapper).
>
> If we would like to confine thin processes (or perhaps mod_passenger
> processes) for both Katello and Foreman, we would need to extend our
> policy with this and also use the thin_t context as a template:
>
> thin_domain_template(thin_foreman_t)
>
> This is what Aeolus does currently.
>
> That is the plan I guess. Looking at our backlog we have three cases:
>
> US1408
> As a user, I'd like to have SELinux policy for Foreman
>
> US1409
> As a dev, I'd like to harden Katello SELinux policy
> (This is all about writing our policy for httpd in a nicer way and
> cleaning it out - several rules are not necessary anymore)
>
> US1410
> As a dev, I'd like to run katello process in its own domain
>
> I have reordered them in this mail by priority. The first one is
> actually an ASAP task, it's blocking F17 installations (workaround
> setenforce 0).
>
> Bryan, can you please look at them and prioritize them within the whole
> overall plan? I guess we need to do the second with the mod_passenger
> change together, or after. Or it could be done together with the first
> one, that is even better. And the third is the bright future :-)
>
I agree and I like it. This is a reason why we rewrote the thin policy
to have better support for these projects (Katello, Aeolus ...).
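The mail hinges on which SELinux domain each service process ends up in: httpd in httpd_t (confined), Katello's thin in initrc_t (unconfined, because the wrapper carries usr_t and triggers no transition), and Foreman's thin in thin_t on Fedora 17+ (confined, which is what breaks PID file creation). The script below is an added example, not code from the Katello, Foreman or Aeolus projects. It takes `ps -eZ` style output, pulls the type field out of each process label and reports whether the process is confined or running in one of the unconfined domains named in the mail. The process listing is constructed for the example, not captured from a real host; on an SELinux system the same functions can be fed the real output of `ps -eZ`.

```shell
#!/bin/sh
# Added example (not from Katello/Foreman): classify processes by SELinux domain.
# Constructed `ps -eZ`-style sample, labelled as such; not from a real host.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:httpd_t:s0                 1234 ?        00:00:01 httpd
system_u:system_r:initrc_t:s0                2345 ?        00:00:05 ruby
system_u:system_r:thin_t:s0                  3456 ?        00:00:00 ruby
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4567 pts/0 00:00:00 bash'

# selinux_type LABEL -> the type (third colon-separated field of user:role:type:level)
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify TYPE -> "unconfined" for the domains the mail describes as
# unrestricted (initrc_t for services, unconfined_t for logged-in users),
# "confined" for everything else such as httpd_t or thin_t
classify() {
    case "$1" in
        initrc_t|unconfined_t) echo unconfined ;;
        *) echo confined ;;
    esac
}

# domain_of PS_OUTPUT PID -> SELinux type of the process with that PID
domain_of() {
    printf '%s\n' "$1" | awk -v pid="$2" 'NR > 1 && $2 == pid { print $1 }' | cut -d: -f3
}

# report PS_OUTPUT -> one line per process: PID CMD TYPE confined|unconfined
report() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1, $2, $NF }' |
    while read -r label pid cmd; do
        t=$(selinux_type "$label")
        printf '%s %s %s %s\n' "$pid" "$cmd" "$t" "$(classify "$t")"
    done
}

report "$SAMPLE_PS"
```

On the constructed sample the report marks PID 2345 (initrc_t, the Katello wrapper case) as unconfined and PID 3456 (thin_t, the Foreman-on-F17 case) as confined, which is exactly the difference the mail is describing. The type check on the executable that causes the transition (`ls -Z /usr/bin/thin` versus the usr_t wrapper) is the complementary step to run on the host itself.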