[Pulp-list] SELinux Policy for Pulp+Satellite6

Brian Bouterse bbouters at redhat.com
Mon Aug 18 20:21:54 UTC 2014


Hi, I work with the Pulp [0] team at Red Hat, and we are part of the Satellite product. I found your names on the SELinux team page. tl;dr: I could really use some IRC help in #selinux internal on a policy I'm writing for a product.

Pulp currently has an SELinux policy [1], but over the past year several new processes have been introduced that now need to run in more secure contexts. These processes run custom task code, so they aren't easily put into a more secure, pre-existing context from one of the well-defined, vanilla contexts. I've been working on producing a policy by profiling the AVC denials and using tools like `audit2allow -Ral`, but I have some issues that I haven't been able to work through.

Is it possible to get someone to coach me through the rest of this and sanity-check that the policy is adequate when it's done? Rather than write huge descriptions here of all the things I've done, I'll summarize the current issues I am working with. There are others, but here are two to start with. Could someone knowledgeable about writing SELinux policies reach out to me (hopefully on IRC) to resolve these? My username in #pulp on freenode and internal is 'bmbouter'.


A) I enable a policy (celery.pp) that contains the rule `auth_use_nsswitch(celery_t)`, yet when I try to start the services in permissive mode, `audit2allow -Ral` tells me I need to add `auth_use_nsswitch(celery_t)`. I know the module that contains the statement is enabled because I bumped the version number and see that version listed with `semodule -l`. This makes no sense because that rule is already in the policy definition.

B) I've applied the contexts I'm developing (celery_t and celery_exec_t) to the /usr/bin/celery process. I see some AVC denials relating to the binary python2.7 not being able to have 'chr_file' permission. We use the Python interpreter python2.7 to run the Python module (/usr/bin/celery). We only label the /usr/bin/celery process, not the interpreter, because we don't want all Python code to run within the celery_t context. If I turn on enforcing mode, I believe this error prevents the processes from running at all. Do we need to adjust our entrypoint so that the top-level binary run is /usr/bin/celery and not python2.7 with /usr/bin/celery as the argument?

C) Besides the auth_use_nsswitch recommendation from (A), I don't see other AVC denials, but when I put the box in enforcing mode I run into the denial behavior from (B). This is strange to me because audit2allow is supposed to show all denials since the last policy reload point. I'm at a loss as to why it reports nothing, yet enforcing mode says python2.7 wants more access than is allowed.


Thanks,
Brian

[0]:  http://pulp-user-guide.readthedocs.org/en/latest/
[1]:  https://github.com/pulp/pulp/tree/master/server/selinux/server
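The following is an added example for this thread, not code from the Pulp project or from the post above. It reduces constructed AVC records to the raw allow rules that audit2allow derives before -R rewrites them into interface calls, and it shows which file in a service command line is the one the kernel execve()s, since only that file's label can trigger the transition into celery_t. The sample records, pids, inodes and timestamps are made up; the type names are ordinary targeted-policy types chosen for illustration, not denials taken from the poster's machine.

```shell
#!/bin/sh
# Added example for this thread (not Pulp project code). A few lines of sed
# that do what audit2allow does with raw AVC records, plus a helper that
# reports which file a service command line actually executes.

# Constructed sample AVC records in audit.log format. Pids, inodes and
# timestamps are invented; the types are illustrative targeted-policy types.
SAMPLE_AVC='type=AVC msg=audit(1408392114.123:456): avc:  denied  { read write } for  pid=1234 comm="python2.7" path="/dev/null" dev="devtmpfs" ino=1029 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file
type=AVC msg=audit(1408392115.321:457): avc:  denied  { read } for  pid=1234 comm="python2.7" name="passwd" dev="dm-0" ino=393 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file'

# Reduce each AVC record on stdin to the raw rule that would satisfy it:
#   allow <source type> <target type>:<class> { <perms> };
# This is the reduction audit2allow performs; with -R it then tries to
# replace such rules with reference-policy interface calls such as
# auth_use_nsswitch(). Records need the MLS suffix (":s0") as shown above.
avc_to_allow() {
  sed -nE 's/.*denied  [{] ([^}]*)[}] .*scontext=[^:]+:[^:]+:([^:]+):.*tcontext=[^:]+:[^:]+:([^:]+):.*tclass=([a-z_]+).*/allow \2 \3:\4 { \1};/p'
}

# Given a service command line, print the path the kernel execve()s. A
# domain transition is decided by the label of that file alone:
# "/usr/bin/python2.7 /usr/bin/celery" executes the interpreter (normally
# bin_t), so a celery_exec_t label on /usr/bin/celery never comes into play.
# Executing "/usr/bin/celery" directly, with its #! line naming the
# interpreter, is what makes the script's celery_exec_t label the one the
# transition rule sees.
exec_target() {
  printf '%s\n' "${1%% *}"
}

# Demonstration on the constructed input.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
exec_target "/usr/bin/python2.7 /usr/bin/celery worker"
exec_target "/usr/bin/celery worker"
```

On a real box the checks behind (B) and (C) are `ls -Z /usr/bin/celery /usr/bin/python2.7` and `ps -eZ | grep celery`, to confirm which file carries celery_exec_t and whether the workers actually land in celery_t; `sesearch -A -s celery_t -t <type> -c <class>`, to confirm a rule is in the loaded policy rather than only in the .te source; and `semodule -DB`, which rebuilds the policy with dontaudit rules disabled. Denials swallowed by dontaudit rules are a common reason a process fails in enforcing mode while audit2allow sees nothing; `semodule -B` turns them back on afterwards.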