
fix: Ensure selinux type for used ports, set default data and log dirmode #253

Merged

Conversation

spetrosi
Collaborator

@spetrosi spetrosi commented Jan 15, 2024

Enhancement:

  1. Ensure SELinux type for used ports
  2. Set default mode for data and log storage directories

Reason:

  1. Custom TCP ports must have mssql_port_t SELinux type
  2. mssql_datadir_mode and mssql_logdir_mode should have a default value for security

Result:

  1. When mssql_manage_selinux is set to true, the role configures used ports with the mssql_port_t SELinux type
  2. mssql_datadir_mode and mssql_logdir_mode variables have a default value of '755'
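The "ensure SELinux type for used ports" enhancement amounts to comparing the ports the role will use against what `semanage port -l` already reports and only changing what differs. This is an added illustration of that idempotent check and is not the role's own code; the `semanage` output is a constructed sample modelled on the one quoted later in this thread, and `custom_port_t` is a made-up label used only to show the modify case.

```python
import re

# Constructed sample of `semanage port -l` output: the two mssql lines as quoted in
# this PR plus one made-up entry (custom_port_t) to exercise the "already labelled
# with another type" branch.
SAMPLE_SEMANAGE = """\
mssql_port_t                   tcp      1433-1434
mssql_port_t                   udp      1433-1434
custom_port_t                  tcp      1500, 1600-1602
"""

LINE_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")


def parse_port_labels(text):
    """Map (proto, port) -> SELinux port type from `semanage port -l` style output.

    Port specs are comma-separated and may be single ports or lo-hi ranges."""
    labels = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        setype, proto, spec = m.groups()
        for item in spec.split(","):
            lo, _, hi = item.strip().partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                labels.setdefault((proto, port), setype)
    return labels


def plan_port_changes(labels, wanted_ports, setype="mssql_port_t", proto="tcp"):
    """Return the semanage commands needed so every wanted port carries `setype`.

    A port already labelled with `setype` needs nothing (idempotent). An unlabelled
    port is added with -a; a port owned by another type must be modified with -m,
    because `semanage port -a` on an already defined port fails with
    "already defined"."""
    cmds = []
    for port in wanted_ports:
        current = labels.get((proto, port))
        if current == setype:
            continue
        action = "-a" if current is None else "-m"
        cmds.append(f"semanage port {action} -t {setype} -p {proto} {port}")
    return cmds


if __name__ == "__main__":
    labels = parse_port_labels(SAMPLE_SEMANAGE)
    # 1433 is already mssql_port_t, 1435 is unlabelled, 1500 belongs to custom_port_t
    for cmd in plan_port_changes(labels, [1433, 1435, 1500]):
        print(cmd)
```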

@spetrosi spetrosi requested a review from richm as a code owner January 15, 2024 13:37
@richm richm changed the title bug: Configure to run as a confined app after mssql-conf setup fix: Configure to run as a confined app after mssql-conf setup Jan 15, 2024
@richm
Contributor

richm commented Jan 15, 2024

doesn't this indicate that there is some sort of selinux problem with the way mssql-conf works?

@spetrosi
Collaborator Author

doesn't this indicate that there is some sort of selinux problem with the way mssql-conf works?

It does, yeah. Moreover, after this "fix" there is still one message, this one:

[root@client]# /sbin/ausearch --input-logs -sv no -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Mon Jan 15 09:41:25 2024
type=PROCTITLE msg=audit(1705329685.403:2553): proctitle=707974686F6E33002F6F70742F6D7373716C2F62696E2F2E2E2F6C69622F6D7373716C2D636F6E662F6D7373716C2D636F6E662E707900736574006E6574776F726B2E746370706F72740031343333
type=SYSCALL msg=audit(1705329685.403:2553): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff922b0910 a2=10 a3=7fa502b659b9 items=0 ppid=51541 pid=51543 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="python3" exe="/usr/bin/python3.9" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1705329685.403:2553): avc:  denied  { name_connect } for  pid=51543 comm="python3" dest=1433 scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mssql_port_t:s0 tclass=tcp_socket permissive=0

But there were many more messages before. So this is not a proper fix; it can only be done on the mssql-server side, but it is the best-effort fix that the role can do.

@richm
Contributor

richm commented Jan 15, 2024

We could use the selinux role to add the policy to allow that command. https://github.com/linux-system-roles/selinux#selinux_ports

maybe something like this:

selinux_ports:
  - ports: 1433
    proto: tcp
    setype: mssql_conf_t
    state: present
    local: true

?

@spetrosi
Collaborator Author

spetrosi commented Jan 16, 2024

We could use the selinux role to add the policy to allow that command. https://github.com/linux-system-roles/selinux#selinux_ports

The port 1433 has this selinux context set correctly after mssql-conf setup:

[root@vm-10-0-186-177 ~]# semanage port -l | grep mssql
mssql_port_t                   tcp      1433-1434
mssql_port_t                   udp      1433-1434

Prior to this change, the avc job in errata returns the following:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-38.1.29-1.el9.noarch
----
time->Wed Jan 10 20:33:27 2024
type=PROCTITLE msg=audit(1704936807.923:1672): proctitle=73797374656D63746C00737461747573006D7373716C2D736572766572
type=SYSCALL msg=audit(1704936807.923:1672): arch=c000003e syscall=302 success=no exit=-13 a0=0 a1=7 a2=7ffc3dcacb10 a3=0 items=0 ppid=60772 pid=60773 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936807.923:1672): avc:  denied  { setrlimit } for  pid=60773 comm="systemctl" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Wed Jan 10 20:33:27 2024
type=PROCTITLE msg=audit(1704936807.935:1673): proctitle=2F62696E2F7368002D63006966202020686173682064706B673B207468656E20636D643D2264706B67202D2D6C697374223B2020202020202020202020202020202020202020656C69662068617368202072706D3B207468656E20636D643D2272706D202D7161223B20202020202020202020202020202020202020656C7365
type=SYSCALL msg=audit(1704936807.935:1673): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=55ec21dc2180 a2=7ffdb7c7f910 a3=0 items=0 ppid=60763 pid=60774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936807.935:1673): avc:  denied  { getattr } for  pid=60774 comm="sh" path="/usr/bin/rpm" dev="dm-0" ino=33558270 scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
----
time->Wed Jan 10 20:33:27 2024
type=PROCTITLE msg=audit(1704936807.935:1674): proctitle=2F62696E2F7368002D63006966202020686173682064706B673B207468656E20636D643D2264706B67202D2D6C697374223B2020202020202020202020202020202020202020656C69662068617368202072706D3B207468656E20636D643D2272706D202D7161223B20202020202020202020202020202020202020656C7365
type=SYSCALL msg=audit(1704936807.935:1674): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=55ec21dc2180 a2=7ffdb7c7f910 a3=0 items=0 ppid=60763 pid=60774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936807.935:1674): avc:  denied  { getattr } for  pid=60774 comm="sh" path="/usr/bin/rpm" dev="dm-0" ino=33558270 scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0
----
time->Wed Jan 10 20:33:27 2024
type=PROCTITLE msg=audit(1704936807.944:1675): proctitle=73797374656D63746C00737461747573006D7373716C2D736572766572
type=SYSCALL msg=audit(1704936807.944:1675): arch=c000003e syscall=302 success=no exit=-13 a0=0 a1=7 a2=7ffd1e003c20 a3=0 items=0 ppid=60775 pid=60777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936807.944:1675): avc:  denied  { setrlimit } for  pid=60777 comm="systemctl" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Wed Jan 10 20:33:28 2024
type=PROCTITLE msg=audit(1704936808.208:1678): proctitle=7375002D77004D5353514C5F53415F50415353574F52442C4D5353514C5F504944002D63002F6F70742F6D7373716C2F62696E2F73716C7365727672202D2D7365747570202D2D72657365742D73612D70617373776F7264006D7373716C
type=SYSCALL msg=audit(1704936808.208:1678): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7ffc324ff2f0 a2=2d a3=564e12f0b500 items=0 ppid=60778 pid=60789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936808.208:1678): avc:  denied  { connectto } for  pid=60789 comm="su" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
----
time->Wed Jan 10 20:33:28 2024
type=PROCTITLE msg=audit(1704936808.211:1680): proctitle=7375002D77004D5353514C5F53415F50415353574F52442C4D5353514C5F504944002D63002F6F70742F6D7373716C2F62696E2F73716C7365727672202D2D7365747570202D2D72657365742D73612D70617373776F7264006D7373716C
type=SYSCALL msg=audit(1704936808.211:1680): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffc324fd540 a2=2d a3=564e12f0a3c0 items=0 ppid=60778 pid=60789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936808.211:1680): avc:  denied  { connectto } for  pid=60789 comm="su" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
----
time->Wed Jan 10 20:33:28 2024
type=PROCTITLE msg=audit(1704936808.212:1681): proctitle=7375002D77004D5353514C5F53415F50415353574F52442C4D5353514C5F504944002D63002F6F70742F6D7373716C2F62696E2F73716C7365727672202D2D7365747570202D2D72657365742D73612D70617373776F7264006D7373716C
type=SYSCALL msg=audit(1704936808.212:1681): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffc324fd540 a2=2d a3=564e12f0d380 items=0 ppid=60778 pid=60789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936808.212:1681): avc:  denied  { connectto } for  pid=60789 comm="su" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
----
time->Wed Jan 10 20:33:28 2024
type=PROCTITLE msg=audit(1704936808.212:1682): proctitle=7375002D77004D5353514C5F53415F50415353574F52442C4D5353514C5F504944002D63002F6F70742F6D7373716C2F62696E2F73716C7365727672202D2D7365747570202D2D72657365742D73612D70617373776F7264006D7373716C
type=SYSCALL msg=audit(1704936808.212:1682): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffc324fd540 a2=2d a3=564e12f0dd00 items=0 ppid=60778 pid=60789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936808.212:1682): avc:  denied  { connectto } for  pid=60789 comm="su" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
----
time->Wed Jan 10 20:33:28 2024
type=PROCTITLE msg=audit(1704936808.212:1683): proctitle=7375002D77004D5353514C5F53415F50415353574F52442C4D5353514C5F504944002D63002F6F70742F6D7373716C2F62696E2F73716C7365727672202D2D7365747570202D2D72657365742D73612D70617373776F7264006D7373716C
type=SYSCALL msg=audit(1704936808.212:1683): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7ffc324feeb0 a2=2d a3=564e12f0d380 items=0 ppid=60778 pid=60789 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936808.212:1683): avc:  denied  { connectto } for  pid=60789 comm="su" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
----
time->Wed Jan 10 20:33:34 2024
type=PROCTITLE msg=audit(1704936814.750:1696): proctitle=73797374656D63746C007374617274006D7373716C2D736572766572
type=SYSCALL msg=audit(1704936814.750:1696): arch=c000003e syscall=302 success=no exit=-13 a0=0 a1=7 a2=7fff40da3790 a3=0 items=0 ppid=60763 pid=61125 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936814.750:1696): avc:  denied  { setrlimit } for  pid=61125 comm="systemctl" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Wed Jan 10 20:33:34 2024
type=PROCTITLE msg=audit(1704936814.777:1698): proctitle=73797374656D63746C00656E61626C65006D7373716C2D736572766572
type=SYSCALL msg=audit(1704936814.777:1698): arch=c000003e syscall=302 success=no exit=-13 a0=0 a1=7 a2=7ffeb8d94960 a3=0 items=0 ppid=60763 pid=61127 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936814.777:1698): avc:  denied  { setrlimit } for  pid=61127 comm="systemctl" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tclass=process permissive=0
----
time->Wed Jan 10 20:33:49 2024
type=PROCTITLE msg=audit(1704936829.500:1731): proctitle=707974686F6E33002F6F70742F6D7373716C2F62696E2F2E2E2F6C69622F6D7373716C2D636F6E662F6D7373716C2D636F6E662E707900736574006E6574776F726B2E746370706F72740031343333
type=SYSCALL msg=audit(1704936829.500:1731): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fff43397670 a2=10 a3=7f76193259b9 items=0 ppid=61913 pid=61915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python3" exe="/usr/bin/python3.9" subj=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1704936829.500:1731): avc:  denied  { name_connect } for  pid=61915 comm="python3" dest=1433 scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mssql_port_t:s0 tclass=tcp_socket permissive=0

And after this change, only the one message that I wrote above.

It is a good idea to ensure the setype for ports anyway. My plan is to do the most that the role can do and report all issues to Microsoft, so that when they fix the issues on their side the role starts to work.

Users can still set mssql_run_selinux_confined: false and use mssql_manage_selinux to set SELinux to permissive, and use mssql-server as a non-confined app.

@spetrosi
Collaborator Author

@richm And I couldn't set port context to mssql_conf_t as you suggested.

[root@vm-10-0-187-18 ~]# semanage port -l | grep mssql
mssql_port_t                   tcp      1433-1434
mssql_port_t                   udp      1433-1434
[root@vm-10-0-187-18 ~]# semanage port -a -t mssql_conf_t -p tcp 1433
ValueError: Type mssql_conf_t is invalid, must be a port type

Could you get any other useful information on what the role can do to fix selinux issues from the ausearch output that I pasted in the comment above?

@richm
Contributor

richm commented Jan 16, 2024

@richm And I couldn't set port context to mssql_conf_t as you suggested.

[root@vm-10-0-187-18 ~]# semanage port -l | grep mssql
mssql_port_t                   tcp      1433-1434
mssql_port_t                   udp      1433-1434
[root@vm-10-0-187-18 ~]# semanage port -a -t mssql_conf_t -p tcp 1433
ValueError: Type mssql_conf_t is invalid, must be a port type

Could you get any other useful information on what the role can do to fix selinux issues from the ausearch output that I pasted in the comment above?

No, not sure - @bachradsusi is there a way to take the output of ausearch or audit2allow, and convert that to some sort of input for the selinux role?

@bachradsusi
Member

bachradsusi commented Jan 16, 2024

type=AVC msg=audit(1704936829.500:1731): avc: denied { name_connect } for pid=61915 comm="python3" dest=1433 scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mssql_port_t:s0 tclass=tcp_socket permissive=0

This problem can't be solved using semanage.

The mssql_conf_t process is not allowed to name_connect on mssql_port_t.
mssql_port_t is not a standard port type; it seems to be defined in mssql-server-selinux and therefore it should be fixed there.

It's also possible to ship local policy which would allow this. The policy could be generated using something like

ausearch .... | audit2allow -M local_mssql

But it could be dangerous to do automatically, and it's always necessary to review the generated rules.

EDIT: s/sesearch/ausearch/
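The question above was what else the role could learn from the pasted ausearch output, and the answer above warns against feeding it to audit2allow blindly. A first step in reviewing such denials is to join each AVC record to its PROCTITLE record (the hex-encoded argv of the process that was denied) and collapse the repeats into the distinct source/target/class/permission tuples a policy reviewer would have to sign off on. This is an added example, not code from the role or from anyone in this thread; the sample records are copied from the ausearch output quoted earlier, trimmed to the fields the parser reads.

```python
import re
from collections import Counter

# Constructed sample: three events taken from the ausearch output quoted in this
# thread (PROCTITLE + AVC lines only; SYSCALL lines are not needed for triage).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1704936807.923:1672): proctitle=73797374656D63746C00737461747573006D7373716C2D736572766572
type=AVC msg=audit(1704936807.923:1672): avc:  denied  { setrlimit } for  pid=60773 comm="systemctl" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tclass=process permissive=0
type=PROCTITLE msg=audit(1704936829.500:1731): proctitle=707974686F6E33002F6F70742F6D7373716C2F62696E2F2E2E2F6C69622F6D7373716C2D636F6E662F6D7373716C2D636F6E662E707900736574006E6574776F726B2E746370706F72740031343333
type=AVC msg=audit(1704936829.500:1731): avc:  denied  { name_connect } for  pid=61915 comm="python3" dest=1433 scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mssql_port_t:s0 tclass=tcp_socket permissive=0
type=PROCTITLE msg=audit(1704936814.750:1696): proctitle=73797374656D63746C007374617274006D7373716C2D736572766572
type=AVC msg=audit(1704936814.750:1696): avc:  denied  { setrlimit } for  pid=61125 comm="systemctl" scontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:mssql_conf_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

# The audit event id (timestamp:serial) is what links an AVC record to its PROCTITLE.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
PROCTITLE_RE = re.compile(r"type=PROCTITLE msg=audit\((?P<id>[\d.]+:\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)")


def decode_proctitle(hexstr):
    """auditd stores argv as hex with NUL separators; turn it back into a command line."""
    return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode("utf-8", "replace")


def setype(context):
    """The type is the third colon-separated field of user:role:type:level."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per denied AVC record, joined to its decoded PROCTITLE."""
    titles = {m.group("id"): decode_proctitle(m.group("hex")) for m in PROCTITLE_RE.finditer(text)}
    events = []
    for m in AVC_RE.finditer(text):
        if m.group("result") != "denied":
            continue
        events.append({
            "id": m.group("id"),
            "perms": tuple(m.group("perms").split()),
            "source": setype(m.group("scon")),
            "target": setype(m.group("tcon")),
            "tclass": m.group("tclass"),
            "cmd": titles.get(m.group("id"), ""),
        })
    return events


def summarize(events):
    """Collapse repeated denials into distinct (source, target, class, perm) tuples with counts."""
    return Counter((e["source"], e["target"], e["tclass"], p) for e in events for p in e["perms"])


if __name__ == "__main__":
    evs = parse_avc_denials(SAMPLE_AUDIT)
    for e in evs:
        print(f"{e['id']}: {e['source']} -> {e['target']} ({e['tclass']}) {' '.join(e['perms'])} | {e['cmd']}")
    for (src, tgt, cls, perm), n in summarize(evs).most_common():
        print(f"{n}x  {src} -> {tgt}:{cls} {perm}")
```

Each summary line is one rule that a generated local policy would contain; seeing the decoded command next to it (for instance `systemctl status mssql-server` or `mssql-conf.py set network.tcpport 1433`) is what makes the review the comment above asks for possible.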

@spetrosi
Collaborator Author

[citest]

@spetrosi
Collaborator Author

spetrosi commented Jan 16, 2024

Even though ausearch returns a lot of denials, the role itself works. I think that for now the role does all that it can to configure selinux; all other things should work out of the box. Microsoft doesn't describe any further steps, only to install the mssql-server-selinux package and ensure that selinux is in enforcing mode.
Actually, the MS doc says to first install the RPMs and then run mssql-conf setup. I think it's still better to be consistent with what the MS docs say, so I'll probably revert this change here.

@spetrosi spetrosi force-pushed the selinux-install-after-conf branch from 533d69a to 176252f on January 16, 2024 22:44
@spetrosi
Collaborator Author

[citest]

@spetrosi spetrosi force-pushed the selinux-install-after-conf branch from 176252f to c58d025 on January 17, 2024 09:33
@spetrosi
Collaborator Author

[citest]

@spetrosi spetrosi force-pushed the selinux-install-after-conf branch from c58d025 to a082831 on January 17, 2024 11:51
@spetrosi
Collaborator Author

[citest]

fix: Set default data and log dirmode to omit
@spetrosi spetrosi force-pushed the selinux-install-after-conf branch from a082831 to 7c4147f on January 17, 2024 13:00
@spetrosi
Collaborator Author

[citest]

@spetrosi spetrosi changed the title fix: Configure to run as a confined app after mssql-conf setup fix: Ensure selinux type for used ports, set default data and log dirmode Jan 29, 2024
@spetrosi spetrosi merged commit def28be into linux-system-roles:main Jan 29, 2024
21 of 22 checks passed