[Solved] Selinux prevent sending files with ftp

tydell
Posts: 1
Joined: 2019/09/16 07:01:15

[Solved] Selinux prevent sending files with ftp

Post by tydell » 2019/09/16 07:19:12

Hello.

I am new to SELinux, so sorry for my newbie question. Maybe someone could help with this case or just tell me where I could try to find some information to solve this issue.

I'm using Foreman on a CentOS host (release 7.6.1810). I have configured the foreman_hooks plugin to trigger some actions after provisioning hosts. The script that is triggered is simple: I just need to send a text file (label template) over ftp to a label printer. When I execute a bash script with the same commands it works. When I try to automate it with foreman_hooks then I get 'ftp: connect: Permission denied'. The foreman_hook script is executed by the foreman user, not root.

My foreman hook script is as follow:

#!/bin/bash
# event name (create, before_destroy etc.)
# orchestration hooks must obey this to support rollbacks (create/update/destroy)
event=${HOOK_EVENT}
object=${HOOK_OBJECT}

# Example of using hook_data to query the JSON representation of the object
# passed by foreman_hooks.  `cat $HOOK_OBJECT_FILE` to see the contents.
# (hook_data is defined in hook_functions.sh, the helper file that sits in the
# same hook directory.)

hostname=$(hook_data .host.name)
mac=$(hook_data .host.mac)
name=$(echo "${hostname}" | cut -f1 -d'.')

# look up the printer serial for this MAC; the answer lands in a temp file named after the host
frasid=$(/usr/bin/wget --no-proxy --quiet --output-document=/usr/share/foreman/tmp/$name --no-check-certificate "https://my_url/fras/hotspot/get_id/?key=mac_sticker&value=$mac")
HOST='10.28.89.152'
USER='ftpprint'
PASS='print'
fxnum=$(cat /usr/share/foreman/tmp/${name})

# write the label template for the printer
cat > /usr/share/foreman/tmp/FX${fxnum}.txt << EOT
    m m
    J
    H 100
    S l1;0,0,19,22,38
    O R
    T 8,7,0,3,2;Hotspot
    T 6,9,0,3,2;support@hotspot.de
    T 4,19,90,5,3;HOTSPOT
    T 9,18,0,5,3;S/N:
    T:SERIAL;17,18,0,5,3;FX${fxnum}
    B 6,10,0,code39,5,0.25,2;[SERIAL]
    A1
EOT

cd /usr/share/foreman/tmp/

# upload the label over ftp; this is the step that fails under the hook
/usr/bin/ftp -ni << EOF
open $HOST
user $USER $PASS
bin
mput FX${fxnum}.txt
quit
EOF

rm -R /usr/share/foreman/tmp/$name
rm -R /usr/share/foreman/tmp/FX$fxnum.txt
Everything else works, as I can 'echo' all the variables and they are correct. It is just about the ftp command execution.

Some logs to debug:

[root@puppet ~]# ls -laZ /usr/share/foreman/config/hooks/host/managed/after_provision/
drwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0       .
drwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0       ..
-rwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0       10_print_label.sh
-rwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0       20_log.sh
-rwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0       hook_functions.sh

[root@puppet production]# aureport -a
435. 13.09.2019 16:06:16 ftp system_u:system_r:passenger_t:s0 42 tcp_socket name_connect system_u:object_r:ftp_port_t:s0 denied 7505
436. 13.09.2019 16:50:05 ftp system_u:system_r:passenger_t:s0 42 tcp_socket name_connect system_u:object_r:ftp_port_t:s0 denied 7552

[root@puppet production]# ausearch -c 'ftp' --raw
type=PROCTITLE msg=audit(1568383472.309:7503): proctitle=2F7573722F62696E2F667470002D6E69
type=AVC msg=audit(1568383544.496:7504): avc:  denied  { name_connect } for  pid=11300 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568383544.496:7504): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=2354610 a2=10 a3=7ffe7cddf9a0 items=0 ppid=11282 pid=11300 auid=4294967295 uid=998 gid=995 euid=998 suid=998 fsuid=998 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1568383544.496:7504): proctitle=2F7573722F62696E2F667470002D6E69
type=AVC msg=audit(1568383576.195:7505): avc:  denied  { name_connect } for  pid=12042 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568383576.195:7505): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=11af610 a2=10 a3=7ffff6d62ba0 items=0 ppid=12024 pid=12042 auid=4294967295 uid=998 gid=995 euid=998 suid=998 fsuid=998 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1568383576.195:7505): proctitle=2F7573722F62696E2F667470002D6E69
type=AVC msg=audit(1568386205.243:7552): avc:  denied  { name_connect } for  pid=25346 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568386205.243:7552): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=c1c610 a2=10 a3=7ffc62bb4920 items=0 ppid=25344 pid=25346 auid=4294967295 uid=998 gid=995 euid=998 suid=998 fsuid=998 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1568386205.243:7552): proctitle=667470002D6E0031302E32382E38392E313532

[root@puppet production]# grep -i hook /var/log/foreman/production.log
2019-09-13T16:30:10 [D|app|] Found hook to Host::Managed#after_provision, filename 20_log.sh
2019-09-13T16:30:10 [D|app|] Found hook to Host::Managed#after_provision, filename hook_functions.sh
2019-09-13T16:30:10 [D|app|] Found hook to Host::Managed#after_provision, filename 10_print_label.sh
2019-09-13T16:30:10 [I|app|] Finished discovering 3 hooks for Host::Managed#after_provision
2019-09-13T16:30:15 [D|app|] Extending Host::Managed with foreman_hooks Rails hooking support
2019-09-13T16:30:15 [D|app|] Created hook method after_provision on Host::Managed
2019-09-13T16:30:16 [D|app|] Extending Host::Managed with foreman_hooks Rails hooking support
2019-09-13T16:30:16 [D|app|] Created hook method after_provision on Host::Managed
2019-09-13T16:50:04 [D|app|8c1ce] custom hook before_provision on hotspot-1329601.frederix-hotspot.de will be executed if defined.
2019-09-13T16:50:04 [D|app|8c1ce] Observed after_provision hook on hotspot-1329601.frederix-hotspot.de
2019-09-13T16:50:04 [D|app|8c1ce] Running 3 hooks for Host::Managed#after_provision
2019-09-13T16:50:04 [D|app|8c1ce] Running hook: /usr/share/foreman/config/hooks/host/managed/after_provision/10_print_label.sh after_provision hotspot-1329601.frederix-hotspot.de
2019-09-13T16:50:05 [D|app|8c1ce] Hook output: ftp: connect: Permission denied
2019-09-13T16:50:05 [D|app|8c1ce] Running hook: /usr/share/foreman/config/hooks/host/managed/after_provision/20_log.sh after_provision hotspot-1329601.frederix-hotspot.de
2019-09-13T16:50:05 [D|app|8c1ce] Running hook: /usr/share/foreman/config/hooks/host/managed/after_provision/hook_functions.sh after_provision hotspot-1329601.frederix-hotspot.de
I am also thinking about automating the addition of new hosts to the check_mk monitoring tool. I can do it easily with curl (curl "https://my_check_mk_url/prod/check_mk/webapi.py?action=add_host&_username=api&_secret=***********"), but I'm afraid SELinux will prevent that too :)
Last edited by tydell on 2019/11/29 10:09:16, edited 1 time in total.

ron7000
Posts: 162
Joined: 2019/01/15 20:00:28

Re: Selinux prevent sending files with ftp

Post by ron7000 » 2019/09/16 13:24:08

/etc/selinux/config is where SELinux is told to be in enforcing, permissive or disabled mode. By default it's turned on (enforcing) and everything is blocked unless there's an SELinux exception (rule) in place allowing it.

The general procedure is to have SELinux enforcing; if something doesn't work, then look in the audit log /var/log/audit for telltale signs that SELinux blocked something.

One option is to set SELinux to permissive in the config file. This is like SELinux being disabled, but when it would have blocked something it does not; it just prints the messages in the audit log. It is not recommended to "disable" SELinux but instead to use "permissive". So you can turn off SELinux by setting it to permissive, which will allow whatever you were doing to not get blocked.

https://wiki.centos.org/HowTos/SELinux

https://docs.fedoraproject.org/en-US/qu ... and-modes/


Sorry, I don't know enough to tell you how to edit the SELinux policy. I've only had to do it for Samba, which is explained in /etc/samba/smb.conf.example. But because you said ftp, there are SELinux booleans, and there are a few related to FTP, one of which is "ftp_home_dir" and by default is off (all FTP SELinux stuff is probably off by default). So it may be a simple matter of turning on some SELinux booleans...

getsebool -a | less
getsebool ftp_home_dir
setsebool ftp_home_dir on

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux prevent sending files with ftp

Post by TrevorH » 2019/09/16 14:35:40

ron7000 wrote: "one option is set selinux to permissive in the config file"
Don't. If you need to go permissive then you can just run setenforce 0 to do so.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Selinux prevent sending files with ftp

Post by hunter86_bg » 2019/09/17 03:17:21

I agree with TrevorH.

Just set it to permissive one time via:

setenforce 0
Then run a job or two, in order to get the necessary info into /var/log/audit/audit.log.
The next step is to analyze that. I prefer using "sealert" as it's quite easy to use.

yum whatprovides "*/sealert"

setroubleshoot-server-3.2.30-3.el7.x86_64 : SELinux troubleshoot server
Repo        : base
Matched from:
Filename    : /usr/bin/sealert
setroubleshoot-server-3.2.30-3.el7.x86_64 : SELinux troubleshoot server
Repo        : @base
Matched from:
Filename    : /usr/bin/sealert
Then just install it and analyze the logs.

yum install setroubleshoot-server ; sealert -a /var/log/audit/audit.log
Notice the confidence level (in percent), and if further help is needed, post in the forum.

P.S.: Don't forget to re-enable SELinux enforcing and test your changes afterwards!!!
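The analysis step above (collect AVC records under permissive mode, then work out what rule is missing) is what sealert and audit2allow do on the box. As an added example that is not code from this thread, the script below does the same offline: it parses type=AVC records as ausearch --raw prints them, groups the denials by source type, target type and object class, and drafts the .te module audit2allow -M would produce. The sample records are the three AVC lines from the first post (plus one SYSCALL line the parser must skip); the module name foreman_ftp is an assumption.

```python
"""Parse SELinux AVC records and draft the matching type-enforcement module.

Added example, not code from the thread or from Foreman. Sample input is
copied from the ausearch output in the first post; 'foreman_ftp' is an
assumed module name.
"""
import re
from collections import defaultdict

# Constructed sample: the thread's three type=AVC records plus one SYSCALL
# record, which must be ignored (only AVC records describe the denial).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1568383544.496:7504): avc:  denied  { name_connect } for  pid=11300 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568383544.496:7504): arch=c000003e syscall=42 success=no exit=-13 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1568383576.195:7505): avc:  denied  { name_connect } for  pid=12042 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1568386205.243:7552): avc:  denied  { name_connect } for  pid=25346 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<decision>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def type_of(context):
    """'system_u:system_r:passenger_t:s0' -> 'passenger_t' (the type field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC record; SYSCALL/PROCTITLE lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        records.append({
            "decision": m.group("decision"),
            "perms": set(m.group("perms").split()),
            "scontext": m.group("scontext"),
            "tcontext": m.group("tcontext"),
            "tclass": m.group("tclass"),
            # permissive=1: logged but not blocked, i.e. what you collect
            # while running the job after setenforce 0.
            "permissive": m.group("permissive") == "1",
            "comm": comm.group(1) if comm else None,
        })
    return records


def summarize(records):
    """Group denials by (source type, target type, class) with perms and hit count."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for r in records:
        if r["decision"] != "denied":
            continue
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        summary[key]["perms"] |= r["perms"]
        summary[key]["count"] += 1
    return dict(summary)


def _perm_list(perms):
    """Policy syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def to_te_module(name, summary):
    """Draft the .te source that audit2allow -M would write for these denials."""
    types, classes, rules = set(), defaultdict(set), []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        types.update((stype, ttype))
        classes[tclass] |= info["perms"]
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, _perm_list(info["perms"])))
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s %s;" % (c, _perm_list(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = summarize(parse_avc(SAMPLE_AUDIT))
    for (stype, ttype, tclass), info in summary.items():
        print("%s -> %s (%s): %s, %d hits" % (
            stype, ttype, tclass, " ".join(sorted(info["perms"])), info["count"]))
    # Check `getsebool -a | grep <type>` for a boolean covering the access
    # first; a boolean is reviewed and reversible, a local module is yours to
    # maintain. To load the draft: checkmodule -M -m -o foreman_ftp.mod foreman_ftp.te;
    # semodule_package -o foreman_ftp.pp -m foreman_ftp.mod; semodule -i foreman_ftp.pp
    print(to_te_module("foreman_ftp", summary))
```

For the records in the thread the summary is a single key, passenger_t -> ftp_port_t on tcp_socket with permission name_connect and three hits, and the drafted rule is the one line `allow passenger_t ftp_port_t:tcp_socket name_connect;`. Because the grouping is by type rather than by pid or timestamp, the same parser gives the right answer whether the records come from an enforcing box (permissive=0, the job failed) or from the permissive run hunter86_bg suggests (permissive=1, the job succeeded but was logged).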
