Bug 1191504
| Summary: | AVC Denials trying to publish a content view | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Jan Hutař <jhutar> |
| Component: | Packaging | Assignee: | Jason Montleon <jmontleo> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Hutař <jhutar> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1.0 | CC: | bbuckingham, bkearney, cwelton, lzap, mmccune, riehecky |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-12 05:24:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1192447 | ||
| Bug Blocks: | |||
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release. Hey,
for some reason we are missing the following rules:
allow celery_t puppet_etc_t:lnk_file create;
manage_dirs_pattern(celery_t, puppet_etc_t, puppet_etc_t)
manage_files_pattern(celery_t, puppet_etc_t, puppet_etc_t)
I see those in the upstream pulp policy and I also see a boolean flag which is being turned on by our installer:
semanage boolean -l | grep pulp
pulp_manage_puppet (on , on) pulp_manage_puppet
The bug stems from the fact that the moment celery policy is being loaded puppet policy is not yet loaded. We need to load it first. A patch into pulp will follow, but I am not able to workaround this in Satellite 6, therefore we need to backport this into celery policy. I will switch over this to Pulp component once confirmed.
QA: To VERIFY this bug:
1) install pulp with SELinux package
2) check that "semanage boolean -l | grep pulp" shows "on + on"
3) check that "sesearch -A -s celery_t -C | grep manage" actually lists some rules (should not be empty)
FYI it is this block which is being ignored by optional_policy: https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-celery.te#L122-L130 So either the puppet was missing and the solution would be to do this in the enable.sh script: (semodule -l | grep -qE '^puppet\s+') && semodule -i puppet But in that case I'd expect it to fail in the require { type puppet_etc_t } section rather than the optional block. OR There is a bug in the optional block so the policy wont compile it. To fix this remove the optional block, try to recomile if there is a syntax error. I removed the optional block and it compiles just fine on my system. The problem must be that you don't have puppet module loaded when COMPILING the stuff in brew. Can you check this and make sure it is being loaded? As I understand it optional policies are compiled with the normal SELinux policy, but they can be enabled/disabled using `semanage boolean`. Here [0] are the upstream Pulp docs that talk about this area of the SELinux policy. [0]: http://pulp-puppet-dev-guide.readthedocs.org/en/latest/plugin_conf.html#install-distributor Ok I was wrong. https://github.com/pulp/pulp/commit/a3e8a2464f2939fade6f2a79d4680e03aa53e7b1 Backport this patch into branch/release we base Satellite 6.2 pulp off. This has nothing to do with optional_blocks. It is as simple as that. But please doublecheck you correctly require this: Requires(post): selinux-policy-targeted >= 3.12.1-74 From the pulp.spec I can only tell that this require is present only for Fedoras. We need it for RHEL as well. I suggest to ship .te files along with policy for better transparency either directly with pulp-selinux (that's what we do in our packages) or in the -doc subpackage. Reproducer without Satellite 6.2: A) semanage boolean -m --on pulp_manage_puppet B) sesearch -A -s celery_t -t puppet_etc_t The last commant shows no rules. Expected: At least three rules there. Putting this back to Satellite so that downstream can track it. Please open a new bug or clone this one against the Pulp product. The satellite bug needs to be blocked by the Pulp bug. The Pulp bug needs reproducer steps that involve non-satellite things. The Pulp bug should not contain the 'Triaged' keyword. Also the satellite BZ needs to get put onto the right satellite tracker, but that is a downstream concern. That should ensure that its included by rel-eng. So for the Pulp upstream bug, how do I reproduce this with Pulp? If I install Pulp 2.6.0 and run (A) and (B) I'll see no denials because I haven't asked Pulp to do anything yet. There does seem like Pulp needs to make a SELinux adjustment, but but I'm not sure what the actual bug symptom is in Pulp terms. Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release. Hey, you followed reproducer steps correctly, but with wrong Pulp version. Satellite 6.1 ships with pulp-2.5.0, that's what I see in our downstream repo. Try that again with the correct version. Filed: https://bugzilla.redhat.com/show_bug.cgi?id=1192447 Please s/6.2/6.1/g - I am talking about 6.1 here. My mind a bit too ahead :-) We are getting 2.6 in the next snap and I updated the Summary to accurately reflect the bug vs the solution Moving this to ON_QA. This bug is slated to be released with Satellite 6.1. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592 |
Description of problem: I see AVC when publishing content-view: denied { write } for pid=6750 comm="python" name="environments" dev=dm-0 ino=394719 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir type=AVC msg=audit(1423655189.122:781): avc: denied { write } for pid=6750 comm="python" name="environments" dev=dm-0 ino=394719 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir type=SYSCALL msg=audit(1423655189.122:781): arch=c000003e syscall=83 success=no exit=-13 a0=2c3eab0 a1=1ed a2=7f92c3318a08 a3=7fff33f8f658 items=0 ppid=6639 pid=6750 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="python" exe=2F7573722F62696E2F707974686F6E2E237072656C696E6B23202864656C6574656429 subj=unconfined_u:system_r:celery_t:s0 key=(null) Version-Release number of selected component (if applicable): Satellite-6.1.0-RHEL-6-20150210.0-Satellite-x86_64 candlepin-selinux-0.9.41-1.el6.noarch foreman-selinux-1.7.2.8-1.el6_6sat.noarch libselinux-2.0.94-5.8.el6.x86_64 pulp-selinux-2.5.0-0.7.beta.el6_6sat.noarch selinux-policy-3.7.19-260.el6.noarch How reproducible: always Steps to Reproduce: 1. Install Satellite 6: # katello-installer --foreman-admin-email root@localhost \ --foreman-admin-username <user> --foreman-admin-password <pass> \ --capsule-dns true --capsule-dns-forwarders <ip> \ --capsule-dns-forwarders <ip> --capsule-dns-interface virbr1 \ --capsule-dns-zone katellolabs.org --capsule-dhcp true \ --capsule-dhcp-interface virbr1 --capsule-tftp true \ --capsule-puppet true --capsule-puppetca true --verbose 2. Create content view with 2 repositories and attempt to publish it: # hammer content-view publish --id 2 Actual results: AVC gets reported although I do not see any breakage (publish task succeeds) Expected results: There should not be any AVC