Bug 1200722
| Summary: | Apache httpd getattr denial on RHEL7 after restart of Pulp | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Zapletal <lzap> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Tazim Kolhar <tkolhar> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.1.0 | CC: | bmbouter, cwelton, daviddavis, dkliban, ggainey, ipanova, mhrivnak, pcreech, rchan, tkolhar, ttereshc |
| Target Milestone: | Unspecified | Keywords: | Reopened |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-08-12 13:55:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Lukas Zapletal, 2015-03-11 09:42:44 UTC

Cloned upstream: https://pulp.plan.io/issues/748

This bug also needs to have the external tracker set to 'Pulp Redmine' with the bug number 748.

We see additional permission (read) there. It is not just getattr:

```
time->Thu Mar 12 23:32:16 2015
type=SYSCALL msg=audit(1426217536.911:540): arch=c000003e syscall=2 success=no exit=-13 a0=7f43b5e05af8 a1=0 a2=1b6 a3=0 items=0 ppid=5584 pid=5623 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426217536.911:540): avc: denied { read } for pid=5623 comm="httpd" name="webservices.wsgi" dev="dm-0" ino=135939728 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
```

This is caused by the pulp selinux module not being loaded on RHEL7:

RHEL6:

```
[root@dell-pem710-01 ~]# semanage fcontext -l | grep pulp
/etc/pki/pulp(/.*)?    all files    system_u:object_r:pulp_cert_t:s0
/etc/pulp(/.*)?        all files    system_u:object_r:httpd_sys_content_t:s0
/srv/pulp(/.*)?        all files    system_u:object_r:httpd_sys_content_t:s0
/var/lib/pulp(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
/var/log/pulp(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
[root@dell-pem710-01 ~]# semodule -l | grep pulp
pulp-celery    2.6.0
pulp-server    2.6.0
```

RHEL7:

```
[root@dell-pe2900-01 ~]# semanage fcontext -l | grep pulp
[root@dell-pe2900-01 ~]# semodule -l | grep pulp
[root@dell-pe2900-01 ~]# semodule -i /usr/share/selinux/targeted/pulp-celery.pp
libsepol.permission_copy_callback: Module pulp-celery depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
```
```
[root@dell-pe2900-01 ~]# semodule -i /usr/share/selinux/targeted/pulp-server.pp
libsepol.permission_copy_callback: Module pulp-server depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
```

Ok, this was caused by the fact that we build on RHEL 7.1 but test on RHEL 7.0. My fault, I thought I tested on 7.1, but apparently not.

*** Bug 1201802 has been marked as a duplicate of this bug. ***

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

The Pulp upstream bug priority is at High. Updating the external tracker on this bug.

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

QA: To test this, verify Sat 6.1 installs on RHEL 7.1 and does *not* install on RHEL 7.0 (error in dependencies). No code changes are necessary since foreman-selinux will not install on RHEL 7.0, therefore Satellite 6.1 itself will not install as well (thus Pulp too).
VERIFIED:

```
# rpm -qa | grep foreman
qe-sat6-rhel71.usersys.redhat.com-foreman-client-1.0-1.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_docker-1.2.0.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.4-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el7sat.noarch
foreman-compute-1.7.2.15-1.el7sat.noarch
foreman-vmware-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.9-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.5-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.15-1.el7sat.noarch
foreman-ovirt-1.7.2.15-1.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.7-1.el7sat.noarch
foreman-proxy-1.7.2.4-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-postgresql-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
foreman-selinux-1.7.2.13-1.el7sat.noarch
foreman-gce-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.3-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.3-1.el7sat.noarch
foreman-debug-1.7.2.15-1.el7sat.noarch
foreman-libvirt-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.10-1.el7sat.noarch
# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0.1-1.beta.1.el7sat.noarch
# semanage fcontext -l | grep pulp
/etc/pki/pulp(/.*)?    all files    system_u:object_r:pulp_cert_t:s0
/etc/pulp(/.*)?        all files    system_u:object_r:httpd_sys_content_t:s0
/srv/pulp(/.*)?        all files    system_u:object_r:httpd_sys_content_t:s0
/var/lib/pulp(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
/var/log/pulp(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
# semodule -l | grep pulp
pulp-celery    2.6.0.1
pulp-server    2.6.0.1
# semodule -i /usr/share/selinux/targeted/pulp-celery.pp
#
```

Adding mhrivnak to cc list

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

This bug is slated to be released with Satellite 6.1.

This bug was fixed in version 6.1.1 of Satellite, which was released on 12 August, 2015.

The Pulp upstream bug status is at CLOSED - WORKSFORME. Updating the external tracker on this bug.
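The root cause above is a labeling problem rather than a policy gap: the pulp SELinux module was never loaded, so `webservices.wsgi` carried the default `var_t` label instead of the `httpd_sys_content_t` that the `/srv/pulp(/.*)?` rule would have applied. The following Python is an added example, not code from the bug report or from Pulp: it parses `type=AVC` audit records like the one quoted above, resolves the denied object's `dev`/`ino` to a path, looks that path up in the fcontext rules listed in the report, and reports whether the file is mislabeled (relabel after loading the module) or already carries the expected label (a genuine policy gap). The inode-to-path map, the `/srv/pulp/webservices.wsgi` and `/var/log/pulp/pulp.log` paths, and the second audit record are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample audit log: the SYSCALL/AVC pair from the bug report (SYSCALL
# fields abbreviated) plus a second AVC record invented for contrast, in which the
# target already carries the label the pulp fcontext rule prescribes.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1426217536.911:540): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426217536.911:540): avc: denied { read } for pid=5623 comm="httpd" name="webservices.wsgi" dev="dm-0" ino=135939728 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1426217600.100:541): avc: denied { execute } for pid=5630 comm="httpd" name="pulp.log" dev="dm-0" ino=135939999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
"""

# Constructed (dev, ino) -> path map; on a real host this comes from
# `find / -xdev -inum <ino>`. The paths are assumptions for this example.
INODE_PATHS: Dict[Tuple[str, str], str] = {
    ("dm-0", "135939728"): "/srv/pulp/webservices.wsgi",
    ("dm-0", "135939999"): "/var/log/pulp/pulp.log",
}

# Expected labels, as printed by `semanage fcontext -l | grep pulp` on the
# working host in the report (path regex -> SELinux type).
PULP_FCONTEXT: Dict[str, str] = {
    r"/etc/pki/pulp(/.*)?": "pulp_cert_t",
    r"/etc/pulp(/.*)?": "httpd_sys_content_t",
    r"/srv/pulp(/.*)?": "httpd_sys_content_t",
    r"/var/lib/pulp(/.*)?": "httpd_sys_rw_content_t",
    r"/var/log/pulp(/.*)?": "httpd_sys_rw_content_t",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one type=AVC record into a dict; other record types yield None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": m["ts"],
        "serial": int(m["serial"]),
        "decision": m["decision"],
        "perms": m["perms"].split(),
    }
    for key, value in KV_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def parse_audit_log(text: str) -> List[dict]:
    """Return all AVC records in the log, skipping SYSCALL and other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def expected_type(path: str) -> Optional[str]:
    """Label the pulp fcontext rules would assign to path, or None if no rule matches."""
    for pattern, selinux_type in PULP_FCONTEXT.items():
        if re.fullmatch(pattern, path):
            return selinux_type
    return None


def diagnose(rec: dict, inode_paths: Dict[Tuple[str, str], str] = INODE_PATHS) -> dict:
    """Classify a file denial as mislabeled, a policy gap, or an unknown path."""
    path = inode_paths.get((rec.get("dev", ""), rec.get("ino", "")))
    want = expected_type(path) if path else None
    if want is None:
        verdict = "unknown-path"   # not covered by the pulp rules; look elsewhere
    elif want != rec["target_type"]:
        verdict = "mislabeled"     # rules never applied: load module, then restorecon
    else:
        verdict = "policy-gap"     # label is right; relabeling will not help
    return {
        "serial": rec["serial"],
        "path": path,
        "perms": rec["perms"],
        "actual": rec["target_type"],
        "expected": want,
        "verdict": verdict,
    }


def triage(text: str, inode_paths: Dict[Tuple[str, str], str] = INODE_PATHS) -> List[dict]:
    """Parse and diagnose every AVC record in an audit log excerpt."""
    return [diagnose(r, inode_paths) for r in parse_audit_log(text)]


if __name__ == "__main__":
    for result in triage(SAMPLE_AUDIT):
        print(result)
```

For the report's record the verdict is `mislabeled` (`var_t` found, `httpd_sys_content_t` expected), which points at the missing module and a `restorecon -Rv /srv/pulp` once it loads, rather than at writing a new allow rule. A `policy-gap` verdict is the case where a custom rule, not relabeling, would be needed.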