Bug 1716973
| Summary: | Denials for qpidd when configured for Satellite 6.6 on RHEL8 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Lukas Zapletal <lzap> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified |
| Target Release: | 8.1 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:11:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixes in Fedora:
commit 8e3effc1615f7f47cd58a137438b932fc50e2c28 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Wed Jun 5 11:23:03 2019 +0200
Allow qpidd_t domain to getattr all fs_t filesystem and mmap usr_t files
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547
Hey,

```
[root@pipeline-satellite-6-6-rhel8 vagrant]# ausearch -m AVC | grep qpidd
type=SYSCALL msg=audit(1559639047.796:3738): arch=c000003e syscall=137 success=yes exit=0 a0=55734993fce8 a1=7ffda3aa3740 a2=55734992b120 a3=7fa50cde3cc0 items=0 ppid=1 pid=21817 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1559639047.796:3738): avc: denied { getattr } for pid=21817 comm="qpidd" name="/" dev="vda3" ino=128 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=SYSCALL msg=audit(1559639047.797:3739): arch=c000003e syscall=9 success=yes exit=140346887987200 a0=0 a1=308 a2=1 a3=2 items=0 ppid=1 pid=21817 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1559639047.797:3739): avc: denied { map } for pid=21817 comm="qpidd" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="vda3" ino=67118442 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

[root@pipeline-satellite-6-6-rhel8 vagrant]# audit2allow -aR

require {
	type qpidd_t;
}

#============= qpidd_t ==============
files_mmap_usr_files(qpidd_t)
fs_getattr_xattr_fs(qpidd_t)
```

We do have a custom configuration which is:

```
[root@pipeline-satellite-6-6-rhel8 vagrant]# cat /etc/qpid/qpidd.conf | egrep -v '^#' | sort
acl-file=/etc/qpid/qpid.acl
auth=no
interface=lo
log-enable=error+
log-to-syslog=yes
require-encryption=yes
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-name=broker
ssl-cert-password-file=/etc/pki/katello/nssdb/nss_db_password-file
ssl-port=5671
ssl-require-client-authentication=yes
wcache-page-size=4

[root@pipeline-satellite-6-6-rhel8 vagrant]# cat /etc/qpid/qpid.acl | egrep -v '^#' | sort
acl allow all all
acl allow katello_agent@QPID access exchange
acl allow katello_agent@QPID access method name=create
acl allow katello_agent@QPID access queue
acl allow katello_agent@QPID consume queue
acl allow katello_agent@QPID create queue
acl allow katello_agent@QPID publish exchange name=qmf.default.direct
acl allow katello_agent@QPID publish exchange routingkey=pulp.task
acl deny-log katello_agent@QPID access method name=*
acl deny-log katello_agent@QPID all all

[root@pipeline-satellite-6-6-rhel8 vagrant]# cat /etc/qpid/qpidc.conf | egrep -v '^#' | sort
log-enable=error+
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-name=broker
ssl-cert-password-file=/etc/pki/katello/nssdb/nss_db_password-file
ssl-port=5671
```
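To make the two AVC records in the report above easier to triage, here is an added example (not from the bug report or the selinux-policy project) that parses each denial into source type, target type, object class and permission, notes whether it was logged under permissive mode (the access went through but would be blocked when enforcing), and collapses the denials into the raw `allow` rules that the interfaces `audit2allow -R` printed (`files_mmap_usr_files`, `fs_getattr_xattr_fs`) wrap. The sample input is the two AVC lines copied from the report.

```python
import re

# Sample input: the two AVC records from the bug report, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1559639047.796:3738): avc: denied { getattr } for pid=21817 comm="qpidd" name="/" dev="vda3" ino=128 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1559639047.797:3739): avc: denied { map } for pid=21817 comm="qpidd" path="/usr/share/p11-kit/modules/p11-kit-trust.module" dev="vda3" ino=67118442 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
"""

# Fields of an AVC record: permission set, source/target contexts, class,
# and the optional permissive flag (1 = access was granted but logged).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(text):
    """Return one dict per AVC denial line found in the audit text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or 'type=AVC' not in line:
            continue  # SYSCALL and other record types carry no denial
        denials.append({
            'perms': tuple(sorted(m['perms'].split())),
            # A context is user:role:type:level; the type is the third field.
            'stype': m['scontext'].split(':')[2],
            'ttype': m['tcontext'].split(':')[2],
            'tclass': m['tclass'],
            'permissive': m['permissive'] == '1',
        })
    return denials


def te_rules(denials):
    """Merge denials per (source, target, class) into minimal allow rules."""
    merged = {}
    for d in denials:
        key = (d['stype'], d['ttype'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


if __name__ == '__main__':
    for rule in te_rules(parse_avc(SAMPLE_AVC)):
        print(rule)
```

Running it on the sample prints `allow qpidd_t fs_t:filesystem { getattr };` and `allow qpidd_t usr_t:file { map };`, which is the same access the Fedora commit grants via the two policy interfaces.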