Bug 1976783

Summary: AVC denials on new instance of 6.10 snap 6
Product: Red Hat Satellite Reporter: Stephen Wadeley <swadeley>
Component: PulpAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Stephen Wadeley <swadeley>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.10.0CC: bmbouter, ggainey, lzap, mdepaulo, mikedep333, osousa, pcreech, rchan, ttereshc
Target Milestone: 6.10.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pulpcore-selinux-1.2.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-16 14:12:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Wadeley 2021-06-28 08:39:37 UTC 
Description of problem:

On an a new instance of Satellite, created from an image and having undergone change-hostname, AVC denials are seen.

Version-Release number of selected component (if applicable):

testing with new instance of 6.10.0-6.0

~]# rpm -q satellite
satellite-6.10.0-0.3.beta.el7sat.noarch

How reproducible:
not sure

Steps to Reproduce:
1. Create image of satellite
2. Create instance of image
3. Run change hostname script

(the above is summary of SatLab process)

Actual results:

~]# ausearch -m AVC,USER_AVC -ts today
----
time->Mon Jun 28 03:09:00 2021
type=PROCTITLE msg=audit(1624864140.110:120): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624864140.110:120): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=1193 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864140.110:120): avc:  denied  { create } for  pid=1193 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:09:00 2021
type=PROCTITLE msg=audit(1624864140.110:121): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624864140.110:121): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd6e048ad0 a2=15 a3=f0 items=0 ppid=1 pid=1193 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864140.110:121): avc:  denied  { sendto } for  pid=1193 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864140.110:121): avc:  denied  { connect } for  pid=1193 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:09:00 2021
type=PROCTITLE msg=audit(1624864140.603:125): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624864140.603:125): arch=c000003e syscall=4 success=no exit=-2 a0=7f48312c1d00 a1=7ffcd8383a10 a2=7ffcd8383a10 a3=1 items=0 ppid=1 pid=1151 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864140.603:125): avc:  denied  { search } for  pid=1151 comm="gunicorn" name="httpd" dev="vda1" ino=75586928 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
----
time->Mon Jun 28 03:09:01 2021
type=PROCTITLE msg=audit(1624864141.353:127): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624864141.353:127): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=1151 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864141.353:127): avc:  denied  { create } for  pid=1151 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:09:01 2021
type=PROCTITLE msg=audit(1624864141.354:128): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624864141.354:128): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffcd8389b70 a2=15 a3=b10 items=0 ppid=1 pid=1151 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864141.354:128): avc:  denied  { sendto } for  pid=1151 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864141.354:128): avc:  denied  { connect } for  pid=1151 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:02 2021
type=PROCTITLE msg=audit(1624865762.890:792): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624865762.890:792): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=9296 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865762.890:792): avc:  denied  { create } for  pid=9296 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:02 2021
type=PROCTITLE msg=audit(1624865762.891:793): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624865762.891:793): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fffc4774010 a2=15 a3=f0 items=0 ppid=1 pid=9296 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865762.891:793): avc:  denied  { sendto } for  pid=9296 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624865762.891:793): avc:  denied  { connect } for  pid=9296 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:04 2021
type=PROCTITLE msg=audit(1624865764.231:799): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624865764.231:799): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=9404 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865764.231:799): avc:  denied  { create } for  pid=9404 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:04 2021
type=PROCTITLE msg=audit(1624865764.231:800): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624865764.231:800): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffcc3f4c270 a2=15 a3=b10 items=0 ppid=1 pid=9404 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865764.231:800): avc:  denied  { connect } for  pid=9404 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
[root@dhcp-3-76 ~]# 

Expected results:

no AVCs
Comment 1 Lukas Zapletal 2021-06-28 12:10:41 UTC 
These are all pulp-related services, flipping over to the Pulp component as the team maintains the policy themselves.

What would be useful is to turn it into permissive mode, install SELinux development tools and then:

sepolgen-ifgen
audit2allow -Ral

To generate reverse rules to see them, thanks!
Comment 6 Stephen Wadeley 2021-06-29 17:41:30 UTC 
(In reply to Lukas Zapletal from comment #1)
> These are all pulp-related services, flipping over to the Pulp component as
> the team maintains the policy themselves.
> 
> What would be useful is to turn it into permissive mode, install SELinux
> development tools and then:
> 
> sepolgen-ifgen
> audit2allow -Ral
> 
> To generate reverse rules to see them, thanks!


 ~]# sepolgen-ifgen
 ~]# audit2allow -Ral

require {
	type pulpcore_server_t;
	class unix_dgram_socket { connect create };
}

#============= pulpcore_server_t ==============
allow pulpcore_server_t self:unix_dgram_socket { connect create };
apache_search_config(pulpcore_server_t)
kernel_dgram_send(pulpcore_server_t)


Thank you
Comment 10 Brad Buckingham 2021-08-11 13:02:09 UTC 
Another bz related to SELinux is bug 1991030.
Comment 12 Mike DePaulo 2021-08-23 13:28:25 UTC 
My proposed fix is here (Thank you Lukas, but I made additions per below):

After investigation, I determined that:
1. This is unrelated to the change in hostname.
2. This did not occur in pulp_installer because our service files do not have type=notify
I created a PR so that it does: https://github.com/pulp/pulp_installer/pull/735
3. There is another denial, present on both my test system and on evgeni's Katello system [1].
4. This creates a need for sendto and kernel_t in the auto-generated policy:
require {
	type kernel_t;
	type pulpcore_server_t;
	class unix_dgram_socket { connect create sendto };
}

My proposed fix is here:
https://github.com/pulp/pulpcore-selinux/pull/37


[1] type=AVC msg=audit(1626392980.545:2751): avc:  denied  { sendto } for  pid=31039 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Comment 16 pulp-infra@redhat.com 2021-08-24 17:14:52 UTC 
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
Comment 17 pulp-infra@redhat.com 2021-08-24 17:14:53 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 18 Mike DePaulo 2021-08-24 20:52:32 UTC 
Upstream released:

https://github.com/pulp/pulpcore-selinux/releases/tag/1.2.5
Comment 19 Mike DePaulo 2021-08-24 20:54:49 UTC 
Note that there was much discussion of the nature of the bug and how to properly fix it, and it was conducted on the upstream PR:
https://github.com/pulp/pulpcore-selinux/pull/37

Note that pulp_installer will utilize Type=notify from now on:
https://github.com/pulp/pulp_installer/pull/735
Comment 20 pulp-infra@redhat.com 2021-08-24 21:07:12 UTC 
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 23 pulp-infra@redhat.com 2021-10-11 21:07:28 UTC 
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 24 pulp-infra@redhat.com 2021-10-11 21:07:30 UTC 
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 27 errata-xmlrpc 2021-11-16 14:12:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702