Bug 2029385

Summary: selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key
Product: Red Hat Satellite
Reporter: Evgeni Golov <egolov>
Component: Pulp
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: Lai <ltran>
Severity: medium
Priority: unspecified
Version: 6.11.0
CC: dkliban, ggainey, lzap, mdepaulo, mmalik, rchan, swadeley
Target Milestone: 6.11.0
Keywords: SELinux, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pulpcore-selinux-1.3.0
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2022-07-05 14:30:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Evgeni Golov 2021-12-06 11:25:30 UTC
Description of problem:
With pulp 3.16+, there is a new key on disk (/etc/pulp/certs/database_fields.symmetric.key) which needs to be accessed by pulp, but I see denials in the logs:

type=AVC msg=audit(1638468789.727:125): avc:  denied  { search } for  pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { read } for  pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { open } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:126): avc:  denied  { getattr } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:127): avc:  denied  { ioctl } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { read } for  pid=1558 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { open } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.916:130): avc:  denied  { getattr } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.917:131): avc:  denied  { ioctl } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { read } for  pid=19219 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { open } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:840): avc:  denied  { getattr } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:841): avc:  denied  { ioctl } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { read } for  pid=19240 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { open } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:843): avc:  denied  { getattr } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:844): avc:  denied  { ioctl } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):
7.0 snap 1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
see above

Expected results:
no denials

Additional info:
I don't think we currently encrypt any DB fields, so it's not fatal, but still…

Comment 2 Milos Malik 2021-12-15 13:33:03 UTC
I believe that various *.key files are mislabeled. Directories which contain certificates and key files usually have the cert_t label.

Does the scenario work when you label the /etc/pulp/certs directory and its content as cert_t?

# chcon -R -t cert_t /etc/pulp/certs

Comment 3 Evgeni Golov 2021-12-15 13:43:42 UTC
I don't have the machine at hand, so can't check right now, but I think there are no other files in that directory?

Comment 4 Stephen Wadeley 2022-02-23 17:11:56 UTC
(In reply to Evgeni Golov from comment #3)
> I don't have the machine at hand, so can't check right now, but I think
> there are no other files in that directory?

Yes, no other files.

[root@xxxx ~]# ls -laZ /etc/pulp/certs
total 4
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 43 Feb 17 13:20 .
drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0          38 Feb 21 04:58 ..
-rw-r-----. 1 root pulp system_u:object_r:httpd_config_t:s0 45 Feb 17 13:20 database_fields.symmetric.key
[root@xxxx ~]# 

The upstream issue has no one assigned, let's ask @mdepaulo if this is on his list.

Thank you

Comment 6 Dennis Kliban 2022-03-30 17:41:23 UTC
This is fixed in pulpcore-selinux 1.3.0.

Comment 9 Lai 2022-04-26 21:52:43 UTC
Steps to retest:

1. spin up fresh 6.11
2. import manifest
3. sync a few rhel repos
4. create cv and add repos to it
5. publish cv
6. check log for denial for database_fields.symmetric.key

Expected:
There shouldn't be any denials from database_fields.symmetric.key

Actual:
There is no denial for database_fields.symmetric.key

Verified on 6.11_017 with pulpcore-selinux-1.3.0-1.el8pc.x86_64
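A defender-side way to do step 6 over an audit log, as an added example that is not part of this bug report or of pulpcore-selinux: it parses AVC records, keeps only denials whose target is the key file (by name or by path), and groups them by source domain, target type and permission set, which is the triple a policy fix has to cover and which should come back empty after the fix. The sample log is constructed from the records quoted above plus one non-AVC record; the helper names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the AVC records quoted in this bug, plus one
# non-AVC record so the parser has something to skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1638468789.727:125): avc:  denied  { search } for  pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { read } for  pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { open } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1638468790.915:129): arch=c000003e syscall=257 success=yes exit=4
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)'
    r'\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "result": m["result"], "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    return rec

def key_denials(log_text, key_name="database_fields.symmetric.key"):
    """AVC denials whose target object is the key file itself (by name or by path)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and (
                rec.get("name") == key_name or rec.get("path", "").endswith("/" + key_name)):
            out.append(rec)
    return out

def summarize(denials):
    """Group by (source domain, target type, class) and note whether any was enforced."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for d in denials:
        g = groups[(d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"])]
        g["perms"].update(d["perms"])
        # permissive=1: logged but allowed (as on the machine in this bug); =0: access really failed
        g["enforced"] |= d.get("permissive") == "0"
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(key_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"{src} -> {tgt} ({cls}): {sorted(g['perms'])} enforced={g['enforced']}")
```

On a live system the same functions can be fed the output of `ausearch -m AVC` instead of the constructed sample; an empty summary after upgrading to pulpcore-selinux 1.3.0 is the expected result.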

Comment 12 errata-xmlrpc 2022-07-05 14:30:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498