Bug 2051522
| Summary: | pulpcore_t and pulpcore_server_t domains are prevented to access httpd_config_t files | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | Pulp | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.11.0 | CC: | ehelms, ggainey, mdepaulo |
| Target Milestone: | 6.11.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pulpcore-selinux-1.3.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-07-05 14:32:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Lukas Pramuk
2022-02-07 12:28:11 UTC
```
# grep avc /var/log/audit/audit.log*
type=AVC msg=audit(1643977935.648:127): avc: denied { read } for pid=1664 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.648:127): avc: denied { open } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:128): avc: denied { getattr } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:129): avc: denied { ioctl } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { search } for pid=1318 comm="pulpcore-worker" name="certs" dev="vda1" ino=151037453 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { read } for pid=1318 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { open } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:131): avc: denied { getattr } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:132): avc: denied { ioctl } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
```

This is fixed upstream in pulpcore-selinux 1.3.0: https://github.com/pulp/pulpcore-selinux/releases/tag/1.3.0

VERIFIED.
@Satellite 6.11.0 Snap16
pulpcore-selinux-1.3.0-1.el7pc.x86_64
by the following manual reproducer:
```
# grep avc.*pulpcore /var/log/audit/audit.log*
<empty>
```
>>> there are no pulpcore related selinux denials
However, on RHEL8 there are still some *other* pulpcore-related denials: pulpcore_t and pulpcore_server_t domains are prevented to access unconfined_service_t:key => BZ#2077017

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498
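As an added triage helper, not code from this bug report or from the pulpcore project, the following Python parses AVC records of the kind quoted in the description, groups the denied permissions by source domain, target type and object class, and separates enforced denials (`permissive=0`) from permissive-mode audit records (`permissive=1`). The embedded sample log is built from the records quoted in the description; the regular expressions and the function names (`parse_avc`, `summarize_denials`, `enforced_denials`, `format_report`) are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug description,
# one record per line, as grep prints them from /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1643977935.648:127): avc: denied { read } for pid=1664 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.648:127): avc: denied { open } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:128): avc: denied { getattr } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:129): avc: denied { ioctl } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { search } for pid=1318 comm="pulpcore-worker" name="certs" dev="vda1" ino=151037453 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { read } for pid=1318 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { open } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:131): avc: denied { getattr } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:132): avc: denied { ioctl } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm ... } for": one record may list several permissions.
# \s+ tolerates the double spaces auditd writes and the single spaces above.
PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for")
# Generic key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """Return the type field (third component) of an SELinux context string."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into a dict; return None for any other line."""
    m = PERMS_RE.search(line)
    if not m or "type=AVC" not in line:
        return None
    fields = {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}
    return {
        "msg": fields["msg"],                        # e.g. audit(1643977935.648:127):
        "perms": set(m.group("perms").split()),
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "target": fields.get("path") or fields.get("name", "?"),
        "sdomain": context_type(fields["scontext"]),  # process domain, e.g. pulpcore_t
        "ttype": context_type(fields["tcontext"]),    # object type, e.g. httpd_config_t
        "tclass": fields["tclass"],                   # file, dir, key, ...
        # permissive=1 means the access was logged but NOT blocked.
        "permissive": fields.get("permissive") == "1",
    }


def summarize_denials(log_text):
    """Group denied permissions by (source domain, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in grouped.items()}


def enforced_denials(log_text):
    """Return only the records with permissive=0, i.e. accesses that were really blocked."""
    return [r for r in map(parse_avc, log_text.splitlines()) if r and not r["permissive"]]


def format_report(summary):
    """Render the grouped summary one line per (domain, type, class) triple."""
    lines = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        lines.append(f"{sdomain} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    print(format_report(summary))
    blocked = enforced_denials(SAMPLE_AUDIT_LOG)
    print(f"{len(blocked)} denial(s) were enforced; the rest are permissive-mode audit records")
```

Run against the sample, the report collapses nine records into three lines: `pulpcore_server_t -> httpd_config_t:file { getattr ioctl open read }`, `pulpcore_t -> httpd_config_t:dir { search }` and `pulpcore_t -> httpd_config_t:file { getattr ioctl open read }`, which is exactly the access the shipped policy lacked. Every record carries `permissive=1`, so nothing was actually blocked on the reporter's box; the value of the summary is in showing which domain/type pairs the vendor policy package (pulpcore-selinux 1.3.0 here) has to cover, which is the right place for the fix rather than a locally generated allow module.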