Bug 2051522
| Summary: | pulpcore_t and pulpcore_server_t domains are prevented to access httpd_config_t files | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | Pulp | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.11.0 | CC: | ehelms, ggainey, mdepaulo |
| Target Milestone: | 6.11.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pulpcore-selinux-1.3.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-07-05 14:32:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
# grep avc /var/log/audit/audit.log*
type=AVC msg=audit(1643977935.648:127): avc: denied { read } for pid=1664 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.648:127): avc: denied { open } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:128): avc: denied { getattr } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:129): avc: denied { ioctl } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { search } for pid=1318 comm="pulpcore-worker" name="certs" dev="vda1" ino=151037453 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { read } for pid=1318 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { open } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:131): avc: denied { getattr } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:132): avc: denied { ioctl } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
This is fixed upstream in pulpcore-selinux 1.3.0: https://github.com/pulp/pulpcore-selinux/releases/tag/1.3.0

VERIFIED.
@Satellite 6.11.0 Snap16
pulpcore-selinux-1.3.0-1.el7pc.x86_64
by the following manual reproducer:
# grep avc.*pulpcore /var/log/audit/audit.log*
<empty>
>>> there are no pulpcore related selinux denials
However, on RHEL8 there are still some *other* pulpcore related denials:
pulpcore_t and pulpcore_server_t domains are prevented from accessing unconfined_service_t:key => BZ#2077017
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498
Description of problem:
pulpcore_t and pulpcore_server_t domains are prevented from accessing httpd_config_t files; audit.log is being filled with these denials continuously.

Version-Release number of selected component (if applicable):
Satellite 7.0.0
pulpcore-selinux-1.2.7-1.1.el7pc.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. Have a Satellite
2. Check for denials
# audit2allow -a

#============= pulpcore_server_t ==============
allow pulpcore_server_t httpd_config_t:file { getattr ioctl open read };

#============= pulpcore_t ==============
allow pulpcore_t httpd_config_t:dir search;
allow pulpcore_t httpd_config_t:file { getattr ioctl open read };

Actual results:
selinux denials present

Expected results:
no selinux denials
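The reproducer above runs `audit2allow -a` over the raw AVC records quoted earlier in the report, and the verification step is a `grep avc.*pulpcore` that must come back empty. The script below is an added example, not code from this bug report or from pulpcore-selinux: it parses AVC records in pure Python, collapses them into the same three audit2allow-style rules the reporter pasted, and answers the verification question per source domain without needing the setools stack on the host being checked. The function names are the example's own; the nine pulpcore records are copied from the report, and the tenth httpd_t record is constructed for illustration so the domain filter has something to exclude.

```python
import re
from collections import defaultdict

# The nine AVC records quoted in this report, plus one constructed httpd_t
# record (an assumption added for illustration, not taken from the bug) so
# that the pulpcore domain filter has something to leave out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1643977935.648:127): avc: denied { read } for pid=1664 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.648:127): avc: denied { open } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:128): avc: denied { getattr } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:129): avc: denied { ioctl } for pid=1664 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { search } for pid=1318 comm="pulpcore-worker" name="certs" dev="vda1" ino=151037453 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { read } for pid=1318 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.664:130): avc: denied { open } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:131): avc: denied { getattr } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977935.673:132): avc: denied { ioctl } for pid=1318 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=151037454 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643977999.000:140): avc: denied { name_connect } for pid=2000 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
"""

# Header of an AVC record: timestamp, serial, verdict and the braced permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either "quoted" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    rec = dict(fields)
    rec.update(
        ts=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=frozenset(m.group("perms").split()),
        # permissive=1 means the kernel logged the denial but still allowed the access.
        permissive=fields.get("permissive") == "1",
    )
    return rec


def parse_audit_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


def context_type(context):
    """system_u:system_r:pulpcore_t:s0 -> pulpcore_t (index 2 also survives MLS ranges)."""
    return context.split(":")[2]


def allow_rules(records, domain_prefix=None):
    """Collapse denials into audit2allow-style rules, one per (source, target, class).
    With domain_prefix set, only source domains starting with it are considered."""
    perms_by_key = defaultdict(set)
    for rec in records:
        src = context_type(rec["scontext"])
        if rec["verdict"] != "denied" or (domain_prefix and not src.startswith(domain_prefix)):
            continue
        perms_by_key[(src, context_type(rec["tcontext"]), rec["tclass"])] |= rec["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def denied_domains(records, domain_prefix):
    """Source domains matching the prefix that produced denials; an empty list is
    the scripted equivalent of `grep avc.*pulpcore audit.log` coming back empty."""
    return sorted({context_type(r["scontext"]) for r in records
                   if r["verdict"] == "denied"
                   and context_type(r["scontext"]).startswith(domain_prefix)})


def enforced_denials(records):
    """Denials logged with permissive=0: these actually blocked the access."""
    return [r for r in records if r["verdict"] == "denied" and not r["permissive"]]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(recs, domain_prefix="pulpcore")))
    print("domains still denied:", denied_domains(recs, "pulpcore"))
```

Two caveats when reading the output. Every pulpcore record in the report carries `permissive=1`, so the reads of `/etc/pulp/certs/database_fields.symmetric.key` went through and only the log filled up; on a host in enforcing mode the same policy gap would stop gunicorn and the workers from opening that key, which is why the generated rules are a diagnostic rather than a fix. And `httpd_config_t` is the label for Apache's own configuration under `/etc/httpd`, so loading the audit2allow rules as a local module would grant the pulpcore domains read access to far more than the one key file; the proper fix is the labelling and policy change shipped in pulpcore-selinux 1.3.0, after which `denied_domains(recs, "pulpcore")` should return an empty list.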