Bug 2077017
| Summary: | pulpcore_t and pulpcore_server_t domains are prevented to access unconfined_service_t:key | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | Pulp | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.11.0 | CC: | dalley, lzap, mdepaulo |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-10-19 19:33:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Lukas Pramuk
2022-04-20 13:32:21 UTC
type=AVC msg=audit(1650321566.857:1258): avc: denied { read } for pid=21313 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650321566.857:1259): avc: denied { view } for pid=21313 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650364777.880:2144): avc: denied { read } for pid=21313 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650364777.880:2145): avc: denied { view } for pid=21313 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650407988.843:2922): avc: denied { read } for pid=21320 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650407988.843:2923): avc: denied { view } for pid=21320 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650451201.570:3716): avc: denied { read } for pid=21313 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
type=AVC msg=audit(1650451201.570:3717): avc: denied { view } for pid=21313 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
Hi, I need the filepath in order to investigate this further. Or access to the system. The filepath can probably be found with `ausearch -m avc`. Adding a needinfo on the reporter based upon comment 3. I can't get a reproducer machine as I'm not able to reproduce on fresh 6.11 EL8. I might reuse some other setup to check for selinux. LEAPPed ? Working on to set it up Lukas, Just reminding you that I can still work on this if you give me a reproducer. Are we able to correlate these warnings with a specific action being performed on the Satellite? Closing this as having insufficient data for now. It may already be resolved if we can't reproduce it and aren't hearing about it :) The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |