Bug 2111570
Summary: | AVC denials noticed for gunicorn process after upgrading the Satellite 6.11 OS from RHEL 7 to RHEL 8 using leapp | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Sayan Das <saydas> | |
Component: | SELinux | Assignee: | Lukas Zapletal <lzap> | |
Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 6.11.0 | CC: | ahumbe, brant.evans, ehelms, lzap, parmstro, pmendezh, zhunting | |
Target Milestone: | 6.12.0 | Keywords: | Triaged, Upgrades | |
Target Release: | Unused | |||
Hardware: | All | |||
OS: | All | |||
Whiteboard: | ||||
Fixed In Version: | pulpcore-selinux-1.3.2 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 2122197 (view as bug list) | Environment: | ||
Last Closed: | 2022-11-16 13:34:51 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Sayan Das
2022-07-27 13:46:04 UTC
Going back a little further, the gunicorn errors show up: [root@sat6 ~]# journalctl -t setroubleshoot --since=06:00 -- Logs begin at Mon 2022-07-25 16:40:54 EDT, end at Wed 2022-07-27 10:14:15 EDT. -- Jul 27 06:00:09 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473> Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10 Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc> Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10 Jul 27 06:00:25 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473> Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Set alarm timeout to 10 Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc> Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default. Then you should report this as a bug. I am seeing the gunicorn AVC denials as well. [root@satellite ~]# ausearch -m AVC,USER_AVC -ts boot ---- time->Tue Jul 26 16:43:56 2022 type=PROCTITLE msg=audit(1658879036.101:80): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373 type=SYSCALL msg=audit(1658879036.101:80): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null) type=AVC msg=audit(1658879036.101:80): avc: denied { read } for pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1 ---- time->Tue Jul 26 16:43:56 2022 type=PROCTITLE msg=audit(1658879036.102:81): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373 type=SYSCALL msg=audit(1658879036.102:81): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null) type=AVC msg=audit(1658879036.102:81): avc: denied { view } for pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1 ---- .... DELETED ADDITIONAL EXAMPLES Running audit2allow shows the missing rule that is needed: [root@satellite ~]# audit2allow -b #============= pulpcore_server_t ============== allow pulpcore_server_t pulpcore_t:key { read view }; VERIFIED.
@Satellite 6.12.0 Snap10
pulpcore-selinux-1.3.2-1.el8pc.x86_64
SanityOnly.
There is no LEAPP upgrade possible for 6.12 which is el8 only
At least I verify the same change set went in:
# semodule_unpackage /usr/share/selinux/targeted/pulpcore.{pp,mod}
# sedismod /usr/share/selinux/targeted/pulpcore.mod
...
Command ('m' for menu): f
Filename for output (<CR> for screen output): out
Output to file: out
Command ('m' for menu): 1
Command ('m' for menu): q
# grep 'allow pulpcore_server_t pulpcore_t' out
allow pulpcore_server_t pulpcore_t : [key] { view read };
>>> the change in selinux policy is present
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8506 |