Bug 2151664 (selinux)
| Summary: | [Sat6.12/SELinux/Bug] Running with SELinux Permissive mode triggers an AVC | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Rajesh Dulhani <rdulhani> |
| Component: | SELinux | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED DUPLICATE | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 6.12.0 | CC: | aruzicka, peter.vreman |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-07-18 17:16:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This looks like a duplicate of BZ2218932 so I'll go ahead and close it as such. If you feel the two BZs are distinct enough, feel free to reopen otherwise please follow the other BZ for updates. *** This bug has been marked as a duplicate of bug 2218932 *** |
Description of problem: I enabled SELinux permissive mode as part of my testing for the updated rhel8.7 insights-client. In that testing, an SELinux AVC is triggered between pulp processes. I was able to reproduce it also later by just running 'setenforce Permissive' ~~~ [Azure] vrempet-admin@li-lc-2751 ~ $ sudo aureport -a AVC Report =============================================================== # date time comm subj syscall class permission obj result event =============================================================== 1. 11/30/2022 07:30:08 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 53512 2. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55518 3. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55519 4. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55520 5. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55521 6. 11/30/2022 09:24:05 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55573 7. 11/30/2022 09:24:05 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55574 8. 11/30/2022 09:24:06 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55575 9. 11/30/2022 09:24:06 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55576 10. 11/30/2022 09:24:20 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55579 11. 11/30/2022 09:24:20 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55580 [Azure] vrempet-admin@li-lc-2751 ~ $ sudo ausearch -i -m avc,user_avc -ts today ---- type=USER_AVC msg=audit(11/30/2022 07:30:08.581:53512) : pid=1127 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=8) exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' ---- type=PROCTITLE msg=audit(11/30/2022 09:23:58.268:55518) : proctitle=/usr/bin/python3.9 /usr/bin/pulpcore-worker type=SYSCALL msg=audit(11/30/2022 09:23:58.268:55518) : arch=x86_64 syscall=keyctl success=yes exit=11 a0=0xb a1=0x1081359d a2=0x0 a3=0x0 items=0 ppid=1363 pid=1334513 auid=unset uid=pulp gid=pulp euid=pulp suid=pulp fsuid=pulp egid=pulp sgid=pulp fsgid=pulp tty=(none) ses=unset comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:pulpcore_t:s0 key=(null) type=AVC msg=audit(11/30/2022 09:23:58.268:55518) : avc: denied { read } for pid=1334513 comm=pulpcore-worker scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=key permissive=1 ---- type=PROCTITLE msg=audit(11/30/2022 09:23:58.268:55519) : proctitle=/usr/bin/python3.9 /usr/bin/pulpcore-worker type=SYSCALL msg=audit(11/30/2022 09:23:58.268:55519) : arch=x86_64 syscall=keyctl success=yes exit=41 a0=0x6 a1=0x1081359d a2=0x0 a3=0x0 items=0 ppid=1363 pid=1334513 auid=unset uid=pulp gid=pulp euid=pulp suid=pulp fsuid=pulp egid=pulp sgid=pulp fsgid=pulp tty=(none) ses=unset comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:pulpcore_t:s0 key=(null) type=AVC msg=audit(11/30/2022 09:23:58.268:55519) : avc: denied { view } for pid=1334513 comm=pulpcore-worker scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=key permissive=1 ---- ... [Azure] vrempet-admin@li-lc-2751 ~ $ sudo audit2allow -a #============= pulpcore_t ============== allow pulpcore_t pulpcore_server_t:key { read view }; ~~~ What is the business impact? Please also provide timeframe information. unexpected log entries