Bug 2223069
| Field | Value |
|---|---|
| Summary | SELinux denials are reported after following "Chapter 13. Managing Custom File Type Content" chapter step by step |
| Product | Red Hat Satellite |
| Component | Pulp |
| Status | CLOSED MIGRATED |
| Severity | medium |
| Priority | medium |
| Version | 6.13.1 |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | All |
| OS | All |
| Fixed In Version | pulpcore-selinux-2.0.0 |
| Doc Type | If docs needed, set a value |
| Reporter | Sayan Das <saydas> |
| Assignee | satellite6-bugs <satellite6-bugs> |
| QA Contact | Shweta Singh <shwsingh> |
| CC | ahumbe, dalley, egolov, osousa, rlavi, shwsingh, zhunting |
| Keywords | MigratedToJIRA, Regression, Triaged |
| Flags | shwsingh: needinfo? (dalley) |
| Clones | 2250343 |
| Bug Depends On | 2263815 |
| Type | Bug |
| Last Closed | 2024-06-06 16:24:35 UTC |
Description
Sayan Das
2023-07-15 06:45:17 UTC
This ought to be addressed now via https://github.com/pulp/pulpcore-selinux/pull/69

However this line from the description confuses me: "For users upgrading from Satellite 6.9, They would have an additional rule in place which a newly install Sat 6.10\11\12\13 would never have"

If we're shipping the selinux policy in a package alongside Satellite, how would users that upgraded from 6.9 have a rule in place that new installations would not? Wouldn't the selinux policy have been swapped wholesale? Where do these remnants come from?

Yeah, I would expect it to happen in that way only, i.e. existing policies should be overwritten with newer ones. But it seems the following remains intact from 6.9, even if that satellite\capsule has been upgraded to 6.11\6.12\6.13:

    /var/lib/pulp(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0

Maybe the postinstall scriptlet of pulpcore-selinux requires some modifications here?

Dennis makes the point that "pulpcore-selinux policy is distinct from the pulp-selinux policy that shipped with pulp 2 so it's possible that the old selinux policy was still installed". It doesn't look like the specfile declares any obsoletes on the old package, so that sounds plausible.

Very much possible as Sat 6.9 is shipped with both pulp-selinux (Pulp2) and pulpcore-selinux (Pulp3), but that means the pre/postuninstall scriptlet of pulp-selinux never removed the existing policies.

```
# rpm -q --scripts pulp-selinux
preinstall scriptlet (using /bin/sh):
# Record old version so we can limit which restorecon statement are executed later
test -e /var/lib/rpm-state/pulp || mkdir -p /var/lib/rpm-state/pulp
oldversion=$(rpm -qa pulp-selinux)
echo ${oldversion:13} > /var/lib/rpm-state/pulp/old-version
exit 0
postinstall scriptlet (using /bin/sh):
# Enable SELinux policy modules
if /usr/sbin/selinuxenabled ; then
    /usr/share/pulp/selinux/server/enable.sh /usr/share
fi
# restorcecon wasn't reading new file contexts we added when running under 'post' so moved to 'posttrans'
# Spacewalk saw same issue and filed BZ here: https://bugzilla.redhat.com/show_bug.cgi?id=505066
preuninstall scriptlet (using /bin/sh):
# Clean up after package removal
if [ $1 -eq 0 ]; then
    /usr/share/pulp/selinux/server/uninstall.sh
    /usr/share/pulp/selinux/server/relabel.sh
    rm -r /var/lib/rpm-state/pulp
fi
exit 0
posttrans scriptlet (using /bin/sh):
if /usr/sbin/selinuxenabled ; then
    cat /var/lib/rpm-state/pulp/old-version | xargs /usr/share/pulp/selinux/server/relabel.sh
    rm /var/lib/rpm-state/pulp/old-version
fi
```

```
# cat /usr/share/pulp/selinux/server/uninstall.sh
#!/bin/sh
PACKAGE_NAMES=( "pulp-celery" "pulp-server" )
SELINUX_VARIANTS="targeted"
MODULE_TYPE="apps"
INSTALL_DIR="/usr/share"

for NAME in ${PACKAGE_NAMES[@]}
do
    for selinuxvariant in ${SELINUX_VARIANTS}
    do
        /usr/sbin/semodule -s ${selinuxvariant} -r ${NAME} &> /dev/null || :
        rm -f ${INSTALL_DIR}/${selinuxvariant}/${NAME}.pp
    done
done
```

FailedQA

Version Tested: Satellite 6.15.0 Snap 8.0

"python311-pulp_manifest" package is missing in 6.15.0 and this is a blocker for verifying this Bug https://bugzilla.redhat.com/show_bug.cgi?id=2223069.

Instead of marking this failed, shouldn't we create a brand new blocking packaging BZ? The packaging team isn't going to know to look at this one.

FailedQA

Version Tested: Satellite 6.15.0 Snap 10.1

Verification Steps:
1. Follow steps mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2223069#c0

Observation:
1. auditd reports the denial as "permissive=1" even though selinux is in enforcing mode.
2. The denial happens as pulpcore_t trying to ioctl access on var_lib_t and that is not allowed.

I'm looking into this. In the interim, I would NOT recommend holding up the release, as this is only a cosmetic issue as-described.

This bug is a regression on 6.15.0 as we don't see the denials on 6.14.3.

@Shweta this is a new test run on 6.14.3, or are you referring to the one done to verify the clone?

@dalley This is (failed to) verified on 6.15.0. We have a clone of this BZ on 6.14.3 which is working as expected. So I am assuming that this is regression on 6.15.0.

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567. In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
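An added check for the remnant discussed in this report (example code, not from the report or from pulp): it reads a listing in the `semanage fcontext -l` layout and flags rules under /var/lib/pulp whose SELinux type is not a pulpcore-owned type, which is how the leftover 6.9 `httpd_sys_rw_content_t` rule would show up on an upgraded host. The listing below is constructed, and the assumption that pulpcore's own types carry a `pulpcore_` prefix is not stated in the report.

```shell
#!/bin/bash
# Added example for this bug report, not code from the report or from pulp.
# Audits the file-context rules that govern /var/lib/pulp, in the layout printed
# by `semanage fcontext -l`, and reports rules whose type is not owned by the
# pulpcore policy. The report describes exactly such a remnant: a 6.9-era rule
# labelling /var/lib/pulp(/.*)? as httpd_sys_rw_content_t that survived the
# upgrade because the old pulp-selinux policy was never removed.
#
# Assumption (not stated in the report): the current pulpcore-selinux policy
# labels its data with types prefixed "pulpcore_".

# Constructed listing in the `semanage fcontext -l` layout, not real output.
# Columns: regex, file type (may contain a space), context.
SAMPLE_FCONTEXT_LIST='SELinux fcontext                          type               Context
/var/lib/pulp(/.*)?                       all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/lib/pulp(/.*)?                       all files          system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/tmp(/.*)?                   all files          system_u:object_r:pulpcore_tmp_t:s0
/var/lib/mysql(/.*)?                      all files          system_u:object_r:mysqld_db_t:s0'

# stale_fcontexts PREFIX ALLOWED_TYPE_PREFIX
# Reads a semanage-style listing on stdin and prints "regex<TAB>type" for every
# rule whose regex starts with PREFIX and whose type does not start with
# ALLOWED_TYPE_PREFIX. Plain string matching is used on purpose: the regex
# column contains metacharacters such as "(/.*)?".
stale_fcontexts() {
    local prefix="$1" allowed="$2"
    awk -v prefix="$prefix" -v allowed="$allowed" '
        NR == 1 && $1 == "SELinux" { next }      # skip the header line
        index($1, prefix) == 1 {
            split($NF, ctx, ":")                 # user:role:type:level
            if (index(ctx[3], allowed) != 1)
                printf "%s\t%s\n", $1, ctx[3]
        }'
}

# count_stale PREFIX ALLOWED_TYPE_PREFIX: number of remnant rules in the
# constructed listing. Non-zero means rules from another policy still compete
# for the path, so a restorecon may not yield the pulpcore label.
count_stale() {
    printf '%s\n' "$SAMPLE_FCONTEXT_LIST" | stale_fcontexts "$1" "$2" | wc -l | tr -d ' '
}

# On a live host the same check is:
#   semanage fcontext -l | stale_fcontexts /var/lib/pulp pulpcore_
# and `matchpathcon /var/lib/pulp` shows which of the competing rules wins.
```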