Bug 2232162
| Summary: | avc denial when importing templates to a local directory using API | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Peter Ondrejka <pondrejk> |
| Component: | Templates Plugin | Assignee: | Adam Lazik <alazik> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Peter Ondrejka <pondrejk> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.14.0 | CC: | alazik, aruzicka, egolov, ekohlvan, lzap, rlavi |
| Target Milestone: | 6.14.0 | Keywords: | AutomationBlocker, Documentation, Regression, Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-10-17 12:29:01 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Peter Ondrejka
2023-08-15 16:25:26 UTC
Where does /usr/share/foreman_templates/vTioyEjTKn come from? The /usr/share/foreman_templates/ seems rather odd to me.

https://github.com/SatelliteQE/robottelo/blob/8f03eaf9155a6c62cf185bce2c092bb57905606c/robottelo/constants/__init__.py#L1752
https://github.com/SatelliteQE/robottelo/blob/8f03eaf9155a6c62cf185bce2c092bb57905606c/pytest_fixtures/component/templatesync.py#L11-L38

but that doesn't explain why it worked before (I would expect it to fail identically on older releases).

In upstream bats, we explicitly use a folder underneath /usr/share/foreman/tmp for this test: https://github.com/theforeman/forklift/blob/b807c692bf30c34f3821ef807e9e75d95562c3c2/bats/fb-test-foreman-templates.bats#L9

Ad /usr/share/foreman_templates/vTioyEjTKn, it is just a custom dir the test creates to store templates, I suppose it was inspired by the docs where they use /usr/share/templates_dir/

Good point with the docs. /usr/share/templates_dir/ seems also odd, but that's for another BZ. Still, I see no way how foreman_rails_t→httpd_sys_rw_content_t should have worked before.

On a 6.13, "selinux_check_access system_u:system_r:foreman_rails_t:s0 unconfined_u:object_r:httpd_sys_rw_content_t:s0 dir getattr" is happy.

On an upstream Katello 4.9 box, I get:

$ selinux_check_access system_u:system_r:foreman_rails_t:s0 unconfined_u:object_r:httpd_sys_rw_content_t:s0 dir getattr
avc: denied { getattr } for scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
selinux_check_access: Permission denied

Now, go figure why /me scratches head

Aha, I think it's because of https://github.com/Katello/katello-selinux/commit/795588bb01a03d8d5b397e509dbc386cc5f5ec83

Now, I wonder what the correct fix should be. Allowing httpd_sys_rw_content_t again or using a different label for the files?

httpd_sys_rw_content_t seems like the wrong context for the foreman_templates files -- maybe foreman_lib_t would be correct?

Feels like a documentation bug to me. I'd expect that if you use /var/lib/foreman/templates instead of /usr/share/template_dir you don't need to mess with SELinux at all.

If we change just the docs, we also need to warn users to move their templates to the new recommended location after the upgrade. I'd prefer not to break the old set-ups if we can solve it with labels.

I agree that httpd_sys_rw_content_t is some sort of a typo. Any context which foreman domain can read/write would be fine. What Ewoud recommends is the best solution I think, as files will automatically have the correct context by default.

We discussed that BZ during Platform triage yesterday and came to the following result:

- users need to put the templates somewhere where Foreman can read them (file permissions and selinux wise)
- httpd_sys_rw_content_t was an obstacle, and the wrong label to begin with
- foreman_lib_t is the correct label for such content

That means:

- if users put their templates in /var/lib/foreman/<something nice> it will get labeled correctly automatically
- if they put them somewhere else, they need to ensure the right (foreman_lib_t) SELinux label is applied

Therefore please update the docs to recommend a place in /var/lib/foreman and point out that other places need correct labeling.

As for existing setups: we decided against a release-note for this, this BZ should be sufficient to find the error message and the pointer at the updated docs.

Created PR with the suggested changes: https://github.com/theforeman/foreman-documentation/pull/2414

The entire chapter has been restructured. As a part of these changes, users are now instructed to use the correct directory `/var/lib/foreman/`.

Link to the new docs:

6.13: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.13/html-single/managing_hosts/index#Synchronizing_Templates_Repositories_managing-hosts
6.12: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html-single/managing_hosts/index#Synchronizing_Templates_Repositories_managing-hosts
6.11: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/managing_hosts/index#Synchronizing_Templates_Repositories_managing-hosts
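As an added example (not part of the bug report or of the Foreman/Katello projects), the POSIX shell script below parses an AVC denial of the shape quoted in the thread, applies the triage conclusion that a templates directory must carry foreman_lib_t, and prints the commands that relabel a custom directory persistently. The function names and the sample line handling are assumptions of this example; `semanage fcontext` and `restorecon` are standard policycoreutils tools, not something the thread introduces.

```shell
#!/bin/sh
# Added example (not from the bug report or the Foreman/Katello projects).
# Parses an AVC denial of the shape quoted in the thread, applies the triage
# conclusion (a templates dir must carry foreman_lib_t), and prints the
# persistent relabel commands for a directory outside /var/lib/foreman.

# Constructed sample: the denial line quoted in the thread.
SAMPLE_AVC='avc: denied { getattr } for scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY: value of "KEY=value" in an AVC line (scontext, tcontext, tclass, ...).
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission list inside the braces, e.g. "getattr".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# diagnose LINE: prints "relabel" when the Foreman Rails domain was denied on a
# dir or file whose type is not foreman_lib_t (the situation in this bug),
# "other" for any other denial (a real policy gap, not a labeling problem).
diagnose() {
  src=$(ctx_type "$(avc_field "$1" scontext)")
  tgt=$(ctx_type "$(avc_field "$1" tcontext)")
  cls=$(avc_field "$1" tclass)
  if [ "$src" = foreman_rails_t ] && [ "$tgt" != foreman_lib_t ] \
     && { [ "$cls" = dir ] || [ "$cls" = file ]; }; then
    echo relabel
  else
    echo other
  fi
}

# relabel_cmds DIR: the standard policycoreutils commands that make a custom
# templates directory (and everything below it) foreman_lib_t persistently.
relabel_cmds() {
  printf "semanage fcontext -a -t foreman_lib_t '%s(/.*)?'\n" "$1"
  printf "restorecon -Rv '%s'\n" "$1"
}

# Stand-alone run: classify the sample and show the fix for the dir from the report.
echo "sample denial: $(avc_perms "$SAMPLE_AVC") -> $(diagnose "$SAMPLE_AVC")"
relabel_cmds /usr/share/foreman_templates
```

A directory created under /var/lib/foreman inherits foreman_lib_t from the file context rules, so the relabel commands are only needed for locations outside it.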