Bug 784280
| Summary: | SELinux denials during system cli test | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Zapletal <lzap> |
| Component: | Packaging | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Sachin Ghai <sghai> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0.0 | CC: | bkearney, gkhachik, jmatthew, sghai |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-08-22 18:22:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 747354 | ||
more denials on generating package metadata:
---
type=AVC msg=audit(1327660258.845:157981): avc: denied { search } for pid=13209 comm="genpkgmetadata." name="rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660258.852:157982): avc: denied { getattr } for pid=13209 comm="genpkgmetadata." path="/var/lib/rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660258.853:157983): avc: denied { open } for pid=13209 comm="genpkgmetadata." name="Packages" dev=dm-0 ino=22413353 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1327660401.732:158334): avc: denied { open } for pid=16251 comm="genpkgmetadata." name="Packages" dev=dm-0 ino=22413353 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1327660454.748:158447): avc: denied { search } for pid=17593 comm="genpkgmetadata." name="rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660454.749:158448): avc: denied { getattr } for pid=17593 comm="genpkgmetadata." path="/var/lib/rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
---
reproducer: make a repo sync (like: http://repos.fedorapeople.org/repos/pulp/pulp/6Server/x86_64/)

Would you paste the filecontexts on this directory: /var/lib/pulp ? We want to see something like:
---
$ ls -Z /var/lib/pulp/
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 distributions
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 files
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxrwsrwx. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 meliae
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxrwsr-t+ apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 repos
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads
---
All the files under /var/log/pulp should be labeled with "httpd_sys_rw_content_t"

dump is:
---
ls -Z /var/lib/pulp/
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 distributions
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 repos
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
---

This is my understanding of the issue:
1) When running createrepo we are seeing some AVCs.
2) Functionality is working as expected.
3) The AVC looks to be related to interaction with the rpm database, most likely an initialization of a class in createrepo.
I see this AVC on el6, I have not seen it on Fedora-14. I am not aware of any loss of functionality.

@John - Correct me if I am wrong, so we are fine. When we put Katello to "enforcing" nothing bad happens in this case. Sounds good.

Lukas,
Yes, I think we will be OK with "enforcing" enabled. I've tested on an el6 guest, had SELinux enforcing enabled. I saw the AVC about denying access to /var/lib/rpm/Packages but the repo metadata was successfully generated. Still looking into how to clean this up so the AVC doesn't happen in the first place.

Our plan is:
Short term fix: Added a dontaudit rule to Pulp's SELinux policy to silence the AVCs.
Commit: http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=4af7ef2d65cf6e3d194565e6d7d12f95d1c5a1af
Long term fix: Code change in createrepo to avoid the denials. We've filed bug 786097 to track the change request on createrepo.

Many thanks John! I am setting Katello to Enforcing now.

Verified with the following CFSE build.
---
[root@perceptor ~]# rpm -qa | grep -ie katello-0 -ie katello-cli
katello-0.1.304-1.el6.noarch
katello-cli-common-0.1.105-1.el6.noarch
katello-cli-0.1.105-1.el6.noarch
---
No avc denial messages while creating/syncing repo:
=========================================
katello> repo create --name pulp_64 --org ACME_Corporation --product pulp --url http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/6Server/x86_64/
Successfully created repository [ pulp_64 ]
katello> repo synchronize --name pulp_64 --org ACME_Corporation --product pulp
Repo [ pulp_64 ] synced
katello> exit
[root@perceptor ~]# cat /var/log/audit/audit.log | grep avc*
[root@perceptor ~]# cat /var/log/audit/audit.log | grep avc
[root@perceptor ~]# getenforce
Enforcing
[root@perceptor ~]#
[root@perceptor ~]# ls -Z /var/lib/pulp/
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 distributions
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 repos
[root@perceptor ~]#

promoted the product to next env and didn't see any avc denial messages:
katello> changeset create --org ACME_Corporation --name pulpy --env dev
Successfully created changeset [ pulpy ] for environment [ dev ]
katello> changeset update --name pulpy --org ACME_Corporation --env dev --add_product pulp
Successfully updated changeset [ pulpy ]
katello> changeset promote --name pulpy --org ACME_Corporation --env dev
Changeset [ pulpy ] promoted
katello> exit
[root@perceptor ~]# cat /var/log/audit/audit.log | grep avc
[root@perceptor ~]# getenforce
Enforcing
[root@perceptor ~]#

Keeping it still on_qa to perform a few more tests. Will move to verified if everything goes well.

Performed more tests via cli on CFSE build (katello-0.1.304-1.el6.noarch), no avc denials found, so moving this to verified.
type=AVC msg=audit(1327401093.293:28): avc: denied { write } for pid=1010 comm="restorecon" path="/root/install-katello.log" dev=vda2 ino=20230 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1327401600.821:122): avc: denied { read write } for pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327401600.960:123): avc: denied { getattr } for pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327401602.251:126): avc: denied { write } for pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327401702.841:207): avc: denied { read write } for pid=4365 comm="httpd" path="/tmp/puppet20120124-1864-hd20kh-0" dev=vda2 ino=22193 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327402217.468:236): avc: denied { read } for pid=4920 comm="consoletype" path="/var/log/katello/thin-log.5000.log" dev=vda2 ino=155583 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:httpd_katello_script_log_t:s0 tclass=file
type=AVC msg=audit(1327409431.774:305): avc: denied { read } for pid=26704 comm="consoletype" path="/var/log/katello/thin-log.5000.log" dev=vda2 ino=155583 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:httpd_katello_script_log_t:s0 tclass=file
type=AVC msg=audit(1327409466.077:313): avc: denied { read } for pid=27259 comm="consoletype" path="/var/log/katello/thin-log.5000.log" dev=vda2 ino=155583 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:httpd_katello_script_log_t:s0 tclass=file
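The triage in this bug (collapse the AVC records into source domain, target type, class and permission set, then decide whether the access is needed or only noise to dontaudit) is what audit2allow automates. The following added example, which is not part of the bug report or of Pulp's policy, does that reduction on the createrepo denials quoted above; the three AVC lines are copied from the report and the SYSCALL line is a constructed filler that the parser must skip.

```python
import re
from collections import defaultdict

# Sample audit records: three AVC lines from the report above plus one
# constructed SYSCALL record, which carries no AVC decision and is ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1327660258.845:157981): avc: denied { search } for pid=13209 comm="genpkgmetadata." name="rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660258.852:157982): avc: denied { getattr } for pid=13209 comm="genpkgmetadata." path="/var/lib/rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660258.853:157983): avc: denied { open } for pid=13209 comm="genpkgmetadata." name="Packages" dev=dm-0 ino=22413353 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1327660258.853:157983): arch=c000003e syscall=2 success=no exit=-13
"""

# A context is user:role:type[:level]; only the type (third field) matters for
# a TE rule, so the regex skips the first two fields of scontext and tcontext.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bscontext=[^:\s]+:[^:\s]+:(?P<sdom>[^:\s]+)'
    r'.*?\btcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)'
    r'.*?\btclass=(?P<tclass>\w+)')

def parse_avc(line):
    """Return (source domain, target type, class, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m['sdom'], m['ttype'], m['tclass'], set(m['perms'].split())

def summarize(text):
    """Merge all denials into one permission set per (domain, type, class) key."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            sdom, ttype, tclass, perms = parsed
            rules[(sdom, ttype, tclass)] |= perms
    return dict(rules)

def to_te_rules(rules, kind="dontaudit"):
    """Render the summary as TE rules; 'dontaudit' silences noise, 'allow' grants access."""
    return sorted(f"{kind} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())

if __name__ == "__main__":
    # Functionality worked under enforcing, so the short-term fix is dontaudit, not allow.
    for rule in to_te_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

Run against a real /var/log/audit/audit.log the same summary tells you at a glance whether a denial pattern is a labeling error (a path whose type does not match what ls -Z should show) or a genuine policy gap.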