Bug 1125334 - Package pulp-selinux is installed but not effective
Summary: Package pulp-selinux is installed but not effective
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: rpm-support
Version: 2.4 Beta
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: urgent
Target Milestone: ---
Target Release: 2.5.0
Assignee: Brian Bouterse
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On: 1101280 1142881
Blocks:
Reported: 2014-07-31 15:15 UTC by Lukas Zapletal
Modified: 2014-11-24 21:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1101280
Environment:
Last Closed: 2014-11-24 21:33:41 UTC



Comment 1 Lukas Zapletal 2014-07-31 15:18:25 UTC
Please disregard the above description, this is the correct one:

[root@sgi-xe320-01 ~]# rpm -q pulp-selinux
pulp-selinux-2.4.0-0.23.beta.el6sat.noarch
[root@sgi-xe320-01 ~]# ps axuZ | grep pulp
unconfined_u:system_r:initrc_t:s0 apache  7255  1.4  0.0 729864 28872 ?        Sl   Jul30  11:56 /usr/bin/python /usr/bin/celery beat --scheduler=pulp.server.async.scheduler.Scheduler --workdir=/var/lib/pulp/celery/ -f /var/log/pulp/celerybeat.log -l INFO --detach --pidfile=/var/run/pulp/celerybeat.pid
unconfined_u:system_r:initrc_t:s0 apache  7370  0.2  0.1 638724 47824 ?        Sl   Jul30   1:52 /usr/bin/python -m celery.__main__ worker -c 1 -n resource_manager@sgi-xe320-01.rhts.eng.bos.redhat.com --events --app=pulp.server.async.app --loglevel=INFO -Q resource_manager --logfile=/var/log/pulp/resource_manager.log --pidfile=/var/run/pulp/resource_manager.pid
unconfined_u:system_r:initrc_t:s0 apache  7480  0.0  0.1 395860 39460 ?        S    Jul30   0:00 /usr/bin/python -m celery.__main__ worker -c 1 -n resource_manager@sgi-xe320-01.rhts.eng.bos.redhat.com --events --app=pulp.server.async.app --loglevel=INFO -Q resource_manager --logfile=/var/log/pulp/resource_manager.log --pidfile=/var/run/pulp/resource_manager.pid
unconfined_u:system_r:initrc_t:s0 apache  7486  0.2  0.1 638732 51932 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-0@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-0.log --pidfile=/var/run/pulp/reserved_resource_worker-0.pid
unconfined_u:system_r:initrc_t:s0 apache  7513  0.2  0.1 638720 47832 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-1@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-1.log --pidfile=/var/run/pulp/reserved_resource_worker-1.pid
unconfined_u:system_r:initrc_t:s0 apache  7527  0.3  0.4 850448 149760 ?       Sl   Jul30   3:01 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-0@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-0.log --pidfile=/var/run/pulp/reserved_resource_worker-0.pid
unconfined_u:system_r:initrc_t:s0 apache  7536  0.2  0.1 638708 47824 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-2@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-2.log --pidfile=/var/run/pulp/reserved_resource_worker-2.pid
unconfined_u:system_r:initrc_t:s0 apache  7550  0.0  0.1 563428 43056 ?        Sl   Jul30   0:02 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-1@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-1.log --pidfile=/var/run/pulp/reserved_resource_worker-1.pid
unconfined_u:system_r:initrc_t:s0 apache  7567  0.2  0.1 638728 47864 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-3@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-3.log --pidfile=/var/run/pulp/reserved_resource_worker-3.pid
unconfined_u:system_r:initrc_t:s0 apache  7581  0.0  0.1 562844 42852 ?        Sl   Jul30   0:02 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-2@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-2.log --pidfile=/var/run/pulp/reserved_resource_worker-2.pid
unconfined_u:system_r:initrc_t:s0 apache  7590  0.2  0.1 638664 49820 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-4@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-4.log --pidfile=/var/run/pulp/reserved_resource_worker-4.pid
unconfined_u:system_r:initrc_t:s0 apache  7604  0.0  0.3 837116 111868 ?       Sl   Jul30   0:20 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-3@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-3.log --pidfile=/var/run/pulp/reserved_resource_worker-3.pid
unconfined_u:system_r:initrc_t:s0 apache  7622  0.2  0.1 638664 47768 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-5@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-5.log --pidfile=/var/run/pulp/reserved_resource_worker-5.pid
unconfined_u:system_r:initrc_t:s0 apache  7636  0.0  0.1 395848 38760 ?        S    Jul30   0:00 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-4@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-4.log --pidfile=/var/run/pulp/reserved_resource_worker-4.pid
unconfined_u:system_r:initrc_t:s0 apache  7645  0.2  0.1 638700 49852 ?        Sl   Jul30   1:50 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-6@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-6.log --pidfile=/var/run/pulp/reserved_resource_worker-6.pid
unconfined_u:system_r:initrc_t:s0 apache  7659  0.0  0.1 395848 38764 ?        S    Jul30   0:00 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-5@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-5.log --pidfile=/var/run/pulp/reserved_resource_worker-5.pid
unconfined_u:system_r:initrc_t:s0 apache  7676  0.2  0.1 638724 47784 ?        Sl   Jul30   1:51 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-7@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-7.log --pidfile=/var/run/pulp/reserved_resource_worker-7.pid
unconfined_u:system_r:initrc_t:s0 apache  7700  0.0  0.1 562472 42072 ?        Sl   Jul30   0:02 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-6@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-6.log --pidfile=/var/run/pulp/reserved_resource_worker-6.pid
unconfined_u:system_r:httpd_t:s0 apache   7758  0.0  0.2 1070688 74072 ?       Sl   Jul30   0:19 (wsgi:pulp)    
unconfined_u:system_r:initrc_t:s0 apache  7777  0.0  0.1 395848 38760 ?        S    Jul30   0:00 /usr/bin/python -m celery.__main__ worker --events --app=pulp.server.async.app --loglevel=INFO -c 1 -n reserved_resource_worker-7@sgi-xe320-01.rhts.eng.bos.redhat.com --logfile=/var/log/pulp/reserved_resource_worker-7.log --pidfile=/var/run/pulp/reserved_resource_worker-7.pid

It looks like the main process is good:

unconfined_u:system_r:httpd_t:s0 apache   7758  0.0  0.2 1070688 74072 ?       Sl   Jul30   0:19 (wsgi:pulp) 

Although I'd expect something like pulp_t, I am not sure about celery (this seems like a pulp component) and possibly others.

Comment 2 Brian Bouterse 2014-09-04 19:03:19 UTC
PR available at:  https://github.com/pulp/pulp/pull/1145

Comment 3 Brian Bouterse 2014-09-04 19:50:08 UTC
To verify this bug there are a few things to check. Here are some steps:

Pre setup before any test area below
1. Ensure pulp-selinux is installed
2. Reboot all pulp_* services

==Ensure the processes are contained==
1. List the celery processes with their SELinux context info included by running `ps -awfuxZ | grep celery`
2. In the output from step 3, verify that each line contains "system_u:system_r:celery_t:s0". The important part is "celery_t".

==Ensure both pulp-server and pulp-celery selinux policies are installed==
1. List the current selinux policies installed and enabled by running: `sudo semodule -l | grep pulp`
2. Verify that the output of step 1 includes "pulp-server 2.5.0" and "pulp-celery 2.5.0"

==Ensure the Uninstall removes pulp-server and pulp-celery==
1. Uninstall pulp-selinux
2. Run `sudo semodule -l | grep pulp`
3. Verify that no output is produced

==Verify everything works==
1. Put selinux into enforcing mode `sudo setenforce 1`
2. Verify that it is in enforcing mode by checking the output is 1 from `sudo getenfroce`
3. Now do everything with pulp ;-)
4. I expect all Pulp operations should work.

Comment 4 Brian Bouterse 2014-09-04 19:51:06 UTC
*correction to the above comment*

Step 2 (at the bottom) should read:  `sudo getenforce`
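
The containment and policy-module checks from comment 3, scripted as an added example (not part of the bug thread and not Pulp project code). The function names are hypothetical and the sample input is constructed, with two lines shortened from the listing in comment 1; only module names are checked, not versions.

```shell
#!/bin/sh
# Added example (not Pulp project code). Both functions read command output on
# stdin, so they work on a live host or on saved output.

# stdin: `ps -awfuxZ` lines (LABEL USER PID ... COMMAND).
# Prints "PID TYPE" for each celery process not in celery_t; returns 1 if any.
unconfined_celery() {
    awk '
        {
            cmd = ""
            for (i = 12; i <= NF; i++) cmd = cmd " " $i   # COMMAND starts at field 12
            if (cmd !~ /celery/ || cmd ~ /grep/) next      # skip other processes and the grep itself
            split($1, ctx, ":")                            # label is user:role:type:level
            if (ctx[3] != "celery_t") { print $3, ctx[3]; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# stdin: `semodule -l` lines (NAME VERSION).
# Prints each expected Pulp policy module that is absent; returns 1 if any.
missing_pulp_modules() {
    awk '
        { seen[$1] = 1 }
        END {
            n = 0
            if (!("pulp-server" in seen)) { print "pulp-server"; n++ }
            if (!("pulp-celery" in seen)) { print "pulp-celery"; n++ }
            exit (n > 0)
        }
    '
}

# Constructed sample input: two lines shortened from comment 1, one celery_t line
# as expected after the fix, and a module list that lacks pulp-celery.
SAMPLE_PS='unconfined_u:system_r:initrc_t:s0 apache 7255 1.4 0.0 729864 28872 ? Sl Jul30 11:56 /usr/bin/python /usr/bin/celery beat
unconfined_u:system_r:httpd_t:s0 apache 7758 0.0 0.2 1070688 74072 ? Sl Jul30 0:19 (wsgi:pulp)
system_u:system_r:celery_t:s0 apache 7486 0.2 0.1 638732 51932 ? Sl Jul30 1:51 /usr/bin/python -m celery.__main__ worker'
SAMPLE_SEMODULE='pulp-server 2.5.0'

printf '%s\n' "$SAMPLE_PS" | unconfined_celery || echo "celery outside celery_t"
printf '%s\n' "$SAMPLE_SEMODULE" | missing_pulp_modules || echo "policy module missing"
```

On a host, feed the functions live output instead: `ps -awfuxZ | unconfined_celery` and `sudo semodule -l | missing_pulp_modules`.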

Comment 5 Brian Bouterse 2014-09-05 17:59:09 UTC
Merged to 2.5-testing -> 2.5-dev -> master

Comment 6 Chris Duryee 2014-09-30 13:52:51 UTC
build: 2.5.0-0.6.beta

Comment 7 Preethi Thomas 2014-10-01 17:26:51 UTC
verified
[root@cloud-qe-15 ~]# rpm -qa pulp-selinux
pulp-selinux-2.5.0-0.6.beta.el7.noarch
[root@cloud-qe-15 ~]# 

Followed https://bugzilla.redhat.com/show_bug.cgi?id=1125334#c3 on el6 & el7

[root@mgmt4 ~]# rpm -qa pulp-selinux
pulp-selinux-2.5.0-0.6.beta.el6.noarch
[root@mgmt4 ~]#

