Bug 1192447

Summary: SELinux policy puppet rules are on httpd_t instead of celery_t
Product: [Retired] Pulp
Reporter: Lukas Zapletal <lzap>
Component: z_other
Assignee: pulp-bugs
Status: CLOSED CURRENTRELEASE
QA Contact: pulp-qe-list
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.5
CC: bmbouter, lzap, mmccune, rbarlow
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-13 18:42:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1191504

Description Lukas Zapletal 2015-02-13 11:37:26 UTC
Description of problem:

SELinux denials: https://bugzilla.redhat.com/attachment.cgi?id=990429

SELinux policy is not on par with the behavior of the application. The SELinux policy in Pulp version 2.5.0 (which is shipped in Satellite 6.1) assumes that httpd_t does the Puppet manifest writing, but it's actually the celery_t domain that does it.

The problem is that this patch needs to be backported into 2.5:

https://github.com/pulp/pulp/commit/a3e8a2464f2939fade6f2a79d4680e03aa53e7b1

I suggest shipping the .te files along with the policy for better transparency, either directly with pulp-selinux (that's what we do in our packages) or in the -doc subpackage.


Version-Release number of selected component (if applicable):
pulp-2.5.0-0.7.beta.el7sat.src.rpm


How reproducible:
Always

Steps to Reproduce:
1. Install Pulp
2. semanage boolean -m --on pulp_manage_puppet
3. Create a puppet repo
4. Upload/sync a puppet manifest (random one)
5. Configure to publish repo in /etc/puppet/modules
6. Publish the repo

Expected: Module is published there.

What happens: SELinux denials

Optionally, you can just issue this:

semanage boolean -m --on pulp_manage_puppet
sesearch -A -s celery_t -t puppet_etc_t

What is expected is to see some SELinux rules there, but currently it shows nothing.

Note: This was FIXED in master; we need to fix the older version of Pulp.
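One way to turn the sesearch check in the steps above into a repeatable test, as an added shell example that is not part of the bug report or of Pulp's own tooling: it classifies a policy from the output of sesearch -A -s <domain> -t puppet_etc_t, reporting whether the allow rules sit on celery_t (fixed), only on httpd_t (the 2.5 beta symptom described here), or are absent. The live query assumes sesearch from setools is installed; the SAMPLE_* rule lines are constructed to resemble sesearch output and were not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the bug report or from Pulp: inspect sesearch output to
# tell whether the loaded policy grants celery_t access to puppet_etc_t, which is
# what the reporter expected to see after enabling pulp_manage_puppet.
# Assumes sesearch (setools) for the live query; the SAMPLE_* rule lines below are
# constructed to resemble sesearch output and were not captured from a real host.

# has_allow_rule SRC TGT RULES: exit 0 if RULES (sesearch -A output) contains an
# allow rule from SRC to TGT, 1 otherwise. Tolerates the spacing differences
# between older setools ("allow a b : dir") and newer setools ("allow a b:dir").
has_allow_rule() {
    src="$1"; tgt="$2"; rules="$3"
    printf '%s\n' "$rules" |
        grep -Eq "^[[:space:]]*allow[[:space:]]+${src}[[:space:]]+${tgt}[[:space:]]*:"
}

# classify_policy CELERY_RULES HTTPD_RULES: echo one of
#   fixed                - celery_t has allow rules to puppet_etc_t (patched policy)
#   misplaced-on-httpd_t - only httpd_t has them (the 2.5 beta symptom in this bug)
#   missing              - neither domain has them (boolean off, or no policy loaded)
classify_policy() {
    if has_allow_rule celery_t puppet_etc_t "$1"; then
        echo fixed
    elif has_allow_rule httpd_t puppet_etc_t "$2"; then
        echo misplaced-on-httpd_t
    else
        echo missing
    fi
}

# audit_live_policy: query the running system; only meaningful where setools is installed.
audit_live_policy() {
    celery_out=$(sesearch -A -s celery_t -t puppet_etc_t 2>/dev/null || true)
    httpd_out=$(sesearch -A -s httpd_t -t puppet_etc_t 2>/dev/null || true)
    echo "policy state: $(classify_policy "$celery_out" "$httpd_out")"
}

# Constructed samples (shaped like setools output, not real captures).
SAMPLE_FIXED='allow celery_t puppet_etc_t:dir { add_name create read remove_name rmdir write };
allow celery_t puppet_etc_t:file { create read unlink write };'
SAMPLE_BETA_HTTPD='Found 1 semantic av rules:
   allow httpd_t puppet_etc_t : dir { add_name create read remove_name rmdir write } ;'

if command -v sesearch >/dev/null 2>&1; then
    audit_live_policy
else
    echo "sesearch not found; sample classification: $(classify_policy "$SAMPLE_FIXED" "")"
fi
```

Run it after `semanage boolean -m --on pulp_manage_puppet`; conditional rules only appear in sesearch output once the boolean is enabled, so a "missing" result with the boolean off does not by itself indicate the bug.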

Comment 1 Randy Barlow 2015-02-13 15:29:13 UTC
Lukas,

Satellite 6.1 is supposed to use >= pulp-2.6.0, not 2.5. This issue was fixed in 2.5.0-1 (you seem to be using a beta of 2.5 instead of the release) and should be present in our upcoming 2.6.0 release as well.

Comment 2 Lukas Zapletal 2015-02-13 16:21:51 UTC
I am flipping the ball to Mike in this regard.

Just to clarify the Pulp upstream issue: what I see in the version 2.5 we are using is that celery_t writes to pulp_etc_t dirs/files. The relevant block is this one:

https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-celery.te#L122-L130

In version 2.5 I see those rules, but for httpd_t domain rather than celery_t.

Comment 3 Brian Bouterse 2015-02-13 18:42:25 UTC
I think you're using a 2.5.0 beta that does not include this fix. The fix has been included in 2.5.0-1 and forward.