1200722 – Apache httpd getattr denial on RHEL7 after restart of Pulp

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1200722 - Apache httpd getattr denial on RHEL7 after restart of Pulp

Summary: Apache httpd getattr denial on RHEL7 after restart of Pulp

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	SELinux
Sub Component:
Version:	6.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	Unspecified
Assignee:	Lukas Zapletal
QA Contact:	Tazim Kolhar
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1201802 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-03-11 09:42 UTC by Lukas Zapletal
Modified:	2021-04-06 18:03 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-12 13:55:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Pulp Redmine	748	0	High	CLOSED - WORKSFORME	Apache httpd getattr denial on RHEL7 after restart of Pulp	2016-11-28 19:03:32 UTC

Description Lukas Zapletal 2015-03-11 09:42:44 UTC

We see denial during pulp restart on RHEL7. It looks like wsgi files are not given correct file contexts.

RHEL7:

[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       webservices.wsgi

[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch

No problems on RHEL6:

[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>

[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi

[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch

Comment 2 Lukas Zapletal 2015-03-11 09:58:53 UTC

Cloned upstream: https://pulp.plan.io/issues/748

Comment 3 Brian Bouterse 2015-03-11 13:08:04 UTC

This bug also needs to have the external tracker set to 'Pulp Redmine' with the bug number 748.

Comment 4 Lukas Zapletal 2015-03-13 11:26:39 UTC

We see additional permission (read) there. It is not just getattr:

time->Thu Mar 12 23:32:16 2015
type=SYSCALL msg=audit(1426217536.911:540): arch=c000003e syscall=2 success=no
exit=-13 a0=7f43b5e05af8 a1=0 a2=1b6 a3=0 items=0 ppid=5584 pid=5623
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426217536.911:540): avc:  denied  { read } for pid=5623
comm="httpd" name="webservices.wsgi" dev="dm-0" ino=135939728
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0
tclass=file

Comment 5 Lukas Zapletal 2015-03-16 15:00:55 UTC

This is caused by pulp selinux module not being loaded on RHEL7:

RHEL6:

[root@dell-pem710-01 ~]# semanage fcontext -l | grep pulp
/etc/pki/pulp(/.*)?                                all files          system_u:object_r:pulp_cert_t:s0 
/etc/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/log/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 
[root@dell-pem710-01 ~]# semodule -l | grep pulp
pulp-celery     2.6.0
pulp-server     2.6.0

RHEL7:

[root@dell-pe2900-01 ~]# semanage fcontext -l | grep pulp
[root@dell-pe2900-01 ~]# semodule -l | grep pulp

[root@dell-pe2900-01 ~]# semodule -i /usr/share/selinux/targeted/pulp-celery.pp
libsepol.permission_copy_callback: Module pulp-celery depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
[root@dell-pe2900-01 ~]# semodule -i /usr/share/selinux/targeted/pulp-server.pp
libsepol.permission_copy_callback: Module pulp-server depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

Ok this was caused by the fact that we build on RHEL 7.1 but test on RHEL 7.0. My fault, I thought I test on 7.1, but apparently now.

Comment 6 Stephen Benjamin 2015-03-16 20:52:26 UTC

*** Bug 1201802 has been marked as a duplicate of this bug. ***

Comment 8 Stephen Benjamin 2015-03-17 14:06:06 UTC

*** Bug 1201802 has been marked as a duplicate of this bug. ***

Comment 9 Brian Bouterse 2015-03-20 14:30:21 UTC

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 10 Brian Bouterse 2015-03-24 15:30:23 UTC

The Pulp upstream bug priority is at High. Updating the external tracker on this bug.

Comment 11 pulp-infra@redhat.com 2015-03-31 14:00:22 UTC

The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 12 Lukas Zapletal 2015-04-17 06:00:51 UTC

QA: To test this, verify Sat 6.1 installs on RHEL 7.1 and does *not* install on RHEL 7.0 (error in dependencies).

Comment 13 Lukas Zapletal 2015-04-17 06:02:30 UTC

No code changes are necessary since foreman-selinux will not install on RHEL 7.0 therefore Satellite 6.1 itself will not install as well (thus Pulp too).

Comment 14 Tazim Kolhar 2015-04-21 10:32:00 UTC

VERIFIED :

# rpm -qa | grep foreman
qe-sat6-rhel71.usersys.redhat.com-foreman-client-1.0-1.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_docker-1.2.0.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.4-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el7sat.noarch
foreman-compute-1.7.2.15-1.el7sat.noarch
foreman-vmware-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.9-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.5-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.15-1.el7sat.noarch
foreman-ovirt-1.7.2.15-1.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.7-1.el7sat.noarch
foreman-proxy-1.7.2.4-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-postgresql-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
foreman-selinux-1.7.2.13-1.el7sat.noarch
foreman-gce-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.3-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.3-1.el7sat.noarch
foreman-debug-1.7.2.15-1.el7sat.noarch
foreman-libvirt-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.10-1.el7sat.noarch

#  rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0.1-1.beta.1.el7sat.noarch

# semanage fcontext -l | grep pulp
/etc/pki/pulp(/.*)?                                all files          system_u:object_r:pulp_cert_t:s0 
/etc/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/log/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 

# semodule -l | grep pulp
pulp-celery	2.6.0.1	
pulp-server	2.6.0.1	

# semodule -i /usr/share/selinux/targeted/pulp-celery.pp
#

Comment 15 Brian Bouterse 2015-04-29 19:29:20 UTC

Adding mhrivnak to cc list

Comment 16 pulp-infra@redhat.com 2015-05-05 16:30:26 UTC

The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 17 Bryan Kearney 2015-08-11 13:18:21 UTC

This bug is slated to be released with Satellite 6.1.

Comment 18 Bryan Kearney 2015-08-12 13:55:22 UTC

This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Comment 19 pulp-infra@redhat.com 2016-11-28 19:03:33 UTC

The Pulp upstream bug status is at CLOSED - WORKSFORME. Updating the external tracker on this bug.

Note You need to log in before you can comment on or make changes to this bug.