Bug 1200722 - Apache httpd getattr denial on RHEL7 after restart of Pulp
Summary: Apache httpd getattr denial on RHEL7 after restart of Pulp
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Tazim Kolhar
URL:
Whiteboard:
Duplicates: 1201802
Depends On:
Blocks:
 
Reported: 2015-03-11 09:42 UTC by Lukas Zapletal
Modified: 2021-04-06 18:03 UTC
CC: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 13:55:22 UTC
Target Upstream Version:
Embargoed:




Links
Pulp Redmine 748 (Priority: High, Status: CLOSED - WORKSFORME, last updated 2016-11-28 19:03:32 UTC): Apache httpd getattr denial on RHEL7 after restart of Pulp

Description Lukas Zapletal 2015-03-11 09:42:44 UTC
We see a denial during Pulp restart on RHEL7. It looks like the wsgi files are not given the correct file contexts.

RHEL7:

[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       webservices.wsgi

[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch

No problems on RHEL6:

[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>

[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi

[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch

Comment 2 Lukas Zapletal 2015-03-11 09:58:53 UTC
Cloned upstream: https://pulp.plan.io/issues/748

Comment 3 Brian Bouterse 2015-03-11 13:08:04 UTC
This bug also needs to have the external tracker set to 'Pulp Redmine' with the bug number 748.

Comment 4 Lukas Zapletal 2015-03-13 11:26:39 UTC
We see an additional permission (read) there. It is not just getattr:

time->Thu Mar 12 23:32:16 2015
type=SYSCALL msg=audit(1426217536.911:540): arch=c000003e syscall=2 success=no exit=-13 a0=7f43b5e05af8 a1=0 a2=1b6 a3=0 items=0 ppid=5584 pid=5623 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426217536.911:540): avc:  denied  { read } for pid=5623 comm="httpd" name="webservices.wsgi" dev="dm-0" ino=135939728 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

Comment 5 Lukas Zapletal 2015-03-16 15:00:55 UTC
This is caused by pulp selinux module not being loaded on RHEL7:

RHEL6:

[root@dell-pem710-01 ~]# semanage fcontext -l | grep pulp
/etc/pki/pulp(/.*)?                                all files          system_u:object_r:pulp_cert_t:s0 
/etc/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/log/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 
[root@dell-pem710-01 ~]# semodule -l | grep pulp
pulp-celery     2.6.0
pulp-server     2.6.0

RHEL7:

[root@dell-pe2900-01 ~]# semanage fcontext -l | grep pulp
[root@dell-pe2900-01 ~]# semodule -l | grep pulp

[root@dell-pe2900-01 ~]# semodule -i /usr/share/selinux/targeted/pulp-celery.pp
libsepol.permission_copy_callback: Module pulp-celery depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
[root@dell-pe2900-01 ~]# semodule -i /usr/share/selinux/targeted/pulp-server.pp
libsepol.permission_copy_callback: Module pulp-server depends on permission kill in class system, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

OK, this was caused by the fact that we build on RHEL 7.1 but test on RHEL 7.0. My fault, I thought I tested on 7.1, but apparently not.
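One way to triage this kind of denial, as an added example that is not part of the bug report or of Pulp's own tooling: the script below parses AVC records like the ones quoted in the description and comment 4, summarises the source/target type pairs, and on a host with the SELinux tools installed checks whether the pulp-server and pulp-celery modules are loaded (the root cause found in this comment) and whether each denied path carries the label the loaded policy expects. SAMPLE_AVC is constructed from the two denials quoted above; semodule, matchpathcon and stat are only called when present, so the parser itself runs on any POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Pulp project: triage the
# AVC denials quoted above. parse_avc pulls the fields that matter out of
# "ausearch -m AVC" output, target_types summarises them, check_modules
# reports whether the pulp-* policy modules are loaded at all, and
# check_labels compares each denied path's actual label with the label the
# loaded policy assigns to it. SAMPLE_AVC is constructed from the two AVC
# records quoted in the bug.

SAMPLE_AVC='type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1426217536.911:540): avc:  denied  { read } for pid=5623 comm="httpd" name="webservices.wsgi" dev="dm-0" ino=135939728 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# parse_avc: read AVC records on stdin and print one line per denial:
#   <permission> <source type> <target type> <object class> <path or name>
# Only the type field of each context is kept; user and role are noise here.
parse_avc() {
    awk '
    /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""; obj = ""
        if (match($0, /[{] *[a-z_]+ *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) { continue }
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   { cls = kv[2] }
            else if (kv[1] == "path" || kv[1] == "name") { obj = kv[2]; gsub(/"/, "", obj) }
        }
        if (perm != "") { print perm, src, tgt, cls, obj }
    }'
}

# target_types: unique "<source> <target> <class>" triples from parse_avc
# output. One generic target type such as var_t across every denial points
# at a labeling problem rather than at a missing allow rule.
target_types() {
    parse_avc | awk '{ print $2, $3, $4 }' | sort -u
}

# check_modules: 0 if both pulp policy modules are loaded, 1 if one is
# missing, 2 if semodule is not installed on this host.
check_modules() {
    command -v semodule >/dev/null 2>&1 || { echo "semodule not available"; return 2; }
    rc=0
    for m in pulp-server pulp-celery; do
        if semodule -l | grep -q "^$m"; then
            echo "loaded: $m"
        else
            echo "NOT loaded: $m"; rc=1
        fi
    done
    return $rc
}

# check_labels: for each denial that carries an absolute path, print the
# label the loaded policy expects (matchpathcon) beside the label the file
# actually has (stat). Records with only name= cannot be resolved here.
check_labels() {
    parse_avc | while read -r perm src tgt cls obj; do
        case "$obj" in /*) ;; *) echo "skip (no path): $obj"; continue ;; esac
        [ -e "$obj" ] || { echo "missing: $obj"; continue; }
        expected=$(matchpathcon -n "$obj" 2>/dev/null || echo "?")
        actual=$(stat -c %C "$obj" 2>/dev/null || echo "?")
        if [ "$expected" = "$actual" ]; then
            echo "ok:       $obj $actual"
        else
            echo "mismatch: $obj actual=$actual expected=$expected"
        fi
    done
}

# Demo on the constructed sample; on a real host pipe "ausearch -m AVC" in instead.
printf '%s\n' "$SAMPLE_AVC" | parse_avc
printf '%s\n' "$SAMPLE_AVC" | target_types
if command -v semodule >/dev/null 2>&1; then
    check_modules || true
    printf '%s\n' "$SAMPLE_AVC" | check_labels
fi
```

If semodule -l shows no pulp modules, the next thing to check is whether the .pp files link against the running base policy at all, which is the failure shown in this comment: a module built against a newer base policy (RHEL 7.1, which defines the kill permission in class system) will not load on RHEL 7.0. Once the modules load, restorecon -Rv /srv/pulp applies the /srv/pulp(/.*)? rule and replaces the var_t label with httpd_sys_content_t.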

Comment 6 Stephen Benjamin 2015-03-16 20:52:26 UTC
*** Bug 1201802 has been marked as a duplicate of this bug. ***

Comment 8 Stephen Benjamin 2015-03-17 14:06:06 UTC
*** Bug 1201802 has been marked as a duplicate of this bug. ***

Comment 9 Brian Bouterse 2015-03-20 14:30:21 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 10 Brian Bouterse 2015-03-24 15:30:23 UTC
The Pulp upstream bug priority is at High. Updating the external tracker on this bug.

Comment 11 pulp-infra@redhat.com 2015-03-31 14:00:22 UTC
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.

Comment 12 Lukas Zapletal 2015-04-17 06:00:51 UTC
QA: To test this, verify Sat 6.1 installs on RHEL 7.1 and does *not* install on RHEL 7.0 (error in dependencies).

Comment 13 Lukas Zapletal 2015-04-17 06:02:30 UTC
No code changes are necessary, since foreman-selinux will not install on RHEL 7.0; therefore Satellite 6.1 itself will not install either (and thus Pulp too).

Comment 14 Tazim Kolhar 2015-04-21 10:32:00 UTC
VERIFIED :

# rpm -qa | grep foreman
qe-sat6-rhel71.usersys.redhat.com-foreman-client-1.0-1.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_docker-1.2.0.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.4-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.1.0-1.el7sat.noarch
foreman-compute-1.7.2.15-1.el7sat.noarch
foreman-vmware-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.9-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.5-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.15-1.el7sat.noarch
foreman-ovirt-1.7.2.15-1.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.7-1.el7sat.noarch
foreman-proxy-1.7.2.4-1.el7sat.noarch
qe-sat6-rhel71.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-postgresql-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
foreman-selinux-1.7.2.13-1.el7sat.noarch
foreman-gce-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.3-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.3-1.el7sat.noarch
foreman-debug-1.7.2.15-1.el7sat.noarch
foreman-libvirt-1.7.2.15-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.10-1.el7sat.noarch

#  rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0.1-1.beta.1.el7sat.noarch

# semanage fcontext -l | grep pulp
/etc/pki/pulp(/.*)?                                all files          system_u:object_r:pulp_cert_t:s0 
/etc/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/srv/pulp(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0 
/var/lib/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/log/pulp(/.*)?                                all files          system_u:object_r:httpd_sys_rw_content_t:s0 

# semodule -l | grep pulp
pulp-celery	2.6.0.1	
pulp-server	2.6.0.1	

# semodule -i /usr/share/selinux/targeted/pulp-celery.pp
#

Comment 15 Brian Bouterse 2015-04-29 19:29:20 UTC
Adding mhrivnak to cc list

Comment 16 pulp-infra@redhat.com 2015-05-05 16:30:26 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 17 Bryan Kearney 2015-08-11 13:18:21 UTC
This bug is slated to be released with Satellite 6.1.

Comment 18 Bryan Kearney 2015-08-12 13:55:22 UTC
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Comment 19 pulp-infra@redhat.com 2016-11-28 19:03:33 UTC
The Pulp upstream bug status is at CLOSED - WORKSFORME. Updating the external tracker on this bug.

