Description of problem:
On a new instance of Satellite, created from an image and having undergone change-hostname, AVC denials are seen.

Version-Release number of selected component (if applicable):
testing with new instance of 6.10.0-6.0
~]# rpm -q satellite
satellite-6.10.0-0.3.beta.el7sat.noarch

How reproducible:
not sure

Steps to Reproduce:
1. Create image of satellite
2. Create instance of image
3. Run change hostname script
(the above is summary of SatLab process)

Actual results:
~]# ausearch -m AVC,USER_AVC -ts today
----
time->Mon Jun 28 03:09:00 2021
type=PROCTITLE msg=audit(1624864140.110:120): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624864140.110:120): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=1193 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864140.110:120): avc: denied { create } for pid=1193 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:09:00 2021
type=PROCTITLE msg=audit(1624864140.110:121): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624864140.110:121): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd6e048ad0 a2=15 a3=f0 items=0 ppid=1 pid=1193 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864140.110:121): avc: denied { sendto } for pid=1193 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864140.110:121): avc: denied { connect } for pid=1193 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:09:00 2021
type=PROCTITLE msg=audit(1624864140.603:125): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624864140.603:125): arch=c000003e syscall=4 success=no exit=-2 a0=7f48312c1d00 a1=7ffcd8383a10 a2=7ffcd8383a10 a3=1 items=0 ppid=1 pid=1151 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864140.603:125): avc: denied { search } for pid=1151 comm="gunicorn" name="httpd" dev="vda1" ino=75586928 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
----
time->Mon Jun 28 03:09:01 2021
type=PROCTITLE msg=audit(1624864141.353:127): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624864141.353:127): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=1151 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864141.353:127): avc: denied { create } for pid=1151 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:09:01 2021
type=PROCTITLE msg=audit(1624864141.354:128): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624864141.354:128): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffcd8389b70 a2=15 a3=b10 items=0 ppid=1 pid=1151 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624864141.354:128): avc: denied { sendto } for pid=1151 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864141.354:128): avc: denied { connect } for pid=1151 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:02 2021
type=PROCTITLE msg=audit(1624865762.890:792): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624865762.890:792): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=9296 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865762.890:792): avc: denied { create } for pid=9296 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:02 2021
type=PROCTITLE msg=audit(1624865762.891:793): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E6170702E777367693A6170706C69636174696F6E002D2D74696D656F7574003930002D770031002D2D6163636573732D6C6F6766696C65002D002D2D6163636573732D6C6F67666F726D61740070756C70205B25
type=SYSCALL msg=audit(1624865762.891:793): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7fffc4774010 a2=15 a3=f0 items=0 ppid=1 pid=9296 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865762.891:793): avc: denied { sendto } for pid=9296 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624865762.891:793): avc: denied { connect } for pid=9296 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:04 2021
type=PROCTITLE msg=audit(1624865764.231:799): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624865764.231:799): arch=c000003e syscall=41 success=yes exit=3 a0=1 a1=80002 a2=0 a3=0 items=0 ppid=1 pid=9404 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865764.231:799): avc: denied { create } for pid=9404 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Mon Jun 28 03:36:04 2021
type=PROCTITLE msg=audit(1624865764.231:800): proctitle=2F7573722F62696E2F707974686F6E33002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D77003133002D2D6163636573732D
type=SYSCALL msg=audit(1624865764.231:800): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffcc3f4c270 a2=15 a3=b10 items=0 ppid=1 pid=9404 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.6" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1624865764.231:800): avc: denied { connect } for pid=9404 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
[root@dhcp-3-76 ~]#

Expected results:
no AVCs
These are all pulp-related services, flipping over to the Pulp component as the team maintains the policy themselves.

What would be useful is to turn it into permissive mode, install SELinux development tools and then:

sepolgen-ifgen
audit2allow -Ral

To generate reverse rules to see them, thanks!
(In reply to Lukas Zapletal from comment #1)
> These are all pulp-related services, flipping over to the Pulp component as
> the team maintains the policy themselves.
>
> What would be useful is to turn it into permissive mode, install SELinux
> development tools and then:
>
> sepolgen-ifgen
> audit2allow -Ral
>
> To generate reverse rules to see them, thanks!

~]# sepolgen-ifgen
~]# audit2allow -Ral

require {
	type pulpcore_server_t;
	class unix_dgram_socket { connect create };
}

#============= pulpcore_server_t ==============
allow pulpcore_server_t self:unix_dgram_socket { connect create };
apache_search_config(pulpcore_server_t)
kernel_dgram_send(pulpcore_server_t)

Thank you
Another bz related to SELinux is bug 1991030.
My proposed fix is here (Thank you Lukas, but I made additions per below):

After investigation, I determined that:

1. This is unrelated to the change in hostname.

2. This did not occur in pulp_installer because our service files do not have type=notify
   I created a PR so that it does: https://github.com/pulp/pulp_installer/pull/735

3. There is another denial, present on both my test system and on evgeni's Katello system [1].

4. This creates a need for sendto and kernel_t in the auto-generated policy:

require {
	type kernel_t;
	type pulpcore_server_t;
	class unix_dgram_socket { connect create sendto };
}

My proposed fix is here: https://github.com/pulp/pulpcore-selinux/pull/37

[1]
type=AVC msg=audit(1626392980.545:2751): avc: denied { sendto } for pid=31039 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
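As an added illustration (not code from the Pulp project or from anyone on this bug), the Python below does in miniature what audit2allow did in comment #2 and what comment #4 builds on: it parses the AVC records from the report into (source type, target type, class) tuples and renders the require block plus plain allow rules. It emits raw allow rules only, with none of the interface substitution that -R performs (kernel_dgram_send, apache_search_config), which is exactly what makes the kernel_t type and the sendto permission show up in the require block; the sample records are copied from the report, and the hex PROCTITLE/SYSCALL lines are skipped because only type=AVC lines carry the decision.

```python
"""Derive SELinux allow rules from AVC denial records (added example)."""
import re
from collections import defaultdict

# Sample input constructed from the AVC lines in this bug report (one of each
# distinct denial); ausearch prints the same fields, possibly with extra spaces.
SAMPLE_AVCS = """\
type=AVC msg=audit(1624864140.110:120): avc: denied { create } for pid=1193 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864140.110:121): avc: denied { sendto } for pid=1193 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864140.110:121): avc: denied { connect } for pid=1193 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1624864140.603:125): avc: denied { search } for pid=1151 comm="gunicorn" name="httpd" dev="vda1" ino=75586928 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
"""

# Only type=AVC records match; PROCTITLE, SYSCALL and "----" separators do not.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)"
)


def parse_denials(text):
    """Return {(source_type, target_type, tclass): {permission, ...}}."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the policy type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        needed[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(needed)


def render_te(needed):
    """Render a .te fragment: a require block, then one allow rule per tuple."""
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in needed.items():
        classes[cls].update(perms)
    out = ["require {"] + [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if src == tgt else tgt  # audit2allow collapses src==tgt to self
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)
```

Feeding it the full ausearch output from the report gives the same three rules, because repeated denials for other PIDs collapse into the same tuples.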
The Pulp upstream bug status is at ASSIGNED. Updating the external tracker on this bug.
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Upstream released: https://github.com/pulp/pulpcore-selinux/releases/tag/1.2.5
Note that there was much discussion of the nature of the bug and how to properly fix it, and it was conducted on the upstream PR: https://github.com/pulp/pulpcore-selinux/pull/37 Note that pulp_installer will utilize Type=notify from now on: https://github.com/pulp/pulp_installer/pull/735
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4702