Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2029385

Summary:	selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key
Product:	Red Hat Satellite	Reporter:	Evgeni Golov <egolov>
Component:	Pulp	Assignee:	satellite6-bugs <satellite6-bugs>
Status:	CLOSED ERRATA	QA Contact:	Lai <ltran>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	6.11.0	CC:	dkliban, ggainey, lzap, mdepaulo, mmalik, rchan, swadeley
Target Milestone:	6.11.0	Keywords:	SELinux, Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	pulpcore-selinux-1.3.0	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-07-05 14:30:51 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Evgeni Golov 2021-12-06 11:25:30 UTC

Description of problem:
With pulp 3.16+, there is a new key on disk (/etc/pulp/certs/database_fields.symmetric.key) which needs to be accessed by pulp, but I see denials in the logs:

type=AVC msg=audit(1638468789.727:125): avc:  denied  { search } for  pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { read } for  pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { open } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:126): avc:  denied  { getattr } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:127): avc:  denied  { ioctl } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { read } for  pid=1558 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { open } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.916:130): avc:  denied  { getattr } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.917:131): avc:  denied  { ioctl } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { read } for  pid=19219 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { open } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:840): avc:  denied  { getattr } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:841): avc:  denied  { ioctl } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { read } for  pid=19240 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { open } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:843): avc:  denied  { getattr } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:844): avc:  denied  { ioctl } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):
7.0 snap 1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
see above

Expected results:
no denials

Additional info:
I don't think we currently encrypt any DB fields, so it's not fatal, but still…

Comment 2 Milos Malik 2021-12-15 13:33:03 UTC

I believe that various *.key files are mislabeled. Directories which contain certificates and key files usually have the cert_t label.

Does the scenario work when you label the /etc/pulp/certs directory and its content as cert_t?

# chcon -R -t cert_t /etc/pulp/certs

Comment 3 Evgeni Golov 2021-12-15 13:43:42 UTC

I don't have the machine at hand, so can't check right now, but I think there are no other files in that directory?

Comment 4 Stephen Wadeley 2022-02-23 17:11:56 UTC

(In reply to Evgeni Golov from comment #3)
> I don't have the machine at hand, so can't check right now, but I think
> there are no other files in that directory?

Yes, no other files.

[root@xxxx ~]# ls -laZ /etc/pulp/certs
total 4
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 43 Feb 17 13:20 .
drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0          38 Feb 21 04:58 ..
-rw-r-----. 1 root pulp system_u:object_r:httpd_config_t:s0 45 Feb 17 13:20 database_fields.symmetric.key
[root@xxxx ~]# 

The upstream issue has no one assigned, 
lets ask @mdepaulo if this is on his list

Thank you

Comment 6 Dennis Kliban 2022-03-30 17:41:23 UTC

This is fixed in pulpcore-selinux 1.3.0.

Comment 9 Lai 2022-04-26 21:52:43 UTC

Steps to retest:

1. spin up fresh 6.11
2. import manifest
3. sync a few rhel repos
4. create cv and add repos to it
5. publish cv
6. check log for denial for database_fields.symmetric.key

Expected:
There shouldn't be any denials from database_fields.symmetric.key

Actual:
There is no denial for database_fields.symmetric.key

Verified on 6.11_017 with pulpcore-selinux-1.3.0-1.el8pc.x86_64

Comment 12 errata-xmlrpc 2022-07-05 14:30:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498