Bug 2029385 - selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key
Summary: selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.11.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: Lai
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-12-06 11:25 UTC by Evgeni Golov
Modified: 2022-07-05 14:31 UTC

Fixed In Version: pulpcore-selinux-1.3.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-05 14:30:51 UTC
Target Upstream Version:
Embargoed:




Links
System: Github, ID: pulp/pulpcore-selinux issue 43, Status: open, Summary: selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key, Last Updated: 2021-12-06 21:30:54 UTC
System: Red Hat Product Errata, ID: RHSA-2022:5498, Last Updated: 2022-07-05 14:31:02 UTC

Description Evgeni Golov 2021-12-06 11:25:30 UTC
Description of problem:
With pulp 3.16+, there is a new key on disk (/etc/pulp/certs/database_fields.symmetric.key) which needs to be accessed by pulp, but I see denials in the logs:

type=AVC msg=audit(1638468789.727:125): avc:  denied  { search } for  pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { read } for  pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { open } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:126): avc:  denied  { getattr } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:127): avc:  denied  { ioctl } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { read } for  pid=1558 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { open } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.916:130): avc:  denied  { getattr } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.917:131): avc:  denied  { ioctl } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { read } for  pid=19219 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { open } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:840): avc:  denied  { getattr } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:841): avc:  denied  { ioctl } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { read } for  pid=19240 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { open } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:843): avc:  denied  { getattr } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:844): avc:  denied  { ioctl } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):
7.0 snap 1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
see above

Expected results:
no denials

Additional info:
I don't think we currently encrypt any DB fields, so it's not fatal, but still…

Comment 2 Milos Malik 2021-12-15 13:33:03 UTC
I believe that various *.key files are mislabeled. Directories which contain certificates and key files usually have the cert_t label.

Does the scenario work when you label the /etc/pulp/certs directory and its content as cert_t?

# chcon -R -t cert_t /etc/pulp/certs

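As an added example (not part of this bug report and not code from pulpcore-selinux), the helper below does the two things a practitioner would want at this point: it summarizes AVC records such as the ones in the description by source domain, target type and object class, and it prints the persistent form of the cert_t relabel suggested in comment 2. The sample records are copied from the description above. The helper assumes only a POSIX shell plus awk; the semanage/restorecon commands are printed rather than executed, since they need policycoreutils and root on a real host, and the directory and type passed to relabel_cmds are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of pulpcore-selinux.
# Triage AVC denials and print a persistent relabel for a mislabeled
# certificate/key directory. Requires only sh + awk.

# Three records copied from the bug description above (sample input).
SAMPLE_AVC='type=AVC msg=audit(1638468789.727:125): avc:  denied  { search } for  pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { read } for  pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { read } for  pid=1558 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1'

# avc_summary: read AVC records on stdin and print one line per
# (source type -> target type, class) with the union of denied permissions
# and whether the denial was enforced (permissive=0) or only logged.
# On a live host: ausearch -m avc -ts recent | avc_summary
avc_summary() {
  awk '
    /^type=AVC/ && /avc: +denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""; mode = "enforced"
      # the permission set sits between "{ " and " }"
      if (match($0, /\{ [^}]* \}/))
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
        else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
        else if (kv[1] == "tclass")   cls = kv[2]
        else if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
      }
      key = src " -> " tgt " " cls
      if (!(key in seen)) { seen[key] = ++nkeys; order[nkeys] = key; perms[key] = perm }
      else if (index(" " perms[key] " ", " " perm " ") == 0) perms[key] = perms[key] " " perm
      modes[key] = mode
    }
    END {
      for (i = 1; i <= nkeys; i++) {
        k = order[i]
        printf "%s { %s } %s\n", k, perms[k], modes[k]
      }
    }'
}

# relabel_cmds DIR TYPE: print the persistent relabel. chcon (comment 2)
# is fine for a quick test but is undone by the next restorecon or
# filesystem relabel; a semanage fcontext rule survives both.
relabel_cmds() {
  dir=$1
  ctx=$2
  printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$ctx" "$dir"
  printf 'restorecon -RFv %s\n' "$dir"
  printf 'ls -laZ %s\n' "$dir"
}

# Stand-alone demo on the sample records (directory/type are illustrative).
printf '%s\n' "$SAMPLE_AVC" | avc_summary
relabel_cmds /etc/pulp/certs cert_t
```

Two points the summary makes visible. Every record in the report carries permissive=1, so these denials were logged but not enforced and the reads went through, which is why the description calls the problem not fatal; on an enforcing host the same mislabel would break the worker and the API server. And because the target type is httpd_config_t, the fix belongs on the file (a relabel, or a file context rule shipped with the policy package) rather than an audit2allow rule granting pulpcore_t and pulpcore_server_t read access to every httpd_config_t file, which would be far broader than the one key these services need.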
Comment 3 Evgeni Golov 2021-12-15 13:43:42 UTC
I don't have the machine at hand, so can't check right now, but I think there are no other files in that directory?

Comment 4 Stephen Wadeley 2022-02-23 17:11:56 UTC
(In reply to Evgeni Golov from comment #3)
> I don't have the machine at hand, so can't check right now, but I think
> there are no other files in that directory?

Yes, no other files.

[root@xxxx ~]# ls -laZ /etc/pulp/certs
total 4
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 43 Feb 17 13:20 .
drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0          38 Feb 21 04:58 ..
-rw-r-----. 1 root pulp system_u:object_r:httpd_config_t:s0 45 Feb 17 13:20 database_fields.symmetric.key
[root@xxxx ~]# 

The upstream issue has no one assigned; let's ask @mdepaulo if this is on his list.

Thank you

Comment 6 Dennis Kliban 2022-03-30 17:41:23 UTC
This is fixed in pulpcore-selinux 1.3.0.

Comment 9 Lai 2022-04-26 21:52:43 UTC
Steps to retest:

1. spin up fresh 6.11
2. import manifest
3. sync a few rhel repos
4. create cv and add repos to it
5. publish cv
6. check log for denial for database_fields.symmetric.key

Expected:
There shouldn't be any denials from database_fields.symmetric.key

Actual:
There is no denial for database_fields.symmetric.key

Verified on 6.11_017 with pulpcore-selinux-1.3.0-1.el8pc.x86_64

Comment 12 errata-xmlrpc 2022-07-05 14:30:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

