2029385 – selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2029385 - selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key

Summary: selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Pulp
Sub Component:
Version:	6.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	6.11.0
Assignee:	satellite6-bugs
QA Contact:	Lai
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-12-06 11:25 UTC by Evgeni Golov
Modified:	2022-07-05 14:31 UTC (History)
CC List:	7 users (show)
Fixed In Version:	pulpcore-selinux-1.3.0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-07-05 14:30:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	pulp pulpcore-selinux issues 43	0	None	open	selinux denials when accessing /etc/pulp/certs/database_fields.symmetric.key	2021-12-06 21:30:54 UTC
Red Hat Product Errata	RHSA-2022:5498	0	None	None	None	2022-07-05 14:31:02 UTC

Description Evgeni Golov 2021-12-06 11:25:30 UTC

Description of problem:
With pulp 3.16+, there is a new key on disk (/etc/pulp/certs/database_fields.symmetric.key) which needs to be accessed by pulp, but I see denials in the logs:

type=AVC msg=audit(1638468789.727:125): avc:  denied  { search } for  pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { read } for  pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.727:125): avc:  denied  { open } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:126): avc:  denied  { getattr } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468789.746:127): avc:  denied  { ioctl } for  pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { read } for  pid=1558 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.915:129): avc:  denied  { open } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.916:130): avc:  denied  { getattr } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638468790.917:131): avc:  denied  { ioctl } for  pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { read } for  pid=19219 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.345:839): avc:  denied  { open } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:840): avc:  denied  { getattr } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505508.346:841): avc:  denied  { ioctl } for  pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { read } for  pid=19240 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:842): avc:  denied  { open } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:843): avc:  denied  { getattr } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(1638505511.430:844): avc:  denied  { ioctl } for  pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1


Version-Release number of selected component (if applicable):
7.0 snap 1

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
see above

Expected results:
no denials

Additional info:
I don't think we currently encrypt any DB fields, so it's not fatal, but still…

Comment 2 Milos Malik 2021-12-15 13:33:03 UTC

I believe that various *.key files are mislabeled. Directories which contain certificates and key files usually have the cert_t label.

Does the scenario work when you label the /etc/pulp/certs directory and its content as cert_t?

# chcon -R -t cert_t /etc/pulp/certs

Comment 3 Evgeni Golov 2021-12-15 13:43:42 UTC

I don't have the machine at hand, so can't check right now, but I think there are no other files in that directory?

Comment 4 Stephen Wadeley 2022-02-23 17:11:56 UTC

(In reply to Evgeni Golov from comment #3)
> I don't have the machine at hand, so can't check right now, but I think
> there are no other files in that directory?

Yes, no other files.

[root@xxxx ~]# ls -laZ /etc/pulp/certs
total 4
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 43 Feb 17 13:20 .
drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0          38 Feb 21 04:58 ..
-rw-r-----. 1 root pulp system_u:object_r:httpd_config_t:s0 45 Feb 17 13:20 database_fields.symmetric.key
[root@xxxx ~]# 

The upstream issue has no one assigned, 
lets ask @mdepaulo if this is on his list

Thank you

Comment 6 Dennis Kliban 2022-03-30 17:41:23 UTC

This is fixed in pulpcore-selinux 1.3.0.

Comment 9 Lai 2022-04-26 21:52:43 UTC

Steps to retest:

1. spin up fresh 6.11
2. import manifest
3. sync a few rhel repos
4. create cv and add repos to it
5. publish cv
6. check log for denial for database_fields.symmetric.key

Expected:
There shouldn't be any denials from database_fields.symmetric.key

Actual:
There is no denial for database_fields.symmetric.key

Verified on 6.11_017 with pulpcore-selinux-1.3.0-1.el8pc.x86_64

Comment 12 errata-xmlrpc 2022-07-05 14:30:51 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

Note You need to log in before you can comment on or make changes to this bug.