Description of problem: With pulp 3.16+, there is a new key on disk (/etc/pulp/certs/database_fields.symmetric.key) which needs to be accessed by pulp, but I see denials in the logs: type=AVC msg=audit(1638468789.727:125): avc: denied { search } for pid=1337 comm="pulpcore-worker" name="certs" dev="vda1" ino=71561290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1638468789.727:125): avc: denied { read } for pid=1337 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468789.727:125): avc: denied { open } for pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468789.746:126): avc: denied { getattr } for pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468789.746:127): avc: denied { ioctl } for pid=1337 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468790.915:129): avc: denied { read } for pid=1558 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468790.915:129): avc: denied { open } for pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468790.916:130): avc: denied { getattr } for pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638468790.917:131): avc: denied { ioctl } for pid=1558 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505508.345:839): avc: denied { read } for pid=19219 comm="gunicorn" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505508.345:839): avc: denied { open } for pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505508.346:840): avc: denied { getattr } for pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505508.346:841): avc: denied { ioctl } for pid=19219 comm="gunicorn" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505511.430:842): avc: denied { read } for pid=19240 comm="pulpcore-worker" name="database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505511.430:842): avc: denied { open } for pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505511.430:843): avc: denied { getattr } for pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 type=AVC msg=audit(1638505511.430:844): avc: denied { ioctl } for pid=19240 comm="pulpcore-worker" path="/etc/pulp/certs/database_fields.symmetric.key" dev="vda1" ino=71561291 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1 Version-Release number of selected component (if applicable): 7.0 snap 1 How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: see above Expected results: no denials Additional info: I don't think we currently encrypt any DB fields, so it's not fatal, but still…
I believe that various *.key files are mislabeled. Directories which contain certificates and key files usually have the cert_t label. Does the scenario work when you label the /etc/pulp/certs directory and its content as cert_t? # chcon -R -t cert_t /etc/pulp/certs
I don't have the machine at hand, so can't check right now, but I think there are no other files in that directory?
(In reply to Evgeni Golov from comment #3) > I don't have the machine at hand, so can't check right now, but I think > there are no other files in that directory? Yes, no other files. [root@xxxx ~]# ls -laZ /etc/pulp/certs total 4 drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 43 Feb 17 13:20 . drwxr-xr-x. 3 root root system_u:object_r:etc_t:s0 38 Feb 21 04:58 .. -rw-r-----. 1 root pulp system_u:object_r:httpd_config_t:s0 45 Feb 17 13:20 database_fields.symmetric.key [root@xxxx ~]# The upstream issue has no one assigned, lets ask @mdepaulo if this is on his list Thank you
This is fixed in pulpcore-selinux 1.3.0.
Steps to retest: 1. spin up fresh 6.11 2. import manifest 3. sync a few rhel repos 4. create cv and add repos to it 5. publish cv 6. check log for denial for database_fields.symmetric.key Expected: There shouldn't be any denials from database_fields.symmetric.key Actual: There is no denial for database_fields.symmetric.key Verified on 6.11_017 with pulpcore-selinux-1.3.0-1.el8pc.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498