Description of problem: Via https://bugzilla.redhat.com/show_bug.cgi?id=2103920 we fixed\workedaround a candlepin related selinux issue but then we get to see a similar denial for pulpcore gunicorn process as well. Version-Release number of selected component (if applicable): Satellite 6.11 on RHEL 8 Leapp How reproducible: Always Steps to Reproduce: 1. Install and configure a satellite 6.11 on RHEL 7 2. Follow https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/upgrading_and_updating_red_hat_satellite/index#upgrading-project-in-place-using-leapp_upgrade-guide to upgrade the OS to RHEl 8 3. Look for selinux denials in audit logs Actual results: time->Tue Jul 26 16:16:44 2022 type=PROCTITLE msg=audit(1658877404.773:83): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373 type=SYSCALL msg=audit(1658877404.773:83): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=2c95c783 a2=0 a3=0 items=0 ppid=1258 pid=1776 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null) type=AVC msg=audit(1658877404.773:83): avc: denied { read } for pid=1776 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1 ---- time->Tue Jul 26 16:16:44 2022 type=PROCTITLE msg=audit(1658877404.773:84): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373 type=SYSCALL msg=audit(1658877404.773:84): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=2c95c783 a2=0 a3=0 items=0 ppid=1258 pid=1776 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null) type=AVC msg=audit(1658877404.773:84): avc: denied { view } for pid=1776 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1 Expected results: No denials Additional info:
Going back a little further, the gunicorn errors show up: [root@sat6 ~]# journalctl -t setroubleshoot --since=06:00 -- Logs begin at Mon 2022-07-25 16:40:54 EDT, end at Wed 2022-07-27 10:14:15 EDT. -- Jul 27 06:00:09 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473> Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10 Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc> Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10 Jul 27 06:00:25 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473> Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn # semodule -X 300 -i my-gunicorn.pp Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Set alarm timeout to 10 Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc> Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default. Then you should report this as a bug.
I am seeing the gunicorn AVC denials as well. [root@satellite ~]# ausearch -m AVC,USER_AVC -ts boot ---- time->Tue Jul 26 16:43:56 2022 type=PROCTITLE msg=audit(1658879036.101:80): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373 type=SYSCALL msg=audit(1658879036.101:80): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null) type=AVC msg=audit(1658879036.101:80): avc: denied { read } for pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1 ---- time->Tue Jul 26 16:43:56 2022 type=PROCTITLE msg=audit(1658879036.102:81): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373 type=SYSCALL msg=audit(1658879036.102:81): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null) type=AVC msg=audit(1658879036.102:81): avc: denied { view } for pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1 ---- .... DELETED ADDITIONAL EXAMPLES Running audit2allow shows the missing rule that is needed: [root@satellite ~]# audit2allow -b #============= pulpcore_server_t ============== allow pulpcore_server_t pulpcore_t:key { read view };
VERIFIED. @Satellite 6.12.0 Snap10 pulpcore-selinux-1.3.2-1.el8pc.x86_64 SanityOnly. There is no LEAPP upgrade possible for 6.12 which is el8 only At least I verify the same change set went in: # semodule_unpackage /usr/share/selinux/targeted/pulpcore.{pp,mod} # sedismod /usr/share/selinux/targeted/pulpcore.mod ... Command ('m' for menu): f Filename for output (<CR> for screen output): out Output to file: out Command ('m' for menu): 1 Command ('m' for menu): q # grep 'allow pulpcore_server_t pulpcore_t' out allow pulpcore_server_t pulpcore_t : [key] { view read }; >>> the change in selinux policy is present
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8506