Bug 2111570 - AVC denials noticed for gunicorn process after upgrading the Satellite 6.11 OS from RHEL 7 to RHEL 8 using leapp
Summary: AVC denials noticed for gunicorn process after upgrading the Satellite 6.11 O...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.11.0
Hardware: All
OS: All
high
high
Target Milestone: 6.12.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-07-27 13:46 UTC by Sayan Das
Modified: 2022-11-16 13:35 UTC (History)
7 users (show)

Fixed In Version: pulpcore-selinux-1.3.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2122197 (view as bug list)
Environment:
Last Closed: 2022-11-16 13:34:51 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github pulp/pulpcore-selinux/commit/7905c5a7bfbac69e6decdc4478d4020c10463cf6 0 None None None 2022-08-09 13:10:35 UTC
Red Hat Issue Tracker SAT-12270 0 None None None 2022-08-17 21:42:27 UTC
Red Hat Issue Tracker SAT-12929 0 None None None 2022-09-14 10:31:42 UTC
Red Hat Product Errata RHSA-2022:8506 0 None None None 2022-11-16 13:35:03 UTC

Description Sayan Das 2022-07-27 13:46:04 UTC
Description of problem:

Via https://bugzilla.redhat.com/show_bug.cgi?id=2103920 we fixed\workedaround a candlepin related selinux issue but then we get to see a similar denial for pulpcore gunicorn process as well.


Version-Release number of selected component (if applicable):

Satellite 6.11 on RHEL 8
Leapp


How reproducible:

Always


Steps to Reproduce:
1. Install and configure a satellite 6.11 on RHEL 7

2. Follow https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/upgrading_and_updating_red_hat_satellite/index#upgrading-project-in-place-using-leapp_upgrade-guide to upgrade the OS to RHEl 8

3. Look for selinux denials in audit logs


Actual results:

time->Tue Jul 26 16:16:44 2022
type=PROCTITLE msg=audit(1658877404.773:83): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658877404.773:83): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=2c95c783 a2=0 a3=0 items=0 ppid=1258 pid=1776 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658877404.773:83): avc:  denied  { read } for  pid=1776 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1
----
time->Tue Jul 26 16:16:44 2022
type=PROCTITLE msg=audit(1658877404.773:84): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658877404.773:84): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=2c95c783 a2=0 a3=0 items=0 ppid=1258 pid=1776 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658877404.773:84): avc:  denied  { view } for  pid=1776 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1




Expected results:

No denials 


Additional info:

Comment 3 Paul Armstrong 2022-07-27 14:21:00 UTC
Going back a little further, the gunicorn errors show up:

[root@sat6 ~]# journalctl -t setroubleshoot --since=06:00
-- Logs begin at Mon 2022-07-25 16:40:54 EDT, end at Wed 2022-07-27 10:14:15 EDT. --
Jul 27 06:00:09 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473>
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn
                                                          # semodule -X 300 -i my-gunicorn.pp
                                                          
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc>
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn
                                                          # semodule -X 300 -i my-gunicorn.pp
                                                          
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 27 06:00:25 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473>
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn
                                                          # semodule -X 300 -i my-gunicorn.pp
                                                          
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc>
Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.

Comment 4 Brant Evans 2022-07-27 15:06:46 UTC
I am seeing the gunicorn AVC denials as well.

[root@satellite ~]# ausearch -m AVC,USER_AVC -ts boot
----
time->Tue Jul 26 16:43:56 2022
type=PROCTITLE msg=audit(1658879036.101:80): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658879036.101:80): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658879036.101:80): avc:  denied  { read } for  pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1
----
time->Tue Jul 26 16:43:56 2022
type=PROCTITLE msg=audit(1658879036.102:81): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658879036.102:81): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658879036.102:81): avc:  denied  { view } for  pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1
----
.... DELETED ADDITIONAL EXAMPLES



Running audit2allow shows the missing rule that is needed:

[root@satellite ~]# audit2allow -b


#============= pulpcore_server_t ==============
allow pulpcore_server_t pulpcore_t:key { read view };

Comment 5 Lukas Pramuk 2022-09-14 10:23:20 UTC
VERIFIED.

@Satellite 6.12.0 Snap10
pulpcore-selinux-1.3.2-1.el8pc.x86_64

SanityOnly.
There is no LEAPP upgrade possible for 6.12 which is el8 only
At least I verify the same change set went in:

# semodule_unpackage /usr/share/selinux/targeted/pulpcore.{pp,mod}

# sedismod /usr/share/selinux/targeted/pulpcore.mod
...
Command ('m' for menu):  f

Filename for output (<CR> for screen output): out

Output to file: out

Command ('m' for menu):  1

Command ('m' for menu):  q

# grep 'allow pulpcore_server_t pulpcore_t' out
  allow pulpcore_server_t pulpcore_t : [key] { view read };


>>> the change in selinux policy is present

Comment 9 errata-xmlrpc 2022-11-16 13:34:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506


Note You need to log in before you can comment on or make changes to this bug.