Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2111570 - AVC denials noticed for gunicorn process after upgrading the Satellite 6.11 OS from RHEL 7 to RHEL 8 using leapp
Summary: AVC denials noticed for gunicorn process after upgrading the Satellite 6.11 O...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.11.0
Hardware: All
OS: All
high
high
Target Milestone: 6.12.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-07-27 13:46 UTC by Sayan Das
Modified: 2022-11-16 13:35 UTC (History)
7 users (show)

Fixed In Version: pulpcore-selinux-1.3.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2122197 (view as bug list)
Environment:
Last Closed: 2022-11-16 13:34:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github pulp/pulpcore-selinux/commit/7905c5a7bfbac69e6decdc4478d4020c10463cf6 0 None None None 2022-08-09 13:10:35 UTC
Red Hat Issue Tracker SAT-12270 0 None None None 2022-08-17 21:42:27 UTC
Red Hat Issue Tracker SAT-12929 0 None None None 2022-09-14 10:31:42 UTC
Red Hat Product Errata RHSA-2022:8506 0 None None None 2022-11-16 13:35:03 UTC

Description Sayan Das 2022-07-27 13:46:04 UTC 
Description of problem:

Via https://bugzilla.redhat.com/show_bug.cgi?id=2103920 we fixed\workedaround a candlepin related selinux issue but then we get to see a similar denial for pulpcore gunicorn process as well.


Version-Release number of selected component (if applicable):

Satellite 6.11 on RHEL 8
Leapp


How reproducible:

Always


Steps to Reproduce:
1. Install and configure a satellite 6.11 on RHEL 7

2. Follow https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html-single/upgrading_and_updating_red_hat_satellite/index#upgrading-project-in-place-using-leapp_upgrade-guide to upgrade the OS to RHEl 8

3. Look for selinux denials in audit logs


Actual results:

time->Tue Jul 26 16:16:44 2022
type=PROCTITLE msg=audit(1658877404.773:83): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658877404.773:83): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=2c95c783 a2=0 a3=0 items=0 ppid=1258 pid=1776 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658877404.773:83): avc:  denied  { read } for  pid=1776 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1
----
time->Tue Jul 26 16:16:44 2022
type=PROCTITLE msg=audit(1658877404.773:84): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658877404.773:84): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=2c95c783 a2=0 a3=0 items=0 ppid=1258 pid=1776 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658877404.773:84): avc:  denied  { view } for  pid=1776 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1




Expected results:

No denials 


Additional info:
Comment 3 Paul Armstrong 2022-07-27 14:21:00 UTC 
Going back a little further, the gunicorn errors show up:

[root@sat6 ~]# journalctl -t setroubleshoot --since=06:00
-- Logs begin at Mon 2022-07-25 16:40:54 EDT, end at Wed 2022-07-27 10:14:15 EDT. --
Jul 27 06:00:09 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473>
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn
                                                          # semodule -X 300 -i my-gunicorn.pp
                                                          
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc>
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn
                                                          # semodule -X 300 -i my-gunicorn.pp
                                                          
Jul 27 06:00:11 sat6.parmstrong.ca setroubleshoot[96579]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 27 06:00:25 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 4f5f5039-5222-473>
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing /usr/bin/python3.8 from read access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that python3.8 should be allowed read access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
                                                          You can generate a local policy module to allow this access.
                                                          Do
                                                          allow this access for now by executing:
                                                          # ausearch -c 'gunicorn' --raw | audit2allow -M my-gunicorn
                                                          # semodule -X 300 -i my-gunicorn.pp
                                                          
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 27 06:00:28 sat6.parmstrong.ca setroubleshoot[96614]: AnalyzeThread.run(): Cancel pending alarm
Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t. For complete SELinux messages run: sealert -l 99160d47-43b5-4958-80b9-3cc>
Jul 27 06:00:29 sat6.parmstrong.ca setroubleshoot[96614]: SELinux is preventing gunicorn from view access on the key labeled pulpcore_t.
                                                          
                                                          *****  Plugin catchall (100. confidence) suggests   **************************
                                                          
                                                          If you believe that gunicorn should be allowed view access on key labeled pulpcore_t by default.
                                                          Then you should report this as a bug.
Comment 4 Brant Evans 2022-07-27 15:06:46 UTC 
I am seeing the gunicorn AVC denials as well.

[root@satellite ~]# ausearch -m AVC,USER_AVC -ts boot
----
time->Tue Jul 26 16:43:56 2022
type=PROCTITLE msg=audit(1658879036.101:80): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658879036.101:80): arch=c000003e syscall=250 success=yes exit=12 a0=b a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658879036.101:80): avc:  denied  { read } for  pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1
----
time->Tue Jul 26 16:43:56 2022
type=PROCTITLE msg=audit(1658879036.102:81): proctitle=2F7573722F62696E2F707974686F6E332E38002F7573722F62696E2F67756E69636F726E0070756C70636F72652E636F6E74656E743A736572766572002D2D74696D656F7574003930002D2D776F726B65722D636C6173730061696F687474702E47756E69636F726E576562576F726B6572002D770039002D2D616363657373
type=SYSCALL msg=audit(1658879036.102:81): arch=c000003e syscall=250 success=yes exit=43 a0=6 a1=39686015 a2=0 a3=0 items=0 ppid=1273 pid=1764 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gunicorn" exe="/usr/bin/python3.8" subj=system_u:system_r:pulpcore_server_t:s0 key=(null)
type=AVC msg=audit(1658879036.102:81): avc:  denied  { view } for  pid=1764 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_t:s0 tclass=key permissive=1
----
.... DELETED ADDITIONAL EXAMPLES



Running audit2allow shows the missing rule that is needed:

[root@satellite ~]# audit2allow -b


#============= pulpcore_server_t ==============
allow pulpcore_server_t pulpcore_t:key { read view };
Comment 5 Lukas Pramuk 2022-09-14 10:23:20 UTC 
VERIFIED.

@Satellite 6.12.0 Snap10
pulpcore-selinux-1.3.2-1.el8pc.x86_64

SanityOnly.
There is no LEAPP upgrade possible for 6.12 which is el8 only
At least I verify the same change set went in:

# semodule_unpackage /usr/share/selinux/targeted/pulpcore.{pp,mod}

# sedismod /usr/share/selinux/targeted/pulpcore.mod
...
Command ('m' for menu):  f

Filename for output (<CR> for screen output): out

Output to file: out

Command ('m' for menu):  1

Command ('m' for menu):  q

# grep 'allow pulpcore_server_t pulpcore_t' out
  allow pulpcore_server_t pulpcore_t : [key] { view read };


>>> the change in selinux policy is present
Comment 9 errata-xmlrpc 2022-11-16 13:34:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.12 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8506
Note You need to log in before you can comment on or make changes to this bug.