Bug 2151664 (selinux) - [Sat6.12/SELinux/Bug] Running with SELinux Permissive mode triggers an AVC
Summary: [Sat6.12/SELinux/Bug] Running with SELinux Permissive mode triggers an AVC
Keywords:
Status: CLOSED DUPLICATE of bug 2218932
Alias: selinux
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.12.0
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-12-07 18:24 UTC by Rajesh Dulhani
Modified: 2023-07-18 17:16 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-18 17:16:47 UTC
Target Upstream Version:
Embargoed:



Description Rajesh Dulhani 2022-12-07 18:24:36 UTC
Description of problem:

I enabled SELinux permissive mode as part of my testing for the updated rhel8.7 insights-client. In that testing, an SELinux AVC is triggered between pulp processes.
I was also able to reproduce it later by just running 'setenforce Permissive'.

~~~
[Azure] vrempet-admin@li-lc-2751 ~
$ sudo aureport -a

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 11/30/2022 07:30:08 ? system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 0 (null) (null) (null) unset 53512
2. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55518
3. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55519
4. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55520
5. 11/30/2022 09:23:58 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55521
6. 11/30/2022 09:24:05 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55573
7. 11/30/2022 09:24:05 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55574
8. 11/30/2022 09:24:06 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55575
9. 11/30/2022 09:24:06 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55576
10. 11/30/2022 09:24:20 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key read system_u:system_r:pulpcore_server_t:s0 denied 55579
11. 11/30/2022 09:24:20 pulpcore-worker system_u:system_r:pulpcore_t:s0 250 key view system_u:system_r:pulpcore_server_t:s0 denied 55580

[Azure] vrempet-admin@li-lc-2751 ~
$ sudo ausearch -i -m avc,user_avc -ts today
----
type=USER_AVC msg=audit(11/30/2022 07:30:08.581:53512) : pid=1127 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=8)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(11/30/2022 09:23:58.268:55518) : proctitle=/usr/bin/python3.9 /usr/bin/pulpcore-worker
type=SYSCALL msg=audit(11/30/2022 09:23:58.268:55518) : arch=x86_64 syscall=keyctl success=yes exit=11 a0=0xb a1=0x1081359d a2=0x0 a3=0x0 items=0 ppid=1363 pid=1334513 auid=unset uid=pulp gid=pulp euid=pulp suid=pulp fsuid=pulp egid=pulp sgid=pulp fsgid=pulp tty=(none) ses=unset comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 09:23:58.268:55518) : avc:  denied  { read } for  pid=1334513 comm=pulpcore-worker scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=key permissive=1
----
type=PROCTITLE msg=audit(11/30/2022 09:23:58.268:55519) : proctitle=/usr/bin/python3.9 /usr/bin/pulpcore-worker
type=SYSCALL msg=audit(11/30/2022 09:23:58.268:55519) : arch=x86_64 syscall=keyctl success=yes exit=41 a0=0x6 a1=0x1081359d a2=0x0 a3=0x0 items=0 ppid=1363 pid=1334513 auid=unset uid=pulp gid=pulp euid=pulp suid=pulp fsuid=pulp egid=pulp sgid=pulp fsgid=pulp tty=(none) ses=unset comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 09:23:58.268:55519) : avc:  denied  { view } for  pid=1334513 comm=pulpcore-worker scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=key permissive=1
----
...

[Azure] vrempet-admin@li-lc-2751 ~
$ sudo audit2allow -a
#============= pulpcore_t ==============
allow pulpcore_t pulpcore_server_t:key { read view };
~~~


What is the business impact? Please also provide timeframe information.
unexpected log entries

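The records above are the `ausearch -i` (interpreted) layout, and the only two fields a reader really needs from them are the pairing of the AVC record with its SYSCALL record and the `permissive=1` flag. The following is an added example (not code from the report, from Satellite or from Pulp) that parses that layout, regroups the events, rebuilds the same `allow` rule that `audit2allow -a` printed, and decodes the `a0` argument of `keyctl` using the command numbers from `<linux/keyctl.h>`: `a0=0xb` is KEYCTL_READ and `a0=0x6` is KEYCTL_DESCRIBE, which is why the two AVCs ask for the `read` and `view` permissions on the `key` class. The sample text is constructed from the lines quoted in the report; the regexes assume the `-i` field layout and are an assumption of this example, not anything the audit tools guarantee.

```python
"""Added example, not code from the bug report, Satellite or Pulp: parse
SELinux AVC/SYSCALL records in `ausearch -i` layout, rebuild the
audit2allow-style rule, decode keyctl(2) commands, and flag permissive=1
events (audited but not blocked).  SAMPLE is constructed from the report."""
import re
from dataclasses import dataclass, field
from typing import Optional

# keyctl(2) command numbers from <linux/keyctl.h>; a0 of the SYSCALL record.
KEYCTL_CMDS = {
    0: "KEYCTL_GET_KEYRING_ID", 1: "KEYCTL_JOIN_SESSION_KEYRING",
    2: "KEYCTL_UPDATE", 3: "KEYCTL_REVOKE", 4: "KEYCTL_CHOWN",
    5: "KEYCTL_SETPERM", 6: "KEYCTL_DESCRIBE", 7: "KEYCTL_CLEAR",
    8: "KEYCTL_LINK", 9: "KEYCTL_UNLINK", 10: "KEYCTL_SEARCH", 11: "KEYCTL_READ",
}

# Assumed regexes for the interpreted (-i) layout; the event id after the
# last ':' in msg=audit(...) ties the AVC record to its SYSCALL record.
_EVENT_RE = re.compile(r"msg=audit\((.*?):(\d+)\)")
_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>\d))?")
_SYSCALL_RE = re.compile(
    r"syscall=(?P<syscall>\S+) success=(?P<success>\S+) .*? a0=(?P<a0>0x[0-9a-f]+|\d+)")


@dataclass
class AvcEvent:
    event_id: int
    scontext: str = ""
    tcontext: str = ""
    tclass: str = ""
    perms: list = field(default_factory=list)
    permissive: bool = False
    syscall: str = ""
    success: str = ""
    a0: Optional[int] = None

    @property
    def stype(self) -> str:  # type field of user:role:type:level
        return self.scontext.split(":")[2]

    @property
    def ttype(self) -> str:
        return self.tcontext.split(":")[2]

    def keyctl_cmd(self) -> Optional[str]:
        if self.syscall != "keyctl" or self.a0 is None:
            return None
        return KEYCTL_CMDS.get(self.a0, f"KEYCTL_UNKNOWN_{self.a0}")


def parse_events(text: str) -> list:
    """Group records by audit event id; keep only events that carry an AVC record."""
    events = {}
    for line in text.splitlines():
        m = _EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(2)), AvcEvent(int(m.group(2))))
        if line.startswith("type=AVC "):
            a = _AVC_RE.search(line)
            if a:
                ev.scontext, ev.tcontext, ev.tclass = a["scontext"], a["tcontext"], a["tclass"]
                ev.perms = a["perms"].split()
                ev.permissive = a["permissive"] == "1"
        elif line.startswith("type=SYSCALL "):
            s = _SYSCALL_RE.search(line)
            if s:
                ev.syscall, ev.success, ev.a0 = s["syscall"], s["success"], int(s["a0"], 0)
    return [e for e in events.values() if e.tclass]


def allow_rules(events: list) -> list:
    """Same grouping audit2allow does: one rule per (source type, target type, class)."""
    rules = {}
    for e in events:
        rules.setdefault((e.stype, e.ttype, e.tclass), set()).update(e.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]


def permissive_events(events: list) -> list:
    """permissive=1: the access was audited but allowed to proceed (success=yes);
    under enforcing mode the same access would be refused."""
    return [e for e in events if e.permissive]


# Constructed sample: the USER_AVC, and the first two events from the report.
SAMPLE = """\
type=USER_AVC msg=audit(11/30/2022 07:30:08.581:53512) : pid=1127 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=8)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(11/30/2022 09:23:58.268:55518) : arch=x86_64 syscall=keyctl success=yes exit=11 a0=0xb a1=0x1081359d a2=0x0 a3=0x0 items=0 ppid=1363 pid=1334513 auid=unset uid=pulp gid=pulp euid=pulp suid=pulp fsuid=pulp egid=pulp sgid=pulp fsgid=pulp tty=(none) ses=unset comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 09:23:58.268:55518) : avc:  denied  { read } for  pid=1334513 comm=pulpcore-worker scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=key permissive=1
type=SYSCALL msg=audit(11/30/2022 09:23:58.268:55519) : arch=x86_64 syscall=keyctl success=yes exit=41 a0=0x6 a1=0x1081359d a2=0x0 a3=0x0 items=0 ppid=1363 pid=1334513 auid=unset uid=pulp gid=pulp euid=pulp suid=pulp fsuid=pulp egid=pulp sgid=pulp fsgid=pulp tty=(none) ses=unset comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(11/30/2022 09:23:58.268:55519) : avc:  denied  { view } for  pid=1334513 comm=pulpcore-worker scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=key permissive=1
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for e in evs:
        print(f"event {e.event_id}: {e.stype} -> {e.ttype}:{e.tclass} {e.perms} "
              f"via {e.keyctl_cmd()} success={e.success} permissive={e.permissive}")
    print("\n".join(allow_rules(evs)))
```

Run it against `sudo ausearch -i -m avc,user_avc -ts today` output piped to a file to reproduce the report's `allow pulpcore_t pulpcore_server_t:key { read view };` rule. The pairing `permissive=1` with `success=yes` is the practical caveat of this report: the worker's keyctl calls went through, so the entries are noise only because the box was in permissive mode, and the regenerated rule is a diagnosis of what enforcing mode would refuse, not something to load with `semodule` without understanding why `pulpcore_t` is reading a key owned by `pulpcore_server_t`.
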
Comment 4 Adam Ruzicka 2023-07-18 17:16:47 UTC
This looks like a duplicate of BZ2218932, so I'll go ahead and close it as such. If you feel the two BZs are distinct enough, feel free to reopen; otherwise, please follow the other BZ for updates.

*** This bug has been marked as a duplicate of bug 2218932 ***

