Bug 2223175 - pulpcore_t ( pulpcore-worker ) and pulpcore_server_t ( gunicorn ) should have a read-only level of access on httpd_sys_content_t .
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.13.1
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-07-16 07:35 UTC by Sayan Das
Modified: 2024-06-06 16:24 UTC
CC List: 1 user

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-06-06 16:24:38 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Issue Tracker
ID: SAT-23019
Private: 0
Priority: None
Status: Migrated
Summary: None
Last Updated: 2024-06-06 16:24:37 UTC

Description Sayan Das 2023-07-16 07:35:16 UTC
Description of problem:

pulpcore_t (pulpcore-worker) and pulpcore_server_t (gunicorn) should have a read-only level of access on httpd_sys_content_t.


Version-Release number of selected component (if applicable):

Sat 6.10 / 6.11 / 6.12 / 6.13

How reproducible:
100%

Steps to Reproduce:

1. Install any of the affected versions of Satellite (the end user is using 6.13), with SELinux in enforcing mode.

2. Follow these steps on the satellite:

# mkdir -p /var/lib/soe/software/custom/9/x86_64/Packages
# cd /var/lib/soe/software/custom/9/x86_64/Packages
# mkdir a j p 
# cd a; wget https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/a/ansible-7.2.0-1.el9.noarch.rpm; cd ..
# cd j; wget https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/j/jsonnet-0.20.0-1.el9.x86_64.rpm; cd ..
# cd p; wget https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/p/python3-beautifulsoup4-4.10.0-6.el9.noarch.rpm; cd ..
# cd /var/lib/soe/software/custom/9/x86_64/
# createrepo -v .

# semanage fcontext -a -t httpd_sys_content_t "/var/lib/soe/software(/.*)?"
# restorecon -RFv /var/lib/soe/software/

# satellite-installer --foreman-proxy-content-pulpcore-additional-import-paths /var/lib/soe/software

3. Create a custom product and repo in Satellite with the base URL set to file:///var/lib/soe/software/custom/9/x86_64/, download policy Immediate and mirroring policy Complete_Mirroring.

4. Sync the repo and note both the sync result and the /var/log/audit/audit.log messages.


Actual results:

While selinux remains in enforcing mode:

* Sync would be successful

* auditd will log the following denials in audit.log, but will also append permissive=1 at the end of them for some reason [i.e. making them not an actual denial of operations at all].

type=AVC msg=audit(1689144658.401:1292): avc:  denied  { getattr } for  pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144658.402:1293): avc:  denied  { read } for  pid=15352 comm="pulpcore-worker" name="repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144658.402:1293): avc:  denied  { open } for  pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144658.402:1294): avc:  denied  { ioctl } for  pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 ioctlcmd=0x5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

(This is the same whether I test on a RHEL 7 or RHEL 8 based Satellite.)

* Reason:

pulpcore_t does not have the required access on httpd_sys_content_t:

# sesearch -A -s pulpcore_t -p ioctl  | grep http
allow pulpcore_t httpd_sys_rw_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
allow pulpcore_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow pulpcore_t httpd_sys_rw_content_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink write };


Expected results:

* No such denials
* pulpcore_t (and perhaps pulpcore_server_t) should have the required read-only level of access to the httpd_sys_content_t context.



Additional info:

Changing the context of "/var/lib/soe/software(/.*)?" to either httpd_sys_rw_content_t or pulpcore_var_lib_t (which is the context of /var/lib/pulp/media) can also resolve the denials. But the end user claims there is absolutely no reason for httpd_sys_content_t to show a denial, or for pulpcore_t not to have access on httpd_sys_content_t at all.


By definition:

httpd_sys_content_t

Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd. By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note that by default, files created in or copied into the /var/www/html/ directory are labeled with the httpd_sys_content_t type.

httpd_sys_rw_content_t

Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.
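As an added example (not part of the bug report or of Satellite's own tooling), a small Python parser for AVC records like the ones quoted above: it groups the denials by (source type, target type, class) into the allow rule that would satisfy them, and separates records carrying permissive=1, which SELinux logs but does not block, from enforced ones. The sample records are constructed from the contexts quoted in the report, plus one constructed permissive=0 record against a directory so that both cases appear.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt modelled on the records quoted in the report (same
# contexts, class and permissions). The final record, with permissive=0 against a
# directory, is added to show how an enforced denial differs from logged-only ones.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1689144658.401:1292): avc:  denied  { getattr } for  pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144658.402:1293): avc:  denied  { read } for  pid=15352 comm="pulpcore-worker" name="repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144658.402:1293): avc:  denied  { open } for  pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144658.402:1294): avc:  denied  { ioctl } for  pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 ioctlcmd=0x5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1689144700.000:1300): avc:  denied  { search } for  pid=15352 comm="pulpcore-worker" name="repodata" dev="dm-0" ino=297905300 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ .*?"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ .*?"
    r"tclass=(?P<tclass>\w+)(?: permissive=(?P<permissive>[01]))?")

def parse_avc(line):
    """Return source type, target type, class, permissions and enforcement of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # permissive=1 means the denial was logged but not blocked (global permissive
    # mode or a permissive domain); permissive=0, or no field at all, means refused.
    return {"stype": m["stype"], "ttype": m["ttype"], "tclass": m["tclass"],
            "perms": set(m["perms"].split()), "enforced": m["permissive"] != "1"}

def summarize(audit_text):
    """Group records by (source, target, class), merging permissions and enforcement."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
            g["perms"] |= rec["perms"]
            g["enforced"] |= rec["enforced"]
    return groups

def allow_rules(groups):
    """Render each group as the minimal allow rule that would silence it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT)
    for rule, g in zip(allow_rules(groups), (g for _, g in sorted(groups.items()))):
        print("ENFORCED   " if g["enforced"] else "logged only", rule)
```

The file rule it derives from the report's four records is exactly the read-only access the report asks for; the constructed directory record shows up as the only enforced one.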

Comment 7 Eric Helms 2024-06-06 16:24:38 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "SAT-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

