Bug 784280 - SELinux denials during system cli test
Summary: SELinux denials during system cli test
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Packaging
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Sachin Ghai
URL:
Whiteboard:
Depends On:
Blocks: katello-blockers
Reported: 2012-01-24 13:10 UTC by Lukas Zapletal
Modified: 2019-09-26 17:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:22:28 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 786097 0 low CLOSED Createrepo when run from httpd logs several AVC denials 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 796167 0 unspecified CLOSED AVC denial issues with var/lib/rpm and rpm 2021-02-22 00:41:40 UTC

Internal Links: 786097 796167

Description Lukas Zapletal 2012-01-24 13:10:23 UTC
type=AVC msg=audit(1327401093.293:28): avc:  denied  { write } for  pid=1010 comm="restorecon" path="/root/install-katello.log" dev=vda2 ino=20230 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1327401600.821:122): avc:  denied  { read write } for  pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327401600.960:123): avc:  denied  { getattr } for  pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327401602.251:126): avc:  denied  { write } for  pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327401702.841:207): avc:  denied  { read write } for  pid=4365 comm="httpd" path="/tmp/puppet20120124-1864-hd20kh-0" dev=vda2 ino=22193 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1327402217.468:236): avc:  denied  { read } for  pid=4920 comm="consoletype" path="/var/log/katello/thin-log.5000.log" dev=vda2 ino=155583 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:httpd_katello_script_log_t:s0 tclass=file
type=AVC msg=audit(1327409431.774:305): avc:  denied  { read } for  pid=26704 comm="consoletype" path="/var/log/katello/thin-log.5000.log" dev=vda2 ino=155583 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:httpd_katello_script_log_t:s0 tclass=file
type=AVC msg=audit(1327409466.077:313): avc:  denied  { read } for  pid=27259 comm="consoletype" path="/var/log/katello/thin-log.5000.log" dev=vda2 ino=155583 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:object_r:httpd_katello_script_log_t:s0 tclass=file

Comment 2 Garik Khachikyan 2012-01-27 10:44:36 UTC
more denials on generating package metadata:
---
type=AVC msg=audit(1327660258.845:157981): avc:  denied  { search } for  pid=13209 comm="genpkgmetadata." name="rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660258.852:157982): avc:  denied  { getattr } for  pid=13209 comm="genpkgmetadata." path="/var/lib/rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660258.853:157983): avc:  denied  { open } for  pid=13209 comm="genpkgmetadata." name="Packages" dev=dm-0 ino=22413353 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1327660401.732:158334): avc:  denied  { open } for  pid=16251 comm="genpkgmetadata." name="Packages" dev=dm-0 ino=22413353 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1327660454.748:158447): avc:  denied  { search } for  pid=17593 comm="genpkgmetadata." name="rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1327660454.749:158448): avc:  denied  { getattr } for  pid=17593 comm="genpkgmetadata." path="/var/lib/rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir

---

Comment 3 Garik Khachikyan 2012-01-27 11:07:34 UTC
reproducer: make a repo sync (like: http://repos.fedorapeople.org/repos/pulp/pulp/6Server/x86_64/)

Comment 4 John Matthews 2012-01-27 13:16:25 UTC
Would you paste the file contexts on this directory: /var/lib/pulp?


We want to see something like:

$ ls -Z /var/lib/pulp/
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 distributions
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 files
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxrwsrwx. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 meliae
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxrwsr-t+ apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-sr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 repos
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 uploads


All the files under /var/log/pulp should be labeled with "httpd_sys_rw_content_t"

Comment 5 Garik Khachikyan 2012-01-27 13:22:10 UTC
dump is:
---
ls -Z /var/lib/pulp/
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 distributions
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 repos
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
---

Comment 6 John Matthews 2012-01-27 20:53:36 UTC
This is my understanding of the issue:
1) When running createrepo we are seeing some AVCs.
2) Functionality is working as expected.
3) The AVC looks to be related to interaction with the rpm database, most likely an initialization of a class in createrepo.

I see this AVC on el6, I have not seen it on Fedora-14.

I am not aware of any loss of functionality.

Comment 7 Lukas Zapletal 2012-01-29 17:44:56 UTC
@John - Correct me if I am wrong, so we are fine. When we put Katello to "enforcing" nothing bad happens in this case. Sounds good.

Comment 8 John Matthews 2012-01-30 13:22:33 UTC
Lukas,

Yes, I think we will be OK with "enforcing" enabled.  I've tested on an el6 guest, had SELinux enforcing enabled.  I saw the AVC about denying access to /var/lib/rpm/Packages but the repo metadata was successfully generated.

Still looking into how to clean this up so the AVC doesn't happen in the first place.

Comment 10 John Matthews 2012-01-31 13:09:42 UTC
Our plan is:
 
Short term fix:  Added a dontaudit rule to Pulp's SELinux policy to silence the AVCs.
Commit: http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=4af7ef2d65cf6e3d194565e6d7d12f95d1c5a1af

Long term fix: Code change in createrepo to avoid the denials.
We've filed bug 786097 to track the change request on createrepo.
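
As an added example (not part of this bug, Pulp's policy or createrepo), the following Python groups AVC records of the kind quoted in the description and comment 2 by source type, target type and object class, and renders the TE rule that audit2allow would derive from them. The input records are copied from this bug; the "dontaudit" form is the short-term fix from comment 10, which only stops the denial being logged and does not grant the access.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (three from comment 2, one from the description).
AVC_LINES = [
    'type=AVC msg=audit(1327660258.845:157981): avc:  denied  { search } for  pid=13209 comm="genpkgmetadata." name="rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1327660258.852:157982): avc:  denied  { getattr } for  pid=13209 comm="genpkgmetadata." path="/var/lib/rpm" dev=dm-0 ino=22151171 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir',
    'type=AVC msg=audit(1327660258.853:157983): avc:  denied  { open } for  pid=13209 comm="genpkgmetadata." name="Packages" dev=dm-0 ino=22413353 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1327401600.821:122): avc:  denied  { read write } for  pid=2953 comm="initdb" path="/tmp/puppet20120124-1864-13duftz-0" dev=vda2 ino=22084 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file',
]

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the decoded fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # An SELinux context is user:role:type:level; the type is what policy rules are written against.
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def aggregate(lines):
    """Union the denied permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            rules[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    return dict(rules)

def te_rules(rules, kind='allow'):
    """Render TE rules. 'dontaudit' silences the denial only; 'allow' really grants the access."""
    if kind not in ('allow', 'dontaudit'):
        raise ValueError(kind)
    return [f"{kind} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

if __name__ == '__main__':
    for rule in te_rules(aggregate(AVC_LINES), 'dontaudit'):
        print(rule)
```

Before adopting a generated rule, check whether a relabel (restorecon) or a boolean would remove the denial instead; an "allow" derived from AVCs widens the domain exactly as far as the logged accesses went.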

Comment 11 Lukas Zapletal 2012-02-03 09:54:32 UTC
Many thanks John!

I am setting Katello to Enforcing now.

Comment 12 Sachin Ghai 2012-03-19 08:43:10 UTC
Verified with the following CFSE build.

[root@perceptor ~]# rpm -qa | grep -ie katello-0 -ie katello-cli
katello-0.1.304-1.el6.noarch
katello-cli-common-0.1.105-1.el6.noarch
katello-cli-0.1.105-1.el6.noarch


No avc denial messages while creating/syncing repo:
=========================================


katello> repo create --name pulp_64 --org ACME_Corporation --product pulp --url http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/6Server/x86_64/
Successfully created repository [ pulp_64 ]

katello> repo synchronize --name pulp_64 --org ACME_Corporation --product pulp
Repo [ pulp_64 ] synced                                               
katello> exit
[root@perceptor ~]# cat /var/log/audit/audit.log | grep avc*
[root@perceptor ~]# cat /var/log/audit/audit.log | grep avc
[root@perceptor ~]# getenforce 
Enforcing
[root@perceptor ~]# 


[root@perceptor ~]# ls -Z /var/lib/pulp/
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cache
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 distributions
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 init.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 packages
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 plugins
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 repos
[root@perceptor ~]#

Comment 13 Sachin Ghai 2012-03-19 08:45:58 UTC
Promoted the product to the next env and didn't see any avc denial messages:

katello> changeset create --org ACME_Corporation --name pulpy --env dev
Successfully created changeset [ pulpy ] for environment [ dev ]

katello> changeset update --name pulpy --org ACME_Corporation --env dev --add_product pulp
Successfully updated changeset [ pulpy ]

katello> changeset promote --name pulpy --org ACME_Corporation --env dev 
Changeset [ pulpy ] promoted   
katello> exit
[root@perceptor ~]# cat /var/log/audit/audit.log | grep avc
[root@perceptor ~]# getenforce 
Enforcing
[root@perceptor ~]# 


Keeping it still on_qa to perform a few more tests. Will move to verified if everything goes well.

Comment 14 Sachin Ghai 2012-03-20 12:58:26 UTC
Performed more tests via cli on CFSE build (katello-0.1.304-1.el6.noarch), no avc denials found, so moving this to verified.

