
Issue #2436

closed

pulp-selinux RPM fails to run restorecon statements post install

Added by semyers almost 8 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Urgent
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
2.10.3
Platform Release:
2.10.3
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

2.10.3 beta 1, on el6:

$ pulp-admin login -u admin
Enter password: 
An internal error occurred on the Pulp server:

RequestException: POST request
on /pulp/api/v2/actions/login/ failed with 500 - [Errno 13] Permission denied:
'/var/lib/pulp/sn.dat'

Try again with setenforce 0:

$ pulp-admin login -u admin
Enter password: 
Successfully logged in. Session certificate will expire at Nov 29 15:05:25 2016
GMT.

audit.log:

$ sudo grep denied /var/log/audit/audit.log
type=AVC msg=audit(1479827125.043:3712): avc:  denied  { append } for  pid=16693 comm="httpd" name="sn.dat" dev=vda1 ino=784197 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1479827125.043:3713): avc:  denied  { write } for  pid=16693 comm="httpd" name="sn.dat" dev=vda1 ino=784197 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Actions #1

Updated by dkliban@redhat.com almost 8 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes
Actions #2

Updated by dkliban@redhat.com almost 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com
  • Priority changed from High to Urgent
Actions #5

Updated by dkliban@redhat.com almost 8 years ago

I deployed a nightly build of Pulp 2.10.3 on RHEL 6.8 and I was not able to reproduce the issue.

I then tried reproducing on one of our Jenkins nodes. I was not able to reproduce at first. Then after pulp-smash ran, I was able to reproduce.

Interestingly, ``/var/lib/pulp`` had the wrong SELinux security context labels.

[jenkins@host-172-16-46-166 ~]$ ls -laZ /var/lib/pulp/
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0   .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:var_lib_t:s0 0005_puppet_module_name_change.txt
drwxr-xr-x. apache apache unconfined_u:object_r:var_lib_t:s0 content
-rw-r--r--. root   root   unconfined_u:object_r:var_lib_t:s0 db_initialized.flag
-rw-r--r--. apache apache unconfined_u:object_r:var_lib_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0   static
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0   uploads

Running restorecon on /var/lib/pulp/content produces the correct label for that directory.

[jenkins@host-172-16-46-166 ~]$ sudo restorecon /var/lib/pulp/content
[jenkins@host-172-16-46-166 ~]$ ls -laZ /var/lib/pulp/content
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache unconfined_u:object_r:var_lib_t:s0 units

I am still trying to figure out what is causing the change in the labels, but I don't believe that this is a bug with Pulp.

Actions #6

Updated by dkliban@redhat.com almost 8 years ago

  • Status changed from ASSIGNED to CLOSED - NOTABUG

Added by dkliban@redhat.com almost 8 years ago

Revision 44e13b1b | View on GitHub

Fixes relabel.sh to handle empty string being passed in.

The new version comparison mechanism no longer handled an empty string being passed in. As a result none of the restorecon statements were getting run at the end of pulp-selinux installation.

closes #2436 https://pulp.plan.io/issues/2436
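The commit above describes the defect but not the fix, so here is a reconstruction of the pattern as an added example; it is not Pulp's own relabel.sh. It shows a post-install helper whose version comparison treats an empty argument as "no previous version" explicitly, so the restorecon calls still run on a fresh install instead of silently falling through. The calling convention ($1 is the previously installed version), the POLICY_CHANGED_IN marker, the plain dotted-numeric version format and the RESTORECON override are all assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical post-install relabel helper written for this note; it is not
# Pulp's relabel.sh. Assumed convention: $1 is the previously installed
# pulp-selinux version, and an empty/absent $1 means a fresh install.
# The failure on this page was that the empty-string case fell through the
# version comparison, so no restorecon ran and /var/lib/pulp kept var_lib_t.

# Directories the pulp-selinux policy labels (the ones checked in comment 13).
PULP_PATHS="/var/lib/pulp /etc/pki/pulp /etc/pulp"
# Constructed marker: relabel when upgrading from anything older than this.
POLICY_CHANGED_IN="2.10.3"

# version_lt A B: succeed if dotted-numeric version A sorts before B.
# An empty A (no previous version) is treated as older than everything;
# an empty B never sorts after A.
version_lt() {
    a=$1; b=$2
    [ -z "$a" ] && return 0
    [ -z "$b" ] && return 1
    [ "$a" = "$b" ] && return 1
    first=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$a" ]
}

# needs_relabel PREV: fresh install, or upgrade from before the policy change.
needs_relabel() {
    prev=$1
    [ -z "$prev" ] && return 0     # explicit: empty must not fall through
    version_lt "$prev" "$POLICY_CHANGED_IN"
}

# run_relabel PREV: run restorecon -R over PULP_PATHS when needed and print the
# number of paths relabeled. $RESTORECON overrides the command (for example
# "true" for a dry run), which is how the self-check exercises it.
run_relabel() {
    prev=$1
    n=0
    if needs_relabel "$prev"; then
        for p in $PULP_PATHS; do
            "${RESTORECON:-restorecon}" -R "$p" || return 1
            n=$((n + 1))
        done
    fi
    echo "$n"
}

# Only act when executed as relabel.sh (e.g. from the RPM %post scriptlet);
# sourcing the file just defines the functions.
if [ "${0##*/}" = "relabel.sh" ]; then
    count=$(run_relabel "$1") || { echo "restorecon failed" >&2; exit 1; }
    echo "relabeled $count path(s)"
fi
```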

Actions #7

Updated by dkliban@redhat.com almost 8 years ago

  • Subject changed from SELinux denial prevents user login to pulp-selinux RPM fails to run restorecon statements post install
  • Status changed from CLOSED - NOTABUG to ASSIGNED
Actions #8

Updated by dkliban@redhat.com almost 8 years ago

  • Status changed from ASSIGNED to POST
Actions #9

Updated by dkliban@redhat.com almost 8 years ago

  • Status changed from POST to MODIFIED
Actions #11

Updated by semyers almost 8 years ago

  • Platform Release set to 2.10.3
Actions #12

Updated by semyers almost 8 years ago

  • Status changed from MODIFIED to 5
Actions #13

Updated by dkliban@redhat.com almost 8 years ago

This issue can be verified by installing Pulp on EL6 and EL7 and examining the filesystem. This should NOT be an upgrade, but a clean install of Pulp.

Verify that the /var/lib/pulp/content and /var/lib/pulp/published have the same security context label as below.

# ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static

Verify that /etc/pki/pulp/content has the same security context label as below.

# ls -laZ /etc/pki/pulp
drwxr-xr-x. root   root   system_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:cert_t:s0      ..
-rw-r-----  root   apache ?                                ca.crt
-rw-r-----  root   apache ?                                ca.key
drwxr-xr-x  root   root   ?                                consumer
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 content
-rw-r-----  root   apache ?                                rsa.key
-rw-r--r--  root   apache ?                                rsa_pub.key

Verify that the `/etc/pulp/content` directory has the same label as below.

# ls -laZ /etc/pulp/
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root   system_u:object_r:etc_t:s0       ..
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 admin
drwxr-xr-x  root root   ?                                agent
drwxr-xr-x  root root   ?                                consumer
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 content
-rw-r--r--  root root   ?                                repo_auth.conf
drwxr-xr-x  root root   ?                                server
-rw-r-----  root apache ?                                server.conf
drwxr-xr-x  root root   ?                                vhosts80
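The verification steps above compare full contexts, but later comments show the SELinux user part varying (system_u vs unconfined_u) depending on how restorecon was invoked, while the type is what the policy enforces. As an added example, not part of the issue, this checker compares the type field only, treats the `?` seen in the listings as "no label", and runs offline against a constructed sample built from the listings in comments 5 and 17; `live_context` (which assumes the `ls -ldZ` column layout shown on this page) is the drop-in lookup for a real host.

```shell
#!/bin/sh
# Added example (not from the issue): check Pulp's SELinux labels by type only.
# A context is user:role:type:level; the user differs between system_u and
# unconfined_u depending on who ran restorecon, so only the type is compared.

# context_type CTX: print the type field of a context; "?" (no label) stays "?".
context_type() {
    case $1 in
        '?'|'') echo '?' ;;
        *) printf '%s\n' "$1" | cut -d: -f3 ;;
    esac
}

# check_label CTX EXPECTED_TYPE: succeed if CTX carries EXPECTED_TYPE.
check_label() {
    [ "$(context_type "$1")" = "$2" ]
}

# Paths and types the verification steps in comment 13 (and 14) call for.
EXPECTED="/var/lib/pulp/content httpd_sys_rw_content_t
/var/lib/pulp/published httpd_sys_rw_content_t
/var/lib/pulp/uploads httpd_sys_rw_content_t
/etc/pki/pulp/content pulp_cert_t
/etc/pulp/content httpd_sys_content_t"

# Constructed sample taken from the listings in comments 5 and 17, so the
# check runs without an SELinux host. uploads keeps the pre-fix var_lib_t.
sample_context() {
    case $1 in
        /var/lib/pulp/content)   echo unconfined_u:object_r:httpd_sys_rw_content_t:s0 ;;
        /var/lib/pulp/published) echo system_u:object_r:httpd_sys_rw_content_t:s0 ;;
        /var/lib/pulp/uploads)   echo system_u:object_r:var_lib_t:s0 ;;
        /etc/pki/pulp/content)   echo system_u:object_r:pulp_cert_t:s0 ;;
        /etc/pulp/content)       echo system_u:object_r:httpd_sys_content_t:s0 ;;
        *)                       echo '?' ;;
    esac
}

# live_context PATH: real lookup; the context is the 4th column of ls -ldZ
# on EL6/EL7 as shown in this issue.
live_context() { ls -ldZ "$1" | awk '{print $4}'; }

# verify_labels LOOKUP: LOOKUP is a function or command printing a path's
# context. Prints "OK path" or "MISMATCH path got want" per expected path.
verify_labels() {
    lookup=$1
    printf '%s\n' "$EXPECTED" | while read -r path want; do
        ctx=$("$lookup" "$path")
        if check_label "$ctx" "$want"; then
            echo "OK $path"
        else
            echo "MISMATCH $path $(context_type "$ctx") $want"
        fi
    done
}
```

On a real host, `verify_labels live_context` runs the same check against the filesystem.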
Actions #14

Updated by pthomas@redhat.com almost 8 years ago

Verified

# ls -laZ /var/lib/pulp/
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads

# ls -laZ /etc/pki/pulp
drwxr-xr-x. root   root   system_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:cert_t:s0      ..
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 ca.crt
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 ca.key
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 content
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa.key
-rw-r--r--. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa_pub.key

# ls -laZ /etc/pulp/
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root   system_u:object_r:etc_t:s0       ..
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 admin
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 content
-rw-r--r--. root root   system_u:object_r:httpd_sys_content_t:s0 repo_auth.conf
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 server
-rw-r-----. root apache system_u:object_r:httpd_sys_content_t:s0 server.conf
-rw-r--r--. root root   system_u:object_r:httpd_sys_content_t:s0 streamer.conf
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 vhosts80

on el7

# ls -laZ /var/lib/pulp
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_lib_t:s0   ..
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 0005_puppet_module_name_change.txt
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 content
-rw-r--r--. root   root   unconfined_u:object_r:httpd_sys_rw_content_t:s0 db_initialized.flag
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 published
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 sn.dat
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 static
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads
[root@yttrium ~]# ls -laZ /etc/pki/pulp
drwxr-xr-x. root   root   system_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:cert_t:s0      ..
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 ca.crt
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 ca.key
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 content
-rw-r-----. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa.key
-rw-r--r--. root   apache unconfined_u:object_r:pulp_cert_t:s0 rsa_pub.key

#  ls -laZ /etc/pulp/
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root   system_u:object_r:etc_t:s0       ..
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 admin
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 content
-rw-r--r--. root root   system_u:object_r:httpd_sys_content_t:s0 repo_auth.conf
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 server
-rw-r-----. root apache system_u:object_r:httpd_sys_content_t:s0 server.conf
-rw-r--r--. root root   system_u:object_r:httpd_sys_content_t:s0 streamer.conf
drwxr-xr-x. root root   system_u:object_r:httpd_sys_content_t:s0 vhosts80
Actions #15

Updated by pthomas@redhat.com almost 8 years ago

  • Status changed from 5 to 6
Actions #16

Updated by semyers almost 8 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
Actions #17

Updated by Ichimonji10 almost 8 years ago

This issue may not be fixed, according to the verification procedure outlined in https://pulp.plan.io/issues/2436#note-13.

To test this issue, I provisioned two RHEL 6.8 and two RHEL 7.3 systems, and installed Pulp 2.10.3 and 2.11.1 on them, respectively. I then checked the SELinux contexts of the directories named in comment 13. Here are the results:

[root@rhel-6-8-pulp-2-10 ~]# ls -ladZ /var/lib/pulp/content /var/lib/pulp/published /etc/pki/pulp/content /etc/pulp/content/ | column -t
drwxr-xr-x.  apache  apache  system_u:object_r:pulp_cert_t:s0                 /etc/pki/pulp/content
drwxr-xr-x.  root    root    system_u:object_r:httpd_sys_content_t:s0         /etc/pulp/content/
drwxr-xr-x.  apache  apache  unconfined_u:object_r:httpd_sys_rw_content_t:s0  /var/lib/pulp/content
drwxr-xr-x.  apache  apache  system_u:object_r:httpd_sys_rw_content_t:s0      /var/lib/pulp/published

[root@rhel-6-8-pulp-2-11 ~]# ls -ladZ /var/lib/pulp/content /var/lib/pulp/published /etc/pki/pulp/content /etc/pulp/content/ | column -t
drwxr-xr-x.  apache  apache  system_u:object_r:pulp_cert_t:s0                 /etc/pki/pulp/content
drwxr-xr-x.  root    root    system_u:object_r:httpd_sys_content_t:s0         /etc/pulp/content/
drwxr-xr-x.  apache  apache  unconfined_u:object_r:httpd_sys_rw_content_t:s0  /var/lib/pulp/content
drwxr-xr-x.  apache  apache  system_u:object_r:httpd_sys_rw_content_t:s0      /var/lib/pulp/published

[root@rhel-7-3-pulp-2-10 ~]# ls -ladZ /var/lib/pulp/content /var/lib/pulp/published /etc/pki/pulp/content /etc/pulp/content/ | column -t
drwxr-xr-x.  apache  apache  system_u:object_r:pulp_cert_t:s0             /etc/pki/pulp/content
drwxr-xr-x.  root    root    system_u:object_r:httpd_sys_content_t:s0     /etc/pulp/content/
drwxr-xr-x.  apache  apache  system_u:object_r:httpd_sys_rw_content_t:s0  /var/lib/pulp/content
drwxr-xr-x.  apache  apache  system_u:object_r:httpd_sys_rw_content_t:s0  /var/lib/pulp/published

[root@rhel-7-3-pulp-2-11 ~]# ls -ladZ /var/lib/pulp/content /var/lib/pulp/published /etc/pki/pulp/content /etc/pulp/content/ | column -t
drwxr-xr-x.  apache  apache  system_u:object_r:pulp_cert_t:s0             /etc/pki/pulp/content
drwxr-xr-x.  root    root    system_u:object_r:httpd_sys_content_t:s0     /etc/pulp/content/
drwxr-xr-x.  apache  apache  system_u:object_r:httpd_sys_rw_content_t:s0  /var/lib/pulp/content
drwxr-xr-x.  apache  apache  system_u:object_r:httpd_sys_rw_content_t:s0  /var/lib/pulp/published

As you can see, the SELinux context of the /var/lib/pulp/content is unconfined_u:object_r:httpd_sys_rw_content_t:s0 on the RHEL 6.8 systems. This issue is also present in https://pulp.plan.io/issues/2436#note-14, so maybe I'm missing something here.

To install Pulp, I used the Ansible playbook ci/ansible/pulp_server.yaml in pulp_packaging. I made no modifications to the repository, and made sure to use the current version of the repository. Here are the packages installed on the RHEL 6.8 systems.

[root@rhel-6-8-pulp-2-10 ~]# rpm -qa | sort | grep -i pulp
mod_wsgi-3.4-2.pulp.el6.x86_64
pulp-admin-client-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.26.f664334.el6.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.26.f664334.el6.noarch
pulp-puppet-admin-extensions-2.10.3-0.1.alpha.git.13.c54e53f.el6.noarch
pulp-puppet-plugins-2.10.3-0.1.alpha.git.13.c54e53f.el6.noarch
pulp-python-admin-extensions-1.1.4-0.1.alpha.git.29.a0031b4.el6.noarch
pulp-python-plugins-1.1.4-0.1.alpha.git.29.a0031b4.el6.noarch
pulp-rpm-admin-extensions-2.10.3-0.1.alpha.git.1.e37466b.el6.noarch
pulp-rpm-plugins-2.10.3-0.1.alpha.git.1.e37466b.el6.noarch
pulp-selinux-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
pulp-server-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
python-isodate-0.5.0-4.pulp.el6.noarch
python-kombu-3.0.33-6.pulp.el6.noarch
python-pulp-bindings-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
python-pulp-client-lib-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
python-pulp-common-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.26.f664334.el6.noarch
python-pulp-oid_validation-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
python-pulp-puppet-common-2.10.3-0.1.alpha.git.13.c54e53f.el6.noarch
python-pulp-python-common-1.1.4-0.1.alpha.git.29.a0031b4.el6.noarch
python-pulp-repoauth-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch
python-pulp-rpm-common-2.10.3-0.1.alpha.git.1.e37466b.el6.noarch
python-pulp-streamer-2.10.3-0.1.alpha.git.1.b01c369.el6.noarch

[root@rhel-6-8-pulp-2-11 ~]# rpm -qa | sort | grep -i pulp
mod_wsgi-3.4-2.pulp.el6.x86_64
pulp-admin-client-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
pulp-docker-admin-extensions-2.2.1-0.1.alpha.git.8.5c0b281.el6.noarch
pulp-docker-plugins-2.2.1-0.1.alpha.git.8.5c0b281.el6.noarch
pulp-puppet-admin-extensions-2.11.1-0.1.alpha.git.1.47c8665.el6.noarch
pulp-puppet-plugins-2.11.1-0.1.alpha.git.1.47c8665.el6.noarch
pulp-python-admin-extensions-1.1.3-1.el6.noarch
pulp-python-plugins-1.1.3-1.el6.noarch
pulp-rpm-admin-extensions-2.11.1-0.1.alpha.git.1.49579ab.el6.noarch
pulp-rpm-plugins-2.11.1-0.1.alpha.git.1.49579ab.el6.noarch
pulp-selinux-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
pulp-server-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
python-isodate-0.5.0-4.pulp.el6.noarch
python-kombu-3.0.33-6.pulp.el6.noarch
python-pulp-bindings-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
python-pulp-client-lib-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
python-pulp-common-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
python-pulp-docker-common-2.2.1-0.1.alpha.git.8.5c0b281.el6.noarch
python-pulp-oid_validation-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
python-pulp-puppet-common-2.11.1-0.1.alpha.git.1.47c8665.el6.noarch
python-pulp-python-common-1.1.3-1.el6.noarch
python-pulp-repoauth-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
python-pulp-rpm-common-2.11.1-0.1.alpha.git.1.49579ab.el6.noarch
python-pulp-streamer-2.11.1-0.1.alpha.git.4.de08a31.el6.noarch
Actions #18

Updated by dkliban@redhat.com almost 8 years ago

A similar inconsistency occurs for processes that are started at boot time vs. manually started. That inconsistency on RHEL 6.8 is described in Chapter 9, SELinux systemd Access Control: http://red.ht/2h3pspr

I am going to see if the same thing is happening here. Comment 13 was generated using examples from a machine that had restorecon run by me manually. I will investigate whether it makes a difference if restorecon is called during an rpm install.

Actions #19

Updated by Ichimonji10 almost 8 years ago

> Comment 13 was generated using examples from a machine that had restorecon run by me manually. I will investigate whether it makes a difference if restorecon is called during an rpm install.

That may make a difference. I've let restorecon be run by the installer, and have not run it manually.

Actions #22

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
