Issue #2508

/var/lib/pulp/static/rsa_pub.key has incorrect SELinux label

Added by Ichimonji10 almost 5 years ago. Updated over 2 years ago.

Status: CLOSED - WONTFIX
Priority: Low
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

/var/lib/pulp/static/rsa_pub.key should have a label of system_u:object_r:httpd_sys_rw_content_t:s0. See pulp/pulp-server.fc. Instead, /var/lib/pulp/static/rsa_pub.key has a context of unconfined_u:object_r:pulp_cert_t:s0. To demonstrate the issue:

[root@fedora-24-pulp-2-11 ~]# getfattr --name=security.selinux /var/lib/pulp/static/rsa_pub.key
getfattr: Removing leading '/' from absolute path names
# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"

[root@fedora-24-pulp-2-11 ~]# restorecon /var/lib/pulp/static/rsa_pub.key
[root@fedora-24-pulp-2-11 ~]# getfattr --name=security.selinux /var/lib/pulp/static/rsa_pub.key
getfattr: Removing leading '/' from absolute path names
# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"

It's unclear whether /var/lib/pulp/static/rsa_pub.key should exist. See Pulp #2160.

Reproduced on Pulp 2.11 and 2.12 on Fedora 24, RHEL 6.8 and RHEL 7.3. All systems have been installed with pulp_packaging. Sample packages from the Fedora 24 system:

[root@fedora-24-pulp-2-11 ~]# rpm -qa | grep -i pulp | sort
pulp-admin-client-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
pulp-docker-admin-extensions-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
pulp-docker-plugins-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
pulp-ostree-admin-extensions-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
pulp-ostree-plugins-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
pulp-puppet-admin-extensions-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
pulp-puppet-plugins-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
pulp-rpm-admin-extensions-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
pulp-rpm-plugins-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
pulp-selinux-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
pulp-server-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-client-lib-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-common-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-docker-common-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
python-pulp-oid_validation-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-ostree-common-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
python-pulp-puppet-common-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-repoauth-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-rpm-common-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
python-pulp-streamer-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch

History

#2 Updated by bmbouter almost 5 years ago

Production installations of Pulp symlink /var/lib/pulp/static/rsa_pub.key -> /etc/pki/pulp/rsa_pub.key. That occurs with this line in the spec file[0].

The SELinux policy filesystem can't apply 2 labels to 1 file, but rules 1 and 6 in the policy[1] specify a different label for each of these files. I think we want the file itself to have the pulp_cert_t label and the symlink to have the httpd label. I believe selinux supports this, but I'm not exactly sure how to incorporate this into our policy specification.

Note that I think it is clear that /var/lib/pulp/static/rsa_pub.key should exist. The spec file creates it at install time. The key discussed in #2160 is at a different path so that is a different key.

[0]: https://github.com/pulp/pulp/blob/master/pulp.spec#L493
[1]: https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.fc
[2]: http://serverfault.com/questions/177061/how-do-i-assign-an-selinux-label-to-a-symlink-with-semanage-so-it-persists-after#177064

#3 Updated by bmbouter almost 5 years ago

After some discussion in #selinux on Freenode, I've learned that our .fc file could contain rules in the form of pathname [file_type] context. So for example:

/var/lib/pulp/(/.*)? -l system_u:system_r:pulp_

See `man file_contexts` for more info on that.

Another option would be for us to reorder the statements, since there is a known approach[0] for selinux to determine which one will win. I think adding a very specific rule to handle this bug would probably be the easiest.

[0]: https://fedoraproject.org/wiki/SELinux/ManagingFileContext
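The two mechanisms discussed in this thread (a file_type qualifier such as -l that restricts a file_contexts entry to symlinks, and entry ordering deciding which of several matching entries wins) can be modelled in a few lines. The following is an added example, not code from Pulp or from libselinux: it parses entries of the form pathname_regexp [file_type] context, resolves a path for a given object type, and lints the contexts. The rules it embeds are constructed for illustration and are not the contents of pulp-server.fc. Two simplifications are assumed: the resolver applies plain last-match-wins in file order (libselinux additionally sorts entries by specificity before doing so), and the lint only checks that a file context has at least four fields and uses the object_r role, which is the role every filesystem object carries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# file_type qualifiers from file_contexts(5): -b block device, -c character
# device, -d directory, -p named pipe, -l symbolic link, -s socket, -- regular file.
FILE_TYPE_FLAGS = {"-b", "-c", "-d", "-p", "-l", "-s", "--"}


@dataclass(frozen=True)
class FcRule:
    pattern: str              # regex matched against the whole pathname
    file_type: Optional[str]  # one of FILE_TYPE_FLAGS, or None for "any object type"
    context: str              # user:role:type:level, or <<none>>


def parse_file_contexts(text: str) -> List[FcRule]:
    """Parse file_contexts-style lines: pathname_regexp [file_type] context."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3 and parts[1] in FILE_TYPE_FLAGS:
            rules.append(FcRule(parts[0], parts[1], parts[2]))
        elif len(parts) == 2:
            rules.append(FcRule(parts[0], None, parts[1]))
        else:
            raise ValueError(f"malformed file_contexts entry: {raw!r}")
    return rules


def resolve_context(rules: List[FcRule], path: str, file_type: str = "--") -> Optional[str]:
    """Context assigned to `path` for an object of kind `file_type`.

    An entry applies when its regex matches the whole pathname and its
    file_type qualifier is absent or equal to the object's kind. Among the
    applying entries the last one in file order wins (simplified model; the
    real resolver also orders entries by specificity first).
    """
    winner = None
    for rule in rules:
        if rule.file_type is not None and rule.file_type != file_type:
            continue
        if re.fullmatch(rule.pattern, path):
            winner = rule
    return winner.context if winner else None


def lint_rules(rules: List[FcRule]) -> List[str]:
    """Flag contexts that cannot label a filesystem object: fewer than four
    colon-separated fields, or a role other than object_r."""
    problems = []
    for rule in rules:
        if rule.context == "<<none>>":
            continue
        fields = rule.context.split(":")
        if len(fields) < 4:
            problems.append(f"{rule.pattern}: context {rule.context!r} has fewer than 4 fields")
        elif fields[1] != "object_r":
            problems.append(f"{rule.pattern}: role {fields[1]!r} should be object_r for file objects")
    return problems


# Constructed entries for illustration only; not the real pulp-server.fc.
EXAMPLE_FC = r"""
/etc/pki/pulp(/.*)?                   system_u:object_r:pulp_cert_t:s0
/var/lib/pulp(/.*)?                   system_u:object_r:httpd_sys_rw_content_t:s0
# Specific entries for the key: a symlink at this path keeps the httpd label,
# while a regular file placed there is labelled as certificate data.
/var/lib/pulp/static/rsa_pub\.key -l  system_u:object_r:httpd_sys_rw_content_t:s0
/var/lib/pulp/static/rsa_pub\.key --  system_u:object_r:pulp_cert_t:s0
"""
RULES = parse_file_contexts(EXAMPLE_FC)

if __name__ == "__main__":
    key = "/var/lib/pulp/static/rsa_pub.key"
    print("symlink at", key, "->", resolve_context(RULES, key, "-l"))
    print("regular file at", key, "->", resolve_context(RULES, key, "--"))
    print("target /etc/pki/pulp/rsa_pub.key ->",
          resolve_context(RULES, "/etc/pki/pulp/rsa_pub.key", "--"))
    # A context with the wrong role is caught before it reaches the policy.
    print(lint_rules(parse_file_contexts("/x -l system_u:system_r:foo_t:s0")))
```

The same path resolves to different contexts depending on whether the object there is a symlink or a regular file, which is the distinction the -l qualifier buys. When checking the result on a live system, note that getfattr follows symlinks unless told not to, so the label printed for a symlink path is the target's label, not the link's.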

#4 Updated by bizhang almost 5 years ago

  • Priority changed from Normal to Low
  • Severity changed from 2. Medium to 1. Low
  • Triaged changed from No to Yes

#5 Updated by bmbouter over 2 years ago

  • Status changed from NEW to CLOSED - WONTFIX

#6 Updated by bmbouter over 2 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#7 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
