Issue #2508 (closed): /var/lib/pulp/static/rsa_pub.key has incorrect SELinux label
Description
/var/lib/pulp/static/rsa_pub.key should have a label of system_u:object_r:httpd_sys_rw_content_t:s0. See pulp/pulp-server.fc. Instead, /var/lib/pulp/static/rsa_pub.key has a context of unconfined_u:object_r:pulp_cert_t:s0. To demonstrate the issue:
[root@fedora-24-pulp-2-11 ~]# getfattr --name=security.selinux /var/lib/pulp/static/rsa_pub.key
getfattr: Removing leading '/' from absolute path names
# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"
[root@fedora-24-pulp-2-11 ~]# restorecon /var/lib/pulp/static/rsa_pub.key
[root@fedora-24-pulp-2-11 ~]# getfattr --name=security.selinux /var/lib/pulp/static/rsa_pub.key
getfattr: Removing leading '/' from absolute path names
# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"
It's unclear whether /var/lib/pulp/static/rsa_pub.key should exist. See Pulp #2160.
Reproduced on Pulp 2.11 and 2.12 on Fedora 24, RHEL 6.8 and RHEL 7.3. All systems have been installed with pulp_packaging. Sample packages from the Fedora 24 system:
[root@fedora-24-pulp-2-11 ~]# rpm -qa | grep -i pulp | sort
pulp-admin-client-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
pulp-docker-admin-extensions-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
pulp-docker-plugins-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
pulp-ostree-admin-extensions-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
pulp-ostree-plugins-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
pulp-puppet-admin-extensions-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
pulp-puppet-plugins-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
pulp-rpm-admin-extensions-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
pulp-rpm-plugins-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
pulp-selinux-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
pulp-server-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-client-lib-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-common-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-docker-common-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
python-pulp-oid_validation-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-ostree-common-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
python-pulp-puppet-common-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-repoauth-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-rpm-common-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
python-pulp-streamer-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
Updated by Ichimonji10 almost 7 years ago
Updated by bmbouter almost 7 years ago
Production installations of Pulp symlink /var/lib/pulp/static/rsa_pub.key -> /etc/pki/pulp/rsa_pub.key. That occurs with this line in the spec file[0].
The SELinux policy filesystem can't apply 2 labels to 1 file, but rules 1 and 6 in the policy[1] specify a different label for each of these files. I think we want the file itself to have the pulp_cert_t label and the symlink to have the httpd label. I believe selinux supports this, but I'm not exactly sure how to incorporate this into our policy specification.
Note that I think it is clear that /var/lib/pulp/static/rsa_pub.key should exist. The spec file creates it at install time. The key discussed in #2160 is at a different path, so that is a different key.
[0]: https://github.com/pulp/pulp/blob/master/pulp.spec#L493
[1]: https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.fc
[2]: http://serverfault.com/questions/177061/how-do-i-assign-an-selinux-label-to-a-symlink-with-semanage-so-it-persists-after#177064
Updated by bmbouter almost 7 years ago
After some discussion in #selinux on Freenode, I've learned that our .fc file could contain rules in the form of pathname [file_type] context. So for example:
/var/lib/pulp/(/.*)? -l system_u:system_r:pulp_
see `man file_contexts` for more info on that.
Another option would be for us to reorder the statements, since there is a known approach[0] for selinux to determine which one will win. I think adding a very specific rule to handle this bug would probably be the easiest.
[0]: https://fedoraproject.org/wiki/SELinux/ManagingFileContext
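Added example (an editor's illustration, not code from Pulp or libselinux): a small Python model of how a file_contexts lookup treats the `pathname [file_type] context` entries discussed in the two comments above. It follows the documented libselinux behaviour that when several entries match a path the last one in the file wins, and that an entry carrying a file_type flag such as `-l` only applies to an inode of that type, so a `-l` entry can give the symlink one label while the regular file it points to, or a regular file dropped at the same path, gets another. The rules in SAMPLE_FC and REORDERED_FC are constructed for this issue and are not the contents of pulp-server.fc; only the two context strings come from the report. The model scans entries in the order given; a real policy build (libsemanage's fc_sort) first sorts entries by specificity, so the order in a source .fc is not necessarily the order in the compiled file_contexts.

```python
"""Toy model of a file_contexts lookup (illustration only, not libselinux).

Assumptions: entries are `pathname [file_type] context` as in file_contexts(5),
regexes are anchored at both ends as libselinux does, and resolution is
"last matching entry wins".  The sample rules below are constructed for this
issue and are NOT copied from pulp-server.fc.
"""
import re
import stat
from dataclasses import dataclass
from typing import Optional

# file_type flags from file_contexts(5), mapped to the stat(2) S_IF* type bits.
FILE_TYPE_FLAGS = {
    "--": stat.S_IFREG,   # regular file
    "-d": stat.S_IFDIR,   # directory
    "-l": stat.S_IFLNK,   # symbolic link (the inode of the link itself)
    "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK,
    "-s": stat.S_IFSOCK,
    "-p": stat.S_IFIFO,
}


@dataclass(frozen=True)
class FcEntry:
    regex: re.Pattern
    file_type: Optional[int]   # None means "any inode type"
    context: str


def parse_fc(text: str) -> list:
    """Parse `pathname [file_type] context` lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            if flag not in FILE_TYPE_FLAGS:
                raise ValueError(f"unknown file_type {flag!r}: {raw}")
            ftype = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed entry: {raw}")
        # libselinux anchors every regex at both ends; fullmatch does the same.
        entries.append(FcEntry(re.compile(pattern), ftype, context))
    return entries


def lookup(entries, path: str, mode: int) -> Optional[str]:
    """Context for `path` whose inode type is `mode` (an S_IF* value), or None.

    Scans from the last entry backwards and returns the first hit, i.e. the
    "last matching entry wins" rule.  An entry with a file_type flag is skipped
    unless the inode type matches, so a `-l` rule never labels a regular file
    at the same path.  `<<none>>` means "leave unlabeled".
    """
    fmt = stat.S_IFMT(mode)
    for entry in reversed(entries):
        if entry.file_type is not None and entry.file_type != fmt:
            continue
        if entry.regex.fullmatch(path):
            return None if entry.context == "<<none>>" else entry.context
    return None


HTTPD = "system_u:object_r:httpd_sys_rw_content_t:s0"
CERT = "system_u:object_r:pulp_cert_t:s0"

# Constructed sample rules for this issue; NOT the contents of pulp-server.fc.
# Generic rule first, specific per-type rules for the link path last.
SAMPLE_FC = rf"""
/etc/pki/pulp(/.*)?                       {CERT}
/var/lib/pulp(/.*)?                       {HTTPD}
/var/lib/pulp/static/rsa_pub\.key   --    {CERT}
/var/lib/pulp/static/rsa_pub\.key   -l    {HTTPD}
"""

# Same rules with the specific entries placed BEFORE the generic one.
REORDERED_FC = rf"""
/var/lib/pulp/static/rsa_pub\.key   --    {CERT}
/var/lib/pulp/static/rsa_pub\.key   -l    {HTTPD}
/etc/pki/pulp(/.*)?                       {CERT}
/var/lib/pulp(/.*)?                       {HTTPD}
"""

LINK = "/var/lib/pulp/static/rsa_pub.key"      # the symlink created by the spec file
TARGET = "/etc/pki/pulp/rsa_pub.key"           # the regular file it points to


def demo() -> dict:
    good = parse_fc(SAMPLE_FC)
    bad = parse_fc(REORDERED_FC)
    return {
        "target (regular file)": lookup(good, TARGET, stat.S_IFREG),
        "link inode": lookup(good, LINK, stat.S_IFLNK),
        "regular file replacing the link": lookup(good, LINK, stat.S_IFREG),
        "unrelated file under static/": lookup(good, "/var/lib/pulp/static/x.js", stat.S_IFREG),
        # the generic rule is now last, so it shadows the `--` rule for a regular file
        "reordered, regular file at link path": lookup(bad, LINK, stat.S_IFREG),
    }


if __name__ == "__main__":
    for what, ctx in demo().items():
        print(f"{what:40} -> {ctx}")
```

Run it and the link inode resolves to httpd_sys_rw_content_t while the target under /etc/pki/pulp, or a regular file put at the link's path, resolves to pulp_cert_t; with REORDERED_FC the generic /var/lib/pulp(/.*)? entry comes last and wins over the `--` entry. One caveat when checking this on a live system: getfattr without -h follows a symlink and reports the target's label, so a dereferenced read of a link to /etc/pki/pulp/rsa_pub.key shows pulp_cert_t whatever the link's own label is; use getfattr -h (or ls -Z) to see the link inode itself.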
Updated by bizhang almost 7 years ago
- Priority changed from Normal to Low
- Severity changed from 2. Medium to 1. Low
- Triaged changed from No to Yes
Updated by bmbouter over 4 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter over 4 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.