Issue #2508

closed

/var/lib/pulp/static/rsa_pub.key has incorrect SELinux label

Added by Ichimonji10 about 6 years ago. Updated almost 4 years ago.

Status: CLOSED - WONTFIX
Priority: Low
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

/var/lib/pulp/static/rsa_pub.key should have a label of system_u:object_r:httpd_sys_rw_content_t:s0. See pulp/pulp-server.fc. Instead, /var/lib/pulp/static/rsa_pub.key has a context of unconfined_u:object_r:pulp_cert_t:s0. To demonstrate the issue:

[root@fedora-24-pulp-2-11 ~]# getfattr --name=security.selinux /var/lib/pulp/static/rsa_pub.key
getfattr: Removing leading '/' from absolute path names
# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"

[root@fedora-24-pulp-2-11 ~]# restorecon /var/lib/pulp/static/rsa_pub.key
[root@fedora-24-pulp-2-11 ~]# getfattr --name=security.selinux /var/lib/pulp/static/rsa_pub.key
getfattr: Removing leading '/' from absolute path names
# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"

It's unclear whether /var/lib/pulp/static/rsa_pub.key should exist. See Pulp #2160.

Reproduced on Pulp 2.11 and 2.12 on Fedora 24, RHEL 6.8 and RHEL 7.3. All systems have been installed with pulp_packaging. Sample packages from the Fedora 24 system:

[root@fedora-24-pulp-2-11 ~]# rpm -qa | grep -i pulp | sort
pulp-admin-client-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
pulp-docker-admin-extensions-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
pulp-docker-plugins-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
pulp-ostree-admin-extensions-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
pulp-ostree-plugins-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
pulp-puppet-admin-extensions-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
pulp-puppet-plugins-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
pulp-rpm-admin-extensions-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
pulp-rpm-plugins-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
pulp-selinux-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
pulp-server-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-client-lib-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-common-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-docker-common-2.2.1-0.1.alpha.git.13.6ece2f0.fc24.noarch
python-pulp-oid_validation-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-ostree-common-1.2.1-0.1.alpha.git.19.a1a7296.fc24.noarch
python-pulp-puppet-common-2.11.1-0.1.alpha.git.16.7ef210a.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-repoauth-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
python-pulp-rpm-common-2.11.1-0.1.alpha.git.25.5a67288.fc24.noarch
python-pulp-streamer-2.11.1-0.1.alpha.git.51.f9a13a2.fc24.noarch
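
The comparison made by eye in the report can be scripted. The following is an added example, not part of the original report or of Pulp's code: it parses the getfattr output quoted above and lists which fields of the label differ from the expected one. The function and variable names are assumptions made for illustration, and the sample input is constructed from the values in the report.

```shell
#!/bin/sh
# Added example: compare a file's SELinux label with the expected one, per field.

# Constructed sample input: the getfattr output quoted in the report.
SAMPLE_GETFATTR='# file: var/lib/pulp/static/rsa_pub.key
security.selinux="unconfined_u:object_r:pulp_cert_t:s0"'
# Expected label, as stated in the report.
EXPECTED='system_u:object_r:httpd_sys_rw_content_t:s0'

# Read `getfattr --name=security.selinux` output on stdin, print the context.
context_from_getfattr() {
    sed -n 's/^security\.selinux="\(.*\)"$/\1/p' | head -n 1
}

# Print the names of the fields in which context $1 differs from context $2.
# The last variable of `read` takes the rest of the line, so an MLS/MCS range
# that itself contains colons (s0:c0.c1023) stays in one piece.
context_diff() {
    IFS=: read -r a_user a_role a_type a_range <<EOF
$1
EOF
    IFS=: read -r e_user e_role e_type e_range <<EOF
$2
EOF
    fields=""
    [ "$a_user" = "$e_user" ] || fields="$fields user"
    [ "$a_role" = "$e_role" ] || fields="$fields role"
    [ "$a_type" = "$e_type" ] || fields="$fields type"
    [ "$a_range" = "$e_range" ] || fields="$fields range"
    printf '%s\n' "${fields# }"
}

actual=$(printf '%s\n' "$SAMPLE_GETFATTR" | context_from_getfattr)
echo "actual:   $actual"
echo "expected: $EXPECTED"
echo "differs:  $(context_diff "$actual" "$EXPECTED")"
```

Of the fields reported, restorecon resets only the type by default; the user, role and range are reset only when it is run with -F.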
