Project

Profile

Help

Issue #3159

closed

Celery AVC Denials on F27

Added by pcreech almost 7 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
2.15.1
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

I installed pulp in the same way our automation installs pulp, and ran smash against it. Here are the following avc denials I ran into after smash was complete:

(env) [pcreech@my_machine ansible]$ journalctl -xe | grep denied Nov 30 12:39:56 my_machine audit[4697]: AVC avc: denied { map } for pid=4697 comm="celery" path="/dev/shm/wIb58r" dev="tmpfs" ino=250866 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1 Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { read } for pid=5106 comm="celery" name="customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1 Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { open } for pid=5106 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1 Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { getattr } for pid=5106 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1

Actions #1

Updated by bmbouter almost 7 years ago

For wheoever goes to fix, we need the Refpol audit2allow statements with it running in Permissive mode. That can be gotten with sudo audit2allow -Ral. Having it in Permissive mode is important otherwise you'll just get the first failure. Also consider just before reproducing the failure reload SELinux with sudo semodule -R so the audit2allow will only show you relavent statements.

In terms of understanding what changed, I asked in #fedora-selinux about what about F27 would be different, but I haven't heard back.

Actions #2

Updated by pcreech almost 7 years ago

Adding audit2allow output


[pcreech@my_machine ~]$ sudo audit2allow -Ral

require {
    type celery_t;
    type pstore_t;
    type qpidd_var_lib_t;
    type pulp_var_cache_t;
    type qpidd_t;
    class file map;
    class filesystem getattr;
}

#============= celery_t ==============
allow celery_t pstore_t:filesystem getattr;
allow celery_t pulp_var_cache_t:file map;
dev_getattr_fs(celery_t)
fs_exec_tmpfs_files(celery_t)
fs_getattr_cgroup(celery_t)
fs_getattr_hugetlbfs(celery_t)
kernel_getattr_debugfs(celery_t)
seutil_read_default_contexts(celery_t)
term_getattr_pty_fs(celery_t)

#============= qpidd_t ==============
allow qpidd_t qpidd_var_lib_t:file map;
Actions #3

Updated by bmbouter almost 7 years ago

What version of Pulp is under test with F27 in this issue?

Actions #4

Updated by pcreech almost 7 years ago

This testing is done off the latest builds from master branch

Actions #5

Updated by bmbouter almost 7 years ago

And do F25 and F26 corresponding builds pass and only F27 fails?

Actions #6

Updated by pcreech almost 7 years ago

That would be a correct statement

Added by werwty almost 7 years ago

Revision 79429aa4 | View on GitHub

Update selinux definitions for celery so it runs on f27

closes #3159 https://pulp.plan.io/issues/3159

Actions #7

Updated by bizhang almost 7 years ago

  • Status changed from NEW to POST
  • Assignee set to bizhang
Actions #8

Updated by werwty almost 7 years ago

  • Status changed from POST to MODIFIED

Added by werwty almost 7 years ago

Revision bd43621b | View on GitHub

Update selinux definitions for qpid so it runs on f27

re #3159 https://pulp.plan.io/issues/3159

Added by werwty almost 7 years ago

Revision b840c9e0 | View on GitHub

Update selinux definitions for celery so it runs on f27

closes #3159 https://pulp.plan.io/issues/3159

(cherry picked from commit 79429aa4a6127ad0d3dd8a8d8f21eb8dc08c162b)

Added by werwty almost 7 years ago

Revision 47892afb | View on GitHub

Update selinux definitions for qpid so it runs on f27

re #3159 https://pulp.plan.io/issues/3159

(cherry picked from commit bd43621bb53b0b8e82012d8c96abfd297bbc9dcf)

Actions #10

Updated by Ichimonji10 almost 7 years ago

  • Status changed from MODIFIED to ASSIGNED

SELinux denials still affect Pulp 2.15 beta 3 on Fedora 27. This is known for two reasons:

  • Test runs on Jenkins show massive numbers of test failures.
  • Test runs on my own personal test VMs also show massive numbers of test failures.

Here's the relevant packages on my test VM:

[root@fedora-27-pulp-2-15-beta ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.0-0.3.beta.fc27.noarch
pulp-deb-admin-extensions-1.6.0-0.2.beta.fc27.noarch
pulp-deb-plugins-1.6.0-0.2.beta.fc27.noarch
pulp-docker-admin-extensions-3.1.0-0.3.beta.fc27.noarch
pulp-docker-plugins-3.1.0-0.3.beta.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.0-0.2.beta.fc27.noarch
pulp-puppet-plugins-2.15.0-0.2.beta.fc27.noarch
pulp-puppet-tools-2.15.0-0.2.beta.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.0-0.3.beta.fc27.noarch
pulp-rpm-plugins-2.15.0-0.3.beta.fc27.noarch
pulp-selinux-2.15.0-0.3.beta.fc27.noarch
pulp-server-2.15.0-0.3.beta.fc27.noarch
python-pulp-bindings-2.15.0-0.3.beta.fc27.noarch
python-pulp-client-lib-2.15.0-0.3.beta.fc27.noarch
python-pulp-common-2.15.0-0.3.beta.fc27.noarch
python-pulp-deb-common-1.6.0-0.2.beta.fc27.noarch
python-pulp-docker-common-3.1.0-0.3.beta.fc27.noarch
python-pulp-oid_validation-2.15.0-0.3.beta.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.0-0.2.beta.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.0-0.3.beta.fc27.noarch
python-pulp-rpm-common-2.15.0-0.3.beta.fc27.noarch
python-pulp-streamer-2.15.0-0.3.beta.fc27.noarch

I prepped my system by executing the following:

setenforce 0
echo < /var/log/audit/audit.log
semodule -R

I then executed a test with python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_republish.RemoveOldRepodataTestCase. Here's some of the relevant output:

[root@fedora-27-pulp-2-15-beta ~]# audit2allow -al

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t amqp_port_t:tcp_socket name_connect;
[root@fedora-27-pulp-2-15-beta ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-27-pulp-2-15-beta ~]# cat /var/log/audit/audit.log

type=USER_AVC msg=audit(1515169604.881:8124): pid=685 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=11)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1515169604.884:8125): policy loaded auid=0 ses=6
type=USER_START msg=audit(1515169626.826:8126): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169626.826:8127): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=3910 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1515169626.870:8128): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169626.872:8129): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=3925 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1515169626.915:8130): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169626.916:8131): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=3945 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1515169626.934:8132): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=AVC msg=audit(1515169627.210:8133): avc:  denied  { name_connect } for  pid=3372 comm="httpd" dest=5672 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
type=USER_START msg=audit(1515169637.851:8134): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169637.852:8135): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=4046 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1515169637.870:8136): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_START msg=audit(1515169637.893:8137): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169637.894:8138): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=4060 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1515169637.913:8139): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_END msg=audit(1515169643.648:8140): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_START msg=audit(1515169643.717:8141): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169643.718:8142): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=4089 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1515169643.734:8143): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_START msg=audit(1515169643.749:8144): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1515169643.750:8145): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:37:3e:4d:09:38:f0:b8:21:21:02:57:0c:82:84:b3:42:12:c6:4c:9e:78:36:b0:d6:73:66:0f:7b:a5:e1:0a:42 direction=? spid=4103 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1515169643.769:8146): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_END msg=audit(1515169649.842:8147): pid=2819 uid=0 auid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'

Added by werwty almost 7 years ago

Revision d2cd55bc | View on GitHub

Allow httpd access to amqp and mongo ports

closes #3159 https://pulp.plan.io/issues/3159

Actions #11

Updated by bizhang almost 7 years ago

  • Status changed from ASSIGNED to POST
Actions #12

Updated by werwty almost 7 years ago

  • Status changed from POST to MODIFIED

Added by werwty almost 7 years ago

Revision 7be01fe1 | View on GitHub

Update selinux policies to allow httpd access to squid port

re #3159 https://pulp.plan.io/issues/3159

Added by werwty almost 7 years ago

Revision fcba656c | View on GitHub

Update selinux policies to allow httpd access to squid port

re #3159 https://pulp.plan.io/issues/3159

(cherry picked from commit 7be01fe112794840063356a8c321b562c7a9f3b6)

Actions #13

Updated by pcreech almost 7 years ago

  • Platform Release set to 2.15.1

Added by werwty almost 7 years ago

Revision ed9c9e6e | View on GitHub

Allow httpd access to amqp and mongo ports

closes #3159 https://pulp.plan.io/issues/3159

(cherry picked from commit d2cd55bc804aa93a9103f9770e9c9b9181ee94f2)

Actions #15

Updated by pcreech almost 7 years ago

  • Status changed from MODIFIED to 5
Actions #16

Updated by pcreech almost 7 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #17

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF