Issue #3159
Celery AVC Denials on F27
Status: closed
Description
I installed pulp in the same way our automation installs pulp, and ran smash against it. Here are the AVC denials I ran into after smash completed:
(env) [pcreech@my_machine ansible]$ journalctl -xe | grep denied
Nov 30 12:39:56 my_machine audit[4697]: AVC avc: denied { map } for pid=4697 comm="celery" path="/dev/shm/wIb58r" dev="tmpfs" ino=250866 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { read } for pid=5106 comm="celery" name="customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { open } for pid=5106 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { getattr } for pid=5106 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
Updated by bmbouter almost 7 years ago
For whoever goes to fix this, we need the Refpol audit2allow statements with it running in Permissive mode. That can be gotten with sudo audit2allow -Ral. Having it in Permissive mode is important, otherwise you'll just get the first failure. Also consider reloading SELinux with sudo semodule -R just before reproducing the failure, so the audit2allow will only show you relevant statements.
In terms of understanding what changed, I asked in #fedora-selinux about what about F27 would be different, but I haven't heard back.
Updated by pcreech almost 7 years ago
Adding audit2allow output
[pcreech@my_machine ~]$ sudo audit2allow -Ral
require {
type celery_t;
type pstore_t;
type qpidd_var_lib_t;
type pulp_var_cache_t;
type qpidd_t;
class file map;
class filesystem getattr;
}
#============= celery_t ==============
allow celery_t pstore_t:filesystem getattr;
allow celery_t pulp_var_cache_t:file map;
dev_getattr_fs(celery_t)
fs_exec_tmpfs_files(celery_t)
fs_getattr_cgroup(celery_t)
fs_getattr_hugetlbfs(celery_t)
kernel_getattr_debugfs(celery_t)
seutil_read_default_contexts(celery_t)
term_getattr_pty_fs(celery_t)
#============= qpidd_t ==============
allow qpidd_t qpidd_var_lib_t:file map;
Updated by bmbouter almost 7 years ago
What version of Pulp is under test with F27 in this issue?
Updated by pcreech almost 7 years ago
This testing is done off the latest builds from the master branch.
Updated by bmbouter almost 7 years ago
And do F25 and F26 corresponding builds pass and only F27 fails?
Added by werwty almost 7 years ago
Updated by bizhang almost 7 years ago
- Status changed from NEW to POST
- Assignee set to bizhang
Updated by werwty almost 7 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp|79429aa4a6127ad0d3dd8a8d8f21eb8dc08c162b.
Added by werwty almost 7 years ago
Revision bd43621b | View on GitHub
Update selinux definitions for qpid so it runs on f27
Added by werwty almost 7 years ago
Revision b840c9e0 | View on GitHub
Update selinux definitions for celery so it runs on f27
closes #3159 https://pulp.plan.io/issues/3159
(cherry picked from commit 79429aa4a6127ad0d3dd8a8d8f21eb8dc08c162b)
Added by werwty almost 7 years ago
Revision 47892afb | View on GitHub
Update selinux definitions for qpid so it runs on f27
re #3159 https://pulp.plan.io/issues/3159
(cherry picked from commit bd43621bb53b0b8e82012d8c96abfd297bbc9dcf)
Updated by werwty almost 7 years ago
Applied in changeset pulp|b840c9e0ac4c9584807b61345286bdb0a2503b64.
Updated by Ichimonji10 almost 7 years ago
- Status changed from MODIFIED to ASSIGNED
SELinux denials still affect Pulp 2.15 beta 3 on Fedora 27. This is known for two reasons:
- Test runs on Jenkins show massive numbers of test failures.
- Test runs on my own personal test VMs also show massive numbers of test failures.
Here are the relevant packages on my test VM:
[root@fedora-27-pulp-2-15-beta ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.0-0.3.beta.fc27.noarch
pulp-deb-admin-extensions-1.6.0-0.2.beta.fc27.noarch
pulp-deb-plugins-1.6.0-0.2.beta.fc27.noarch
pulp-docker-admin-extensions-3.1.0-0.3.beta.fc27.noarch
pulp-docker-plugins-3.1.0-0.3.beta.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.0-0.2.beta.fc27.noarch
pulp-puppet-plugins-2.15.0-0.2.beta.fc27.noarch
pulp-puppet-tools-2.15.0-0.2.beta.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.0-0.3.beta.fc27.noarch
pulp-rpm-plugins-2.15.0-0.3.beta.fc27.noarch
pulp-selinux-2.15.0-0.3.beta.fc27.noarch
pulp-server-2.15.0-0.3.beta.fc27.noarch
python-pulp-bindings-2.15.0-0.3.beta.fc27.noarch
python-pulp-client-lib-2.15.0-0.3.beta.fc27.noarch
python-pulp-common-2.15.0-0.3.beta.fc27.noarch
python-pulp-deb-common-1.6.0-0.2.beta.fc27.noarch
python-pulp-docker-common-3.1.0-0.3.beta.fc27.noarch
python-pulp-oid_validation-2.15.0-0.3.beta.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.0-0.2.beta.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.0-0.3.beta.fc27.noarch
python-pulp-rpm-common-2.15.0-0.3.beta.fc27.noarch
python-pulp-streamer-2.15.0-0.3.beta.fc27.noarch
I prepped my system by executing the following:
setenforce 0
echo < /var/log/audit/audit.log
semodule -R
I then executed a test with python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_republish.RemoveOldRepodataTestCase. Here's some of the relevant output:
[root@fedora-27-pulp-2-15-beta ~]# audit2allow -al
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t amqp_port_t:tcp_socket name_connect;
[root@fedora-27-pulp-2-15-beta ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-27-pulp-2-15-beta ~]# cat /var/log/audit/audit.log
type=AVC msg=audit(1515169627.210:8133): avc: denied { name_connect } for pid=3372 comm="httpd" dest=5672 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
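As an added example, not part of this issue or of the Pulp code base: the aggregation step that bmbouter's audit2allow run performs, applied to the denial records quoted in the description and in the comment above. It groups AVC denials by source type, target type and object class and renders them as a .te fragment in the raw audit2allow -al form (plain allow rules, not the refpolicy interface macros that -R produces); the sample log is constructed from the records on this page, and a generated rule is a starting point for review, not a policy to load as-is.

```python
import re
from collections import defaultdict

# Matches both journalctl ("AVC avc: denied ...") and audit.log ("type=AVC ... avc: denied ...") records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: the denial records quoted in this issue, plus one non-AVC record as noise.
SAMPLE_LOG = """\
Nov 30 12:39:56 my_machine audit[4697]: AVC avc: denied { map } for pid=4697 comm="celery" path="/dev/shm/wIb58r" dev="tmpfs" ino=250866 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { read } for pid=5106 comm="celery" name="customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { open } for pid=5106 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
Nov 30 12:40:10 my_machine audit[5106]: AVC avc: denied { getattr } for pid=5106 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=656003 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=MAC_POLICY_LOAD msg=audit(1515169604.884:8125): policy loaded auid=0 ses=6
type=AVC msg=audit(1515169627.210:8133): avc: denied { name_connect } for pid=3372 comm="httpd" dest=5672 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
"""

def type_of(context):  # user:role:type[:range] -> type, e.g. system_u:system_r:celery_t:s0 -> celery_t
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # anything else (USER_START, CRYPTO_KEY_USER, MAC_POLICY_LOAD, ...) is not a denial
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render_te(rules):
    """Render a .te fragment: a require block, then allow rules grouped by source type."""
    perms_by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        perms_by_class[cls] |= perms
    out = ["require {"]
    out += [f"\ttype {t};" for t in sorted({t for k in rules for t in k[:2]})]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(perms_by_class.items())]
    out.append("}")
    for stype in sorted({k[0] for k in rules}):
        out.append(f"\n#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                p = sorted(perms)
                out.append(f"allow {s} {t}:{c} {p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'};")
    return "\n".join(out)
```

Calling render_te(collect_denials(SAMPLE_LOG)) yields the two celery_t rules (map on tmpfs_t, and getattr/open/read on default_context_t) and the httpd_t name_connect rule on amqp_port_t that the later commits address.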
Added by werwty almost 7 years ago
Revision d2cd55bc | View on GitHub
Allow httpd access to amqp and mongo ports
Updated by bizhang almost 7 years ago
- Status changed from ASSIGNED to POST
One more PR for selinux:
https://github.com/pulp/pulp/pull/3255
Updated by werwty almost 7 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp|d2cd55bc804aa93a9103f9770e9c9b9181ee94f2.
Added by werwty almost 7 years ago
Revision 7be01fe1 | View on GitHub
Update selinux policies to allow httpd access to squid port
Added by werwty almost 7 years ago
Revision fcba656c | View on GitHub
Update selinux policies to allow httpd access to squid port
re #3159 https://pulp.plan.io/issues/3159
(cherry picked from commit 7be01fe112794840063356a8c321b562c7a9f3b6)
Added by werwty almost 7 years ago
Revision ed9c9e6e | View on GitHub
Allow httpd access to amqp and mongo ports
closes #3159 https://pulp.plan.io/issues/3159
(cherry picked from commit d2cd55bc804aa93a9103f9770e9c9b9181ee94f2)
Updated by werwty almost 7 years ago
Applied in changeset pulp|ed9c9e6e203ec4540bd72b8f14d4ce9d8873f51d.
Updated by pcreech almost 7 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE