Issue #564 (closed)
We have a dontaudit rule on httpd_t for rpm_var_lib_t:dir
Description
Description of problem:
We have a line [0] in our selinux policy that grants unnecessary and potentially dangerous privilege to the httpd process. This is very likely a holdover from Pulp 1.x days, and I believe it can be safely removed.
Version-Release number of selected component (if applicable):
2.4.0-1
How reproducible:
Every time
Steps to Reproduce:
1. Go to [0].
2. Look for a line that says dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };
Actual results:
That line is there.
Expected results:
That line should not be there.
Additional info:
There might be a better way than looking at github to find out if we have that dontaudit rule, but I am not familiar enough with selinux yet to know. If there is a way to check on an installed system that there isn't a dontaudit rule, that would be a superior test.
[0] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.te#L31
+ This bug was cloned from Bugzilla Bug #1148999 +
Updated by rbarlow about 9 years ago
I think this one is a defect and not a task since it is granting unnecessary privileges.
+ This comment was cloned from Bugzilla #1148999 comment 1 +
Updated by bmbouter about 9 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by bmbouter about 9 years ago
- Description updated (diff)
Attempting to test if removing the dontaudit rules causes avc denial messages like these as described by the reproducer description when the dontaudit rule was added. I'm doing this on EL6 against the 2.6.1 beta.
Added by bmbouter about 9 years ago
Revision e30542c0
Removes dontaudit rules from pulp-server SELinux policy
closes #564
Updated by bmbouter about 9 years ago
- Status changed from ASSIGNED to POST
- Platform Release set to 2.6.2
I created a fix here [0] which removes the dontaudit rule. I tested a compiled version of the fix on a fresh RHEL 6.5 system with the 2.6.1 beta, and I didn't see any avc denials at all. I was able to create/sync/delete repos, which was the operation that caused denials when these dontaudit rules were initially added.
Updated by bmbouter about 9 years ago
QE, to verify this have SELinux in enforcing mode, and attempt to sync https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/
If it syncs without producing any denials in /var/log/audit/audit.log then VERIFY the bug.
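For the reporter's question about checking an installed system for the rule, and for the QE steps above, the following is an added shell example (not part of the issue or the Pulp code): it queries the loaded policy with sesearch and filters audit.log records for the httpd_t to rpm_var_lib_t denials the dontaudit rule would have suppressed. The sample audit records are constructed.

```shell
#!/bin/sh
# Added example for issue #564 (not code from the Pulp project): check an
# installed system for the dontaudit rule under discussion and scan audit
# records for the httpd_t -> rpm_var_lib_t denials it would have hidden.
# The live checks need setools (sesearch) and audit; the sample records at
# the bottom are constructed.

# The check the reporter asked for: does the loaded policy still carry
# "dontaudit httpd_t rpm_var_lib_t:dir ..."? Returns 0 if present, 1 if not.
has_dontaudit_rule() {
    sesearch --dontaudit -s httpd_t -t rpm_var_lib_t -c dir 2>/dev/null \
        | grep -q 'dontaudit httpd_t rpm_var_lib_t'
}

# Filter raw audit records on stdin down to AVC denials whose source domain
# is httpd_t and whose target type is rpm_var_lib_t. A dontaudit rule for
# that pair suppresses exactly these records, so a clean log only proves
# something once has_dontaudit_rule reports the rule is gone (or after
# "semodule -DB", which rebuilds the policy with all dontaudit rules off).
httpd_rpmlib_denials() {
    grep 'type=AVC' | grep 'denied' \
        | grep 'scontext=[^ ]*:httpd_t' | grep 'tcontext=[^ ]*:rpm_var_lib_t'
}

count_httpd_rpmlib_denials() {
    httpd_rpmlib_denials | wc -l | tr -d ' '
}

# The QE procedure from the thread: SELinux must be enforcing, and after the
# repo sync there must be no matching denials in audit.log.
verify_no_denials() {
    [ "$(getenforce)" = "Enforcing" ] || { echo "SELinux not enforcing" >&2; return 2; }
    [ "$(count_httpd_rpmlib_denials < /var/log/audit/audit.log)" = "0" ]
}

# Constructed sample records in audit.log AVC format (pids, inodes and
# timestamps are made up). Only the first one should be reported.
SAMPLE_AUDIT='type=AVC msg=audit(1400000000.123:101): avc:  denied  { search } for  pid=1234 comm="httpd" name="rpm" dev="dm-0" ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1400000000.124:102): avc:  granted  { getattr } for  pid=1234 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1400000001.000:103): avc:  denied  { read } for  pid=4321 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.123:101): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" subj=unconfined_u:system_r:httpd_t:s0'

# Stand-alone demonstration against the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | httpd_rpmlib_denials
echo "httpd_t -> rpm_var_lib_t denials: $(printf '%s\n' "$SAMPLE_AUDIT" | count_httpd_rpmlib_denials)"
```

On a real system run `has_dontaudit_rule || echo absent` before the sync, then `verify_no_denials` afterwards.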
Updated by bmbouter about 9 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp:pulp|e30542c0285098713b1701d3cbfb94c0123cd0f7.
Updated by dkliban@redhat.com almost 9 years ago
- Status changed from MODIFIED to 5
Updated by pthomas@redhat.com almost 9 years ago
Verified
[root@mgmt12 ~]#
[root@mgmt12 ~]# getenforce
Enforcing
[root@mgmt12 ~]#
[root@mgmt12 ~]# rpm -qa pulp-server
pulp-server-2.6.2-0.2.beta.el6.noarch
[root@mgmt12 ~]#
[root@mgmt12 ~]#
[root@mgmt12 ~]#
[root@mgmt12 ~]# pulp-admin rpm repo create --repo-id issue-564 --feed https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/
Successfully created repository [issue-564]
[root@mgmt12 ~]# pulp-admin rpm repo sync run --repo-id issue-564
+----------------------------------------------------------------------+
Synchronizing Repository [issue-564]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[|]
... completed
Downloading repository content...
[==================================================] 100%
RPMs: 75/75 items
Delta RPMs: 0/0 items
... completed
Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed
Importing errata...
[-]
... completed
Importing package groups/categories...
[-]
... completed
Task Succeeded
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
75 of 75 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[-]
... completed
Publishing Comps file
[==================================================] 100%
7 of 7 items
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Publishing files to web
[-]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
Updated by dkliban@redhat.com over 8 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE