Issue #564

We have a dontaudit rule on httpd_t for rpm_var_lib_t:dir

Added by rbarlow almost 7 years ago. Updated over 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Severity: 1. Low
Version: 2.4.0
Platform Release: 2.6.2
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2

Description

Description of problem:
We have a line [0] in our selinux policy that grants unnecessary and potentially dangerous privilege to the httpd process. This is very likely a holdover from Pulp 1.x days, and I believe it can be safely removed.

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time

Steps to Reproduce:
1. Go to [0].
2. Look for a line that says dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };

Actual results:
That line is there.

Expected results:
That line should not be there.

Additional info:
There might be a better way than looking at github to find out if we have that dontaudit rule, but I am not familiar enough with selinux yet to know. If there is a way to check on an installed system that there isn't a dontaudit rule, that would be a superior test.

[0] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.te#L31

+ This bug was cloned from Bugzilla Bug #1148999 +

Associated revisions

Revision e30542c0 View on GitHub
Added by bmbouter over 6 years ago

Removes dontaudit rules from pulp-server SELinux policy

closes #564

History

#1 Updated by rbarlow almost 7 years ago

I think this one is a defect and not a task since it is granting unnecessary privileges.

+ This comment was cloned from Bugzilla #1148999 comment 1 +

#2 Updated by bmbouter over 6 years ago

  • Severity changed from Low to 1. Low

#3 Updated by bmbouter over 6 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

#4 Updated by bmbouter over 6 years ago

  • Description updated (diff)

Attempting to test if removing the dontaudit rules causes avc denial messages like these, as described by the reproducer description when the dontaudit rule was added. I'm doing this on EL6 against the 2.6.1 beta.

#5 Updated by bmbouter over 6 years ago

  • Status changed from ASSIGNED to POST
  • Platform Release set to 2.6.2

I created a fix here [0] which removes the dontaudit rule. I tested a compiled version of the fix on a fresh RHEL 6.5 system with the 2.6.1 beta, and I didn't see any avc denials at all. I was able to create/sync/delete repos, which was the operation that caused denials when these dontaudit rules were initially added.

[0]: https://github.com/pulp/pulp/pull/1765

#6 Updated by bmbouter over 6 years ago

QE, to verify this have SELinux in enforcing mode, and attempt to sync https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/

If it syncs without producing any denials in /var/log/audit/audit.log then VERIFY the bug.
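
The description asks for a way to confirm on an installed system that no dontaudit rule exists, and the QE step here asks for a sync under enforcing mode with no denials in /var/log/audit/audit.log. The following is an added example, not Pulp's own tooling and not part of the original issue: a small POSIX shell script with two checks, one that lists dontaudit rules in a policy .te source (filtered by source domain) and one that counts AVC denials for a domain in audit-log lines. The policy snippet and audit lines it runs on are constructed for the example (the httpd_t rule is the one quoted in the description; the example_t rule and the log records are made up). Comments name the commands to run on a real host instead of parsing files: sesearch from setools, ausearch, and semodule -DB / -B. One caveat worth stating plainly: a dontaudit rule does not grant access to the subject domain; it only suppresses the audit record when that access is denied. Removing it changes visibility, not permissions, which is why a clean sync with no new denials is the right verification.

```shell
#!/bin/sh
# Added example for issue #564 (not Pulp's own code). Two checks:
#   find_dontaudit_rules  - list dontaudit rules in a policy .te source, optionally
#                           filtered by source domain (httpd_t here)
#   count_avc_denials     - count AVC "denied" records for a source domain in audit.log lines
# The policy snippet and audit lines below are constructed for this example.
#
# On an installed host query the loaded policy and the real audit log instead:
#   sesearch --dontaudit -s httpd_t -t rpm_var_lib_t -c dir   # setools; no output = no rule loaded
#   ausearch -m avc -ts recent                                # recent AVC records
#   semodule -DB   # rebuild with all dontaudit rules disabled so suppressed denials become visible
#   semodule -B    # restore the normal policy afterwards
# A dontaudit rule never grants access; it only hides the denial record.

# Read policy source on stdin, drop comments, normalise whitespace, and print
# each dontaudit rule whose source type is $1 (empty $1 = every dontaudit rule).
# Line-based: a rule whose { ... } permission set spans several lines is missed.
find_dontaudit_rules() {
    awk -v dom="$1" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); gsub(/[ \t]+/, " ") }
        $1 == "dontaudit" && (dom == "" || $2 == dom) { print }
    '
}

# Read audit.log lines on stdin and print the number of AVC "denied" records
# whose source context (scontext=) has $1 as its type field.
count_avc_denials() {
    awk -v dom="$1" '
        /^type=AVC / && / denied / && $0 ~ ("scontext=[^ ]*:" dom ":") { n++ }
        END { print n + 0 }
    '
}

# Constructed policy source. The httpd_t line is the rule quoted in the issue;
# example_t and its rule are invented to show domain filtering.
POLICY_SRC='require {
    type httpd_t;
    type rpm_var_lib_t;
}

# a comment that mentions dontaudit must not count
dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };
allow httpd_t rpm_var_lib_t:dir read;
dontaudit example_t tmp_t:file write;'

# Constructed audit.log extract in the kernel AVC format: one httpd_t denial on
# rpm_var_lib_t (what a sync would produce if httpd touched /var/lib/rpm with the
# rule gone), its SYSCALL record, one unrelated sshd_t denial and one granted record.
AUDIT_SAMPLE='type=AVC msg=audit(1428000000.123:456): avc:  denied  { search } for  pid=1234 comm="httpd" name="rpm" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1428000000.123:456): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1428000001.000:457): avc:  denied  { write } for  pid=999 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1428000002.000:458): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Run both checks on the constructed samples.
echo "dontaudit rules for httpd_t:"
printf '%s\n' "$POLICY_SRC" | find_dontaudit_rules httpd_t
echo "httpd_t AVC denials in sample log: $(printf '%s\n' "$AUDIT_SAMPLE" | count_avc_denials httpd_t)"
```

To use the checks against a real host, pipe the installed .te file or `cat /var/log/audit/audit.log` into the functions; but whenever setools is available prefer `sesearch --dontaudit` against the loaded policy, since that is what the kernel enforces, not the source in git.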

#7 Updated by bmbouter over 6 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#8 Updated by dkliban@redhat.com over 6 years ago

  • Status changed from MODIFIED to 5

#10 Updated by pthomas@redhat.com over 6 years ago

Verified

[root@mgmt12 ~]# getenforce
Enforcing
[root@mgmt12 ~]# rpm -qa pulp-server
pulp-server-2.6.2-0.2.beta.el6.noarch

[root@mgmt12 ~]# pulp-admin rpm repo create --repo-id issue-564 --feed https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/
Successfully created repository [issue-564]

[root@mgmt12 ~]# pulp-admin rpm repo sync run --repo-id issue-564
+----------------------------------------------------------------------+
                  Synchronizing Repository [issue-564]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Downloading metadata...
[|]
... completed

Downloading repository content...
[==================================================] 100%
RPMs:       75/75 items
Delta RPMs: 0/0 items

... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-]
... completed

Importing package groups/categories...
[-]
... completed

Task Succeeded

Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
75 of 75 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[-]
... completed

Publishing Comps file
[==================================================] 100%
7 of 7 items
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Publishing files to web
[-]
... completed

Writing Listings File
[-]
... completed

Task Succeeded

#11 Updated by pthomas@redhat.com over 6 years ago

  • Status changed from 5 to 6

#12 Updated by dkliban@redhat.com about 6 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#14 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
