Pulp (https://pulp.plan.io/)
RPM Support - Issue #564: We have a dontaudit rule on httpd_t for rpm_var_lib_t:dir
https://pulp.plan.io/issues/564?journal_id=1224 2015-02-28T22:38:09Z rbarlow
<p>I think this one is a defect and not a task since it is granting unnecessary privileges.</p>
<p>+ This comment was cloned from <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1148999#c1" class="external">Bugzilla #1148999 comment 1</a> +</p>
https://pulp.plan.io/issues/564?journal_id=2532 2015-03-20T19:13:54Z bmbouter (bmbouter@redhat.com)
<ul><li><strong>Severity</strong> changed from <i>Low</i> to <i>1. Low</i></li></ul>
https://pulp.plan.io/issues/564?journal_id=3106 2015-04-03T12:49:00Z bmbouter (bmbouter@redhat.com)
<ul><li><strong>Status</strong> changed from <i>NEW</i> to <i>ASSIGNED</i></li><li><strong>Assignee</strong> set to <i>bmbouter</i></li></ul>
https://pulp.plan.io/issues/564?journal_id=3108 2015-04-03T13:03:06Z bmbouter (bmbouter@redhat.com)
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/3108/diff?detail_id=2248">diff</a>)</li></ul><p>Attempting to test if removing the dontaudit rules causes avc denial messages <a href="https://bugzilla.redhat.com/show_bug.cgi?id=784280#c2" class="external">like these</a> as described by the <a href="https://bugzilla.redhat.com/show_bug.cgi?id=784280#c2" class="external">reproducer description</a> when the dontaudit rule was added. I'm doing this on EL6 against the 2.6.1 beta.</p>
https://pulp.plan.io/issues/564?journal_id=3123 2015-04-03T19:26:13Z bmbouter (bmbouter@redhat.com)
<ul><li><strong>Status</strong> changed from <i>ASSIGNED</i> to <i>POST</i></li><li><strong>Platform Release</strong> set to <i>2.6.2</i></li></ul><p>I created a fix here [0] which removes the dontaudit rule. I tested a compiled version of the fix on a fresh RHEL 6.5 system with the 2.6.1 beta, and I didn't see any avc denials at all. I was able to create/sync/delete repos, which was the operation that caused denials when these dontaudit rules were initially added.</p>
<p>[0]: <a href="https://github.com/pulp/pulp/pull/1765" class="external">https://github.com/pulp/pulp/pull/1765</a></p>
https://pulp.plan.io/issues/564?journal_id=3130 2015-04-03T20:32:05Z bmbouter (bmbouter@redhat.com)
<p>QE, to verify this, have SELinux in enforcing mode and attempt to sync <a href="https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/" class="external">https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/</a></p>
<p>If it syncs without producing any denials in /var/log/audit/audit.log then VERIFY the bug.</p>
https://pulp.plan.io/issues/564?journal_id=3133 2015-04-06T14:49:39Z bmbouter (bmbouter@redhat.com)
<ul><li><strong>Status</strong> changed from <i>POST</i> to <i>MODIFIED</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Removes dontaudit rules from pulp-server SELinux policy closes #564" href="https://pulp.plan.io/projects/pulp/repository/pulp/revisions/e30542c0285098713b1701d3cbfb94c0123cd0f7">pulp:pulp|e30542c0285098713b1701d3cbfb94c0123cd0f7</a>.</p>
https://pulp.plan.io/issues/564?journal_id=4425 2015-05-19T00:00:54Z dkliban@redhat.com
<ul><li><strong>Status</strong> changed from <i>MODIFIED</i> to <i>5</i></li></ul>
https://pulp.plan.io/issues/564?journal_id=4499 2015-05-26T13:05:50Z pthomas@redhat.com
<p>Verified</p>
<pre><code>[root@mgmt12 ~]#
[root@mgmt12 ~]# getenforce
Enforcing
</code></pre>
<pre><code>[root@mgmt12 ~]#
[root@mgmt12 ~]# rpm -qa pulp-server
pulp-server-2.6.2-0.2.beta.el6.noarch
[root@mgmt12 ~]#
[root@mgmt12 ~]#
</code></pre>
<pre><code>
[root@mgmt12 ~]#
[root@mgmt12 ~]# pulp-admin rpm repo create --repo-id issue-564 --feed https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/
Successfully created repository [issue-564]
[root@mgmt12 ~]# pulp-admin rpm repo sync run --repo-id issue-564
+----------------------------------------------------------------------+
Synchronizing Repository [issue-564]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[|]
... completed
Downloading repository content...
[==================================================] 100%
RPMs: 75/75 items
Delta RPMs: 0/0 items
... completed
Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed
Importing errata...
[-]
... completed
Importing package groups/categories...
[-]
... completed
Task Succeeded
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
75 of 75 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[-]
... completed
Publishing Comps file
[==================================================] 100%
7 of 7 items
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Publishing files to web
[-]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
</code></pre>
https://pulp.plan.io/issues/564?journal_id=4500 2015-05-26T13:06:19Z pthomas@redhat.com
<ul><li><strong>Status</strong> changed from <i>5</i> to <i>6</i></li></ul>
https://pulp.plan.io/issues/564?journal_id=6661 2015-10-20T03:32:59Z dkliban@redhat.com
<ul><li><strong>Status</strong> changed from <i>6</i> to <i>CLOSED - CURRENTRELEASE</i></li></ul>
https://pulp.plan.io/issues/564?journal_id=40279 2019-04-15T21:09:01Z bmbouter (bmbouter@redhat.com)
<ul><li><strong>Tags</strong> <i>Pulp 2</i> added</li></ul>