Issue #564

closed

We have a dontaudit rule on httpd_t for rpm_var_lib_t:dir

Added by rbarlow about 9 years ago. Updated about 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
1. Low
Version:
2.4.0
Platform Release:
2.6.2
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Description of problem:
We have a line [0] in our selinux policy that grants unnecessary and potentially dangerous privilege to the httpd process. This is very likely a holdover from Pulp 1.x days, and I believe it can be safely removed.

Version-Release number of selected component (if applicable):
2.4.0-1

How reproducible:
Every time

Steps to Reproduce:
1. Go to [0].
2. Look for a line that says dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };

Actual results:
That line is there.

Expected results:
That line should not be there.

Additional info:
There might be a better way than looking at github to find out if we have that dontaudit rule, but I am not familiar enough with selinux yet to know. If there is a way to check on an installed system that there isn't a dontaudit rule, that would be a superior test.

[0] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.te#L31

+ This bug was cloned from Bugzilla Bug #1148999 +

#1

Updated by rbarlow about 9 years ago

I think this one is a defect and not a task since it is granting unnecessary privileges.

+ This comment was cloned from Bugzilla #1148999 comment 1 +

#2

Updated by bmbouter about 9 years ago

  • Severity changed from Low to 1. Low
#3

Updated by bmbouter about 9 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter
#4

Updated by bmbouter about 9 years ago

  • Description updated (diff)

Attempting to test if removing the dontaudit rules causes avc denial messages like these, as described by the reproducer description when the dontaudit rule was added. I'm doing this on EL6 against the 2.6.1 beta.

Added by bmbouter about 9 years ago

Revision e30542c0 | View on GitHub

Removes dontaudit rules from pulp-server SELinux policy

closes #564

#5

Updated by bmbouter about 9 years ago

  • Status changed from ASSIGNED to POST
  • Platform Release set to 2.6.2

I created a fix here [0] which removes the dontaudit rule. I tested a compiled version of the fix on a fresh RHEL 6.5 system with the 2.6.1 beta, and I didn't see any avc denials at all. I was able to create/sync/delete repos, which was the operation that caused denials when these dontaudit rules were initially added.

[0]: https://github.com/pulp/pulp/pull/1765

#6

Updated by bmbouter about 9 years ago

QE, to verify this have SELinux in enforcing mode, and attempt to sync https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/

If it syncs without producing any denials in /var/log/audit/audit.log then VERIFY the bug.
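The description asks for a way to confirm on an installed system that the dontaudit rule is gone, and the QE note above asks for a sync under enforcing mode with no denials in /var/log/audit/audit.log. The script below is an added example, not Pulp's own tooling: it queries the loaded policy with `sesearch` from setools when that tool is present, falls back to scanning a policy source (.te) file for the exact rule named in this issue, and counts AVC denials whose source context is httpd_t and whose target type is rpm_var_lib_t. The .te snippet and audit lines it embeds are constructed samples so the checks can be exercised offline; the path /var/log/audit/audit.log and the type names come from the issue itself.

```shell
#!/bin/sh
# Added example (not Pulp's own tooling): the two checks a verifier would run
# for this issue, against an installed system or against constructed samples.

# Check 1a: ask the loaded policy directly (sesearch from setools). Prints the
# number of dontaudit rules from httpd_t to rpm_var_lib_t:dir, or a note on
# stderr when sesearch is not installed.
count_dontaudit_loaded() {
  command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 0; }
  sesearch --dontaudit -s httpd_t -t rpm_var_lib_t -c dir 2>/dev/null \
    | grep -cE '^[[:space:]]*dontaudit' || true
}

# Check 1b: scan a policy source (.te) file for the rule quoted in the report.
# $1 = path to the .te file
count_dontaudit_in_te() {
  grep -cE '^[[:space:]]*dontaudit[[:space:]]+httpd_t[[:space:]]+rpm_var_lib_t:dir' "$1" || true
}

# Check 2: count AVC denials whose source context is httpd_t and whose target
# type is rpm_var_lib_t. $1 = path to an audit log, e.g. /var/log/audit/audit.log
count_httpd_rpm_denials() {
  grep -E '^type=AVC .*avc: *denied' "$1" \
    | grep -E 'scontext=[^ ]*:httpd_t:' \
    | grep -cE 'tcontext=[^ ]*:rpm_var_lib_t:' || true
}

# Constructed sample inputs (not real captures) so the checks run offline.
write_sample_te() {
  cat > "$1" <<'EOF'
policy_module(pulp-server, 1.0)
# the rule reported in this issue
dontaudit httpd_t rpm_var_lib_t:dir { getattr search open };
allow httpd_t pulp_var_lib_t:dir search;
EOF
}

write_sample_audit_log() {
  cat > "$1" <<'EOF'
type=AVC msg=audit(1428000000.101:201): avc:  denied  { search } for  pid=1234 comm="httpd" name="rpm" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1428000000.102:202): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/lib/rpm" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1428000000.103:203): avc:  denied  { write } for  pid=5678 comm="crond" name="log" dev=dm-0 ino=77 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1428000000.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="crond" subj=system_u:system_r:crond_t:s0
EOF
}

# Stand-alone run: the checks over the samples, then over the live system
# where the policy tools and audit log are available.
main() {
  tmp=$(mktemp -d)
  write_sample_te "$tmp/pulp-server.te"
  write_sample_audit_log "$tmp/audit.log"
  echo "dontaudit rules in sample .te:  $(count_dontaudit_in_te "$tmp/pulp-server.te")"   # 1
  echo "httpd_t->rpm_var_lib_t denials: $(count_httpd_rpm_denials "$tmp/audit.log")"       # 2
  rm -rf "$tmp"
  echo "dontaudit rules in loaded policy: $(count_dontaudit_loaded)"
  if [ -r /var/log/audit/audit.log ]; then
    echo "live denials: $(count_httpd_rpm_denials /var/log/audit/audit.log)"
  fi
}
main "$@"
```

Two caveats for whoever runs the QE step: a dontaudit rule suppresses the denial message rather than the denial itself, so a quiet audit.log only proves something once the rule is confirmed absent (check 1); and if a denial is suspected of being hidden by some other dontaudit rule, `semodule -DB` rebuilds the policy with all dontaudit rules disabled (`semodule -B` restores them), which makes the suppressed AVCs visible for the duration of the test.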

#7

Updated by bmbouter about 9 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
#8

Updated by dkliban@redhat.com almost 9 years ago

  • Status changed from MODIFIED to 5
#10

Updated by pthomas@redhat.com almost 9 years ago

Verified

[root@mgmt12 ~]# 
[root@mgmt12 ~]# getenforce
Enforcing
[root@mgmt12 ~]# 
[root@mgmt12 ~]# rpm -qa pulp-server
pulp-server-2.6.2-0.2.beta.el6.noarch
[root@mgmt12 ~]# 
[root@mgmt12 ~]# 
 
[root@mgmt12 ~]# 
[root@mgmt12 ~]# pulp-admin rpm repo create --repo-id issue-564 --feed https://repos.fedorapeople.org/repos/pulp/pulp/stable/2.6/6Server/x86_64/
Successfully created repository [issue-564]

[root@mgmt12 ~]# pulp-admin rpm repo sync run --repo-id issue-564
+----------------------------------------------------------------------+
                  Synchronizing Repository [issue-564]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Downloading metadata...
[|]
... completed

Downloading repository content...
[==================================================] 100%
RPMs:       75/75 items
Delta RPMs: 0/0 items

... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-]
... completed

Importing package groups/categories...
[-]
... completed

Task Succeeded

Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
75 of 75 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[-]
... completed

Publishing Comps file
[==================================================] 100%
7 of 7 items
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Publishing files to web
[-]
... completed

Writing Listings File
[-]
... completed

Task Succeeded
#11

Updated by pthomas@redhat.com almost 9 years ago

  • Status changed from 5 to 6
#12

Updated by dkliban@redhat.com over 8 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
#14

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
