Project

Profile

Help

Issue #704

Incorrect file transition for celery pid file

Added by lzap@redhat.com over 6 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Low
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
1. Low
Version:
2.6 Beta
Platform Release:
2.7.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Description of problem:

Celerybeat.pid file has incorrect file label.

Version-Release number of selected component (if applicable):

How reproducible:
Always.

Steps to Reproduce:
1. Install pulp
2. Start
3. Do dry run of restorecon: restorecon -rvn /

Actual results:
...
restorecon reset /var/lib/pulp/celery/celerybeat.pid context system_u:object_r:init_var_lib_t:s0->system_u:object_r:var_lib_t:s0
...

Expected results:
No pulp files are changed.

Additional info:

+ This bug was cloned from Bugzilla Bug #1193794 +

History

#1 Updated by bmbouter over 6 years ago

This bug is related to another selinux BZ.

https://bugzilla.redhat.com/show_bug.cgi?id=1158169

+ This comment was cloned from Bugzilla #1193794 comment 1 +

#2 Updated by dkliban@redhat.com over 6 years ago

I have an F20 box with following packages installed:

pulp-selinux.noarch 2.6.0-0.5.beta.fc20 @pulp-2.6-testing
pulp-server.noarch 2.6.0-0.5.beta.fc20 @pulp-2.6-testing

Here are the labels I am seeing for the celerybeat.pid

[root@pulp-f-20 celery]# ls laZ
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 ..
-rw-r--r-
. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celerybeat.pid

+ This comment was cloned from Bugzilla #1193794 comment 2 +

#3 Updated by bmbouter over 6 years ago

Based on the labels dkliban provided, this does look like a real bug. I see the pid file has httpd_sys_rw_content_t, but it should not have that label.

lzap, two questions for you (or anyone)

1) What label do you expect? Is var_lib_t the right one?

2) Is the right way to fix this with a policy change, or is it an adjustment of this rule [0]?

[0]: https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.fc#L6

+ This comment was cloned from Bugzilla #1193794 comment 3 +

#4 Updated by lzap@redhat.com over 6 years ago

My only expectation is that restorecon does not actually restore. The fix would be to either modify .fc file contexts or to setup a file transition to drop the file with expected label.

On the Fedora box, try to run the restorecon to see what it does.

+ This comment was cloned from Bugzilla #1193794 comment 4 +

#5 Updated by dkliban@redhat.com over 6 years ago

On my fedora box restorecon didn't change anything. The same labels remain.

+ This comment was cloned from Bugzilla #1193794 comment 5 +

#6 Updated by lzap@redhat.com over 6 years ago

Guys, sorry I should clarify this earlier. This is RHEL 7.0. Btw this is low priority - Pulp is operating properly. Cosmetic issue.

+ This comment was cloned from Bugzilla #1193794 comment 6 +

#7 Updated by dkliban@redhat.com over 6 years ago

  • Status changed from ASSIGNED to POST

#8 Updated by dkliban@redhat.com over 6 years ago

  • Status changed from POST to MODIFIED

#9 Updated by bmbouter over 6 years ago

  • Severity changed from Low to 1. Low

#10 Updated by dkliban@redhat.com over 6 years ago

  • Platform Release set to 2.7.0

#11 Updated by dkliban@redhat.com about 6 years ago

  • Status changed from MODIFIED to 5

#12 Updated by amacdona@redhat.com over 5 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#13 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF