Issue #704
closed
Incorrect file transition for celery pid file
Description
Description of problem:
The celerybeat.pid file has an incorrect file label.
Version-Release number of selected component (if applicable):
How reproducible:
Always.
Steps to Reproduce:
1. Install pulp
2. Start
3. Do dry run of restorecon: restorecon -rvn /
Actual results:
...
restorecon reset /var/lib/pulp/celery/celerybeat.pid context system_u:object_r:init_var_lib_t:s0->system_u:object_r:var_lib_t:s0
...
Expected results:
No pulp files are changed.
Additional info:
+ This bug was cloned from Bugzilla Bug #1193794 +
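The dry-run check from the steps to reproduce can be automated. The following is an added example, not part of the original issue or of Pulp's code: it parses `restorecon -rvn` output and lists pending relabels under a path prefix. The name `parse_relabels`, the default prefix and all sample lines except the first are assumptions or constructed; the "Would relabel" format is what newer policycoreutils releases print and does not appear on this page.

```python
import re
import sys

# Older policycoreutils (the format quoted in this issue):
#   restorecon reset PATH context OLD->NEW
# Newer releases print "Would relabel PATH from OLD to NEW" in dry-run mode.
_OLD = re.compile(r"^restorecon reset (?P<path>.+) context (?P<old>\S+)->(?P<new>\S+)$")
_NEW = re.compile(r"^(?:Would relabel|Relabeled) (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")


def _type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_relabels(output, prefix="/var/lib/pulp"):
    """Return (path, old_type, new_type) for each pending relabel under prefix."""
    base = prefix.rstrip("/")
    changes = []
    for line in output.splitlines():
        line = line.strip()
        m = _OLD.match(line) or _NEW.match(line)
        if not m:
            continue  # "..." filler, warnings, unrelated output
        path = m.group("path")
        # Match the directory itself or anything below it, not /var/lib/pulpit.
        if path != base and not path.startswith(base + "/"):
            continue
        changes.append((path, _type(m.group("old")), _type(m.group("new"))))
    return changes


# Constructed sample: the first line is quoted from the issue, the rest are made up.
SAMPLE = """\
restorecon reset /var/lib/pulp/celery/celerybeat.pid context system_u:object_r:init_var_lib_t:s0->system_u:object_r:var_lib_t:s0
restorecon reset /home/alice/.cache context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:cache_home_t:s0
...
Would relabel /var/lib/pulp/example.db from system_u:object_r:var_lib_t:s0 to system_u:object_r:httpd_sys_rw_content_t:s0
"""

if __name__ == "__main__":
    # Pass a file holding saved `restorecon -rvn /` output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, old, new in parse_relabels(text):
        print(f"{path}: {old} -> {new}")
```

An empty result corresponds to the expected outcome stated above: no pulp files are changed.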
Updated by bmbouter about 9 years ago
This bug is related to another selinux BZ.
https://bugzilla.redhat.com/show_bug.cgi?id=1158169
+ This comment was cloned from Bugzilla #1193794 comment 1 +
Updated by dkliban@redhat.com about 9 years ago
I have an F20 box with the following packages installed:
pulp-selinux.noarch 2.6.0-0.5.beta.fc20 @pulp-2.6-testing
pulp-server.noarch 2.6.0-0.5.beta.fc20 @pulp-2.6-testing
Here are the labels I am seeing for the celerybeat.pid:
[root@pulp-f-20 celery]# ls -laZ
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 celerybeat.pid
+ This comment was cloned from Bugzilla #1193794 comment 2 +
Updated by bmbouter about 9 years ago
Based on the labels dkliban provided, this does look like a real bug. I see the pid file has httpd_sys_rw_content_t, but it should not have that label.
lzap, two questions for you (or anyone)
1) What label do you expect? Is var_lib_t the right one?
2) Is the right way to fix this with a policy change, or is it an adjustment of this rule [0]?
[0]: https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.fc#L6
+ This comment was cloned from Bugzilla #1193794 comment 3 +
Updated by lzap@redhat.com about 9 years ago
My only expectation is that restorecon does not actually restore. The fix would be to either modify .fc file contexts or to set up a file transition to drop the file with the expected label.
On the Fedora box, try to run the restorecon to see what it does.
+ This comment was cloned from Bugzilla #1193794 comment 4 +
Updated by dkliban@redhat.com about 9 years ago
On my Fedora box restorecon didn't change anything. The same labels remain.
+ This comment was cloned from Bugzilla #1193794 comment 5 +
Updated by lzap@redhat.com about 9 years ago
Guys, sorry, I should have clarified this earlier. This is RHEL 7.0. Btw, this is low priority - Pulp is operating properly. Cosmetic issue.
+ This comment was cloned from Bugzilla #1193794 comment 6 +
Updated by dkliban@redhat.com about 9 years ago
- Status changed from ASSIGNED to POST
Updated by dkliban@redhat.com about 9 years ago
- Status changed from POST to MODIFIED
Updated by dkliban@redhat.com almost 9 years ago
- Status changed from MODIFIED to 5
Updated by amacdona@redhat.com over 8 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE