Issue #748

closed

Apache httpd getattr denial on RHEL7 after restart of Pulp

Added by lzap@redhat.com over 7 years ago. Updated over 3 years ago.

Status: CLOSED - WORKSFORME
Priority: High
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

We see a denial during Pulp restart on RHEL7. It looks like the wsgi files are not given the correct file contexts.

RHEL7:

[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       webservices.wsgi

[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch

No problems on RHEL6:

[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>

[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi

[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1200722
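
Added example (not part of the original report or of Pulp's code): the Python below parses the AVC record quoted in the description and flags a target whose SELinux type differs from the one expected for its path. `parse_avc`, `label_mismatch` and `EXPECTED_TYPES` are hypothetical names, and the expected type is an assumption taken from the RHEL6 listing above.

```python
import re

# AVC record copied from the RHEL7 ausearch output in the description above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  '
    'pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" '
    'ino=1965416 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file'
)

# Assumption: the type shown in the RHEL6 listing is the one expected on RHEL7 too.
EXPECTED_TYPES = {"/srv/pulp/": "httpd_sys_content_t"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one type=AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; the level itself may contain ':'.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":", 3)
        if len(parts) >= 3:
            rec[side + "_type"] = parts[2]
    return rec


def label_mismatch(rec, expected=EXPECTED_TYPES):
    """Return (path, actual_type, expected_type) for a mislabeled target, else None."""
    path = rec.get("path", "")
    for prefix, want in expected.items():
        if path.startswith(prefix) and rec.get("tcontext_type") != want:
            return (path, rec.get("tcontext_type"), want)
    return None


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record["perms"], record["scontext_type"], "->", record["tcontext_type"])
    print(label_mismatch(record))
```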

Actions #1

Updated by bmbouter over 7 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter over 7 years ago

  • Platform Release changed from 2.6.0 to 2.6.1

Moving to 2.6.1 since any regression already would have existed in 2.5.0

Actions #5

Updated by dkliban@redhat.com over 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com
Actions #6

Updated by lzap@redhat.com over 7 years ago

  • Status changed from ASSIGNED to 7

Not a bug, my misconfiguration in my test environment.

Actions #7

Updated by mhrivnak over 7 years ago

  • Platform Release deleted (2.6.1)
Actions #8

Updated by dkliban@redhat.com over 7 years ago

  • Status changed from 7 to NEW
  • Platform Release set to 2.6.1

We should set the Requires and BuildRequires statements conditionally
for pulp-selinux and with a specified version. This is how foreman
does it [0]. See how they define and use selinux_policy_ver and
selinux_policycoreutils_ver variables.

In addition to that design, they had to revise it for this 7.0 vs 7.1
issue. See this revision they merged [1].

[0]:
https://www.omniref.com/github/theforeman/foreman-packaging/rubygem-ansi-1.4.3-2/files/foreman-selinux/foreman-selinux.spec#line=28

[1]:
https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/merge_requests/13/diffs

Actions #9

Updated by bmbouter over 7 years ago

  • Severity changed from Low to 1. Low
Actions #10

Updated by mhrivnak over 7 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes
Actions #11

Updated by cduryee over 7 years ago

  • Status changed from NEW to ASSIGNED

flipping issue to assigned per irc convo w/ dennis

Actions #12

Updated by dkliban@redhat.com over 7 years ago

  • Status changed from ASSIGNED to NEW
  • Assignee deleted (dkliban@redhat.com)
Actions #13

Updated by dkliban@redhat.com over 7 years ago

  • Platform Release changed from 2.6.1 to 2.6.2
Actions #14

Updated by dkliban@redhat.com over 7 years ago

  • Platform Release deleted (2.6.2)
Actions #15

Updated by bmbouter over 6 years ago

  • Parent task set to #1826
Actions #16

Updated by bmbouter over 6 years ago

  • Tags SELinux added
Actions #17

Updated by bmbouter over 6 years ago

  • Parent task deleted (#1826)
Actions #19

Updated by dkliban@redhat.com about 6 years ago

  • Status changed from NEW to CLOSED - WORKSFORME
Actions #20

Updated by bmbouter over 3 years ago

  • Tags Pulp 2 added
