Issue #748
closed
Apache httpd getattr denial on RHEL7 after restart of Pulp
Description
We see a denial during pulp restart on RHEL7. It looks like wsgi files are not given correct file contexts.
RHEL7:
[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc: denied { getattr } for pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0 webservices.wsgi
[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch
No problems on RHEL6:
[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>
[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1200722
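An added example, not part of the original report or of Pulp's code: Python that parses the AVC denial quoted above and compares the `ll -Z` labels from the RHEL7 host against those from the RHEL6 host, listing each file whose SELinux type differs and marking the one the denial names. The function names are hypothetical, and the sample input is reconstructed from the output shown in the description.

```python
import os
import re

# Sample input reconstructed from the issue's own output (RHEL7 denial, both listings).
AVC_LINE = (
    'type=AVC msg=audit(1426039402.284:509): avc: denied { getattr } for pid=2616 '
    'comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'
)
WSGI_FILES = ["puppet_forge_post33_api.wsgi", "puppet_forge_pre33_api.wsgi",
              "repo_auth.wsgi", "webservices.wsgi"]

def listing(selinux_type):
    """Rebuild the `ll -Z` lines shown in the issue for one SELinux type."""
    return "\n".join(f"-rw-r--r--. root root system_u:object_r:{selinux_type}:s0 {name}"
                     for name in WSGI_FILES)

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other audit record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    rec["perms"] = m.group(1).split()
    for key in ("scontext", "tcontext"):
        rec[key + "_type"] = rec[key].split(":")[2]  # user:role:type:level
    return rec

def parse_ls_z(text):
    """Map file name -> SELinux type from `ls -Z` lines (mode owner group context name)."""
    labels = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[3].count(":") >= 3:
            labels[parts[4]] = parts[3].split(":")[2]
    return labels

def label_drift(avc, observed, reference):
    """Return (name, observed type, reference type, named_in_denial) for differing files."""
    denied_name = os.path.basename(avc["path"])
    return [(name, have, reference.get(name),
             name == denied_name and have == avc["tcontext_type"])
            for name, have in sorted(observed.items()) if have != reference.get(name)]

if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    rhel7, rhel6 = parse_ls_z(listing("var_t")), parse_ls_z(listing("httpd_sys_content_t"))
    for name, have, want, hit in label_drift(avc, rhel7, rhel6):
        note = "  <- denied " + ",".join(avc["perms"]) if hit else ""
        print(f"{name}: {have} (reference host: {want}){note}")
```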
Updated by bmbouter over 8 years ago
- Platform Release changed from 2.6.0 to 2.6.1
Moving to 2.6.1 since any regression already would have existed in 2.5.0
Updated by dkliban@redhat.com over 8 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to dkliban@redhat.com
Updated by lzap@redhat.com over 8 years ago
- Status changed from ASSIGNED to 7
Not a bug, my misconfiguration in my test environment.
Updated by dkliban@redhat.com over 8 years ago
- Status changed from 7 to NEW
- Platform Release set to 2.6.1
We should set the Requires and BuildRequires statements conditionally
for pulp-selinux and with a specified version. This is how foreman
does it [0]. See how they define and use selinux_policy_ver and
selinux_policycoreutils_ver variables.
In addition to that design, they had to revise it for this 7.0 vs 7.1
issue. See this revision they merged [1].
[1]: https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/merge_requests/13/diffs
Updated by mhrivnak over 8 years ago
- Priority changed from Normal to High
- Triaged changed from No to Yes
Updated by cduryee over 8 years ago
- Status changed from NEW to ASSIGNED
flipping issue to assigned per irc convo w/ dennis
Updated by dkliban@redhat.com over 8 years ago
- Status changed from ASSIGNED to NEW
- Assignee deleted (dkliban@redhat.com)
Updated by dkliban@redhat.com over 8 years ago
- Platform Release changed from 2.6.1 to 2.6.2
Updated by dkliban@redhat.com over 8 years ago
- Platform Release deleted (2.6.2)
Updated by dkliban@redhat.com about 7 years ago
- Status changed from NEW to CLOSED - WORKSFORME