Issue #748

Apache httpd getattr denial on RHEL7 after restart of Pulp

Added by lzap@redhat.com over 5 years ago. Updated over 1 year ago.

Status: CLOSED - WORKSFORME
Priority: High
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

We see a denial during Pulp restart on RHEL7. It looks like the wsgi files are not given the correct file contexts.

RHEL7:

[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       webservices.wsgi

[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch

No problems on RHEL6:

[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>

[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi

[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1200722
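
Added example, not part of the original issue or of Pulp: a small Python parser that reads the AVC record and the `ls -Z` listing quoted above and reports files whose SELinux type differs from the `httpd_sys_content_t` type shown on the RHEL6 host. The function names (`se_type`, `parse_avc`, `mislabeled`) are hypothetical; the input is copied from the RHEL7 output in the description.

```python
import re

# Input copied from the RHEL7 output in the issue above.
AVC = ('type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  '
       'pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" '
       'ino=1965416 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:var_t:s0 tclass=file')
LS_Z = """\
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       webservices.wsgi
"""
EXPECTED_TYPE = "httpd_sys_content_t"  # type shown on the RHEL6 host in the issue

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?path="(?P<path>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def se_type(context):
    """Third field of user:role:type[:level]; None if the context is malformed."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["source_type"] = se_type(rec["scontext"])
    rec["target_type"] = se_type(rec["tcontext"])
    return rec

def mislabeled(ls_z_output, expected_type):
    """Map file name -> actual type for `ls -Z` rows (mode user group context name,
    the layout shown in the issue) whose SELinux type differs from expected_type."""
    found = {}
    for row in ls_z_output.splitlines():
        cols = row.split(None, 4)
        if len(cols) == 5 and se_type(cols[3]) not in (None, expected_type):
            found[cols[4].strip()] = se_type(cols[3])
    return found

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["source_type"], rec["perms"], rec["target_type"], rec["path"])
    for name, actual in sorted(mislabeled(LS_Z, EXPECTED_TYPE).items()):
        print(f"{name}: {actual} (expected {EXPECTED_TYPE})")
```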

History

#1 Updated by bmbouter over 5 years ago

  • Description updated (diff)

#2 Updated by bmbouter over 5 years ago

  • Platform Release changed from 2.6.0 to 2.6.1

Moving to 2.6.1 since any regression already would have existed in 2.5.0

#5 Updated by dkliban@redhat.com over 5 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com

#6 Updated by lzap@redhat.com over 5 years ago

  • Status changed from ASSIGNED to 7

Not a bug, my misconfiguration in my test environment.

#7 Updated by mhrivnak over 5 years ago

  • Platform Release deleted (2.6.1)

#8 Updated by dkliban@redhat.com over 5 years ago

  • Status changed from 7 to NEW
  • Platform Release set to 2.6.1

We should set the Requires and BuildRequires statements conditionally
for pulp-selinux and with a specified version. This is how foreman
does it [0]. See how they define and use selinux_policy_ver and
selinux_policycoreutils_ver variables.

In addition to that design, they had to revise it for this 7.0 vs 7.1
issue. See this revision they merged [1].

[0]: https://www.omniref.com/github/theforeman/foreman-packaging/rubygem-ansi-1.4.3-2/files/foreman-selinux/foreman-selinux.spec#line=28

[1]: https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/merge_requests/13/diffs

#9 Updated by bmbouter over 5 years ago

  • Severity changed from Low to 1. Low

#10 Updated by mhrivnak over 5 years ago

  • Priority changed from Normal to High
  • Triaged changed from No to Yes

#11 Updated by cduryee over 5 years ago

  • Status changed from NEW to ASSIGNED

flipping issue to assigned per irc convo w/ dennis

#12 Updated by dkliban@redhat.com over 5 years ago

  • Status changed from ASSIGNED to NEW
  • Assignee deleted (dkliban@redhat.com)

#13 Updated by dkliban@redhat.com over 5 years ago

  • Platform Release changed from 2.6.1 to 2.6.2

#14 Updated by dkliban@redhat.com over 5 years ago

  • Platform Release deleted (2.6.2)

#15 Updated by bmbouter over 4 years ago

  • Parent task set to #1826

#16 Updated by bmbouter over 4 years ago

  • Tags SELinux added

#17 Updated by bmbouter over 4 years ago

  • Parent task deleted (#1826)

#19 Updated by dkliban@redhat.com about 4 years ago

  • Status changed from NEW to CLOSED - WORKSFORME

#20 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added
