Issue #748: Apache httpd getattr denial on RHEL7 after restart of Pulp - Pulp

Network maintenance. Planio will be observing two scheduled maintenance windows this Tuesday, March 2 and Wednesday, March 3 from 02:00 UTC until 06:00 UTC each in order to perform maintenance on access routers in our primary datacenter. Your account might observe short downtimes during these periods up to several minutes at a time.

Send by e-mail

Issue #748

Apache httpd getattr denial on RHEL7 after restart of Pulp

Added by lzap@redhat.com almost 6 years ago. Updated almost 2 years ago.

Status:

CLOSED - WORKSFORME

Priority:

High

Assignee:

Category:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

1. Low

Version:

Platform Release:

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2, SELinux

Sprint:

Quarter:

Description

We see denial during pulp restart on RHEL7. It looks like wsgi files are not given correct file contexts.

RHEL7:

[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc:  denied  { getattr } for  pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0       webservices.wsgi

[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch

No problems on RHEL6:

[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>

[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi

[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1200722

History

#1 Updated by bmbouter almost 6 years ago

Description updated (diff)

#2 Updated by bmbouter almost 6 years ago

Platform Release changed from 2.6.0 to 2.6.1

Moving to 2.6.1 since any regression already would have existed in 2.5.0

#5 Updated by dkliban@redhat.com almost 6 years ago

Status changed from NEW to ASSIGNED
Assignee set to dkliban@redhat.com

#6 Updated by lzap@redhat.com almost 6 years ago

Status changed from ASSIGNED to 7

Not a bug, my misconfiguration in my test environment.

#7 Updated by mhrivnak almost 6 years ago

Platform Release deleted (~~2.6.1~~)

#8 Updated by dkliban@redhat.com almost 6 years ago

Status changed from 7 to NEW
Platform Release set to 2.6.1

We should set the Requires and BuildRequires statements conditionally
for pulp-selinux and with a specified version. This is how foreman
does it [0]. See how they define and use selinux_policy_ver and
selinux_policycoreutils_ver variables.

In addition to that design, they had to revise it for this 7.0 vs 7.1
issue. See this revision they merged [1].

[0]:
https://www.omniref.com/github/theforeman/foreman-packaging/rubygem-ansi-1.4.3-2/files/foreman-selinux/foreman-selinux.spec#line=28

[1]:
https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/merge_requests/13/diffs