Issue #8993

open

SELinux: avc: denied pulpcore-worker on Fedora 34

Added by StephenW over 3 years ago. Updated over 3 years ago.

Status: NEW
Priority: Normal
Category: Installer - Moved to GitHub issues
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: SELinux
Sprint:
Quarter:

Description

Hello

I installed Pulp3 on Fedora 34 using "ansible-galaxy collection install pulp.pulp_installer"

At the end of the Ansible run:

TASK [pulp.pulp_installer.pulp_health_check : Checking Pulp services] msg: 'pulpcore-resource-manager.service state: stopped'

On the managed node, I see lots of avc: denied:

fedoraserver ~]# ausearch -m AVC,USER_AVC -ts recent

time->Tue Jun 29 15:59:06 2021
type=AVC msg=audit(1624975146.441:668194): avc: denied { name_connect } for pid=1129665 comm="pulpcore-worker" dest=6379 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0

fedoraserver ~]# sepolgen-ifgen
fedoraserver ~]# audit2allow -Ral

require {
	type init_t;
}

#============= init_t ==============
corenet_tcp_connect_postgresql_port(init_t)
corenet_tcp_connect_redis_port(init_t)

Thank you

Actions #1

Updated by dalley over 3 years ago

Here are a few more I saw the other day when vagrant-upping a CentOS 7 migration plugin testing box:

ok: [pulp2-nightly-pulp3-source-centos7] => {
    "selinux_analyze.stdout_lines": [
        "SELinux is preventing /usr/bin/mongod from read access on the file netstat.",
        "SELinux is preventing /usr/bin/python3.6 from search access on the directory /.",
        "SELinux is preventing /usr/bin/python3.6 from read access on the directory app.",
        "SELinux is preventing /usr/bin/python3.6 from getattr access on the directory /home/vagrant.",
        "SELinux is preventing /usr/bin/python3.6 from read access on the file __init__.cpython-36.pyc.",
        "SELinux is preventing /usr/bin/python3.6 from getattr access on the file /home/vagrant/devel/pulpcore/pulpcore/app/__init__.py.",
        "SELinux is preventing /usr/bin/python3.6 from ioctl access on the file /home/vagrant/devel/pulpcore/pulpcore.egg-info/entry_points.txt.",
        "SELinux is preventing /usr/bin/python3.6 from write access on the directory __pycache__.",
        "SELinux is preventing /usr/bin/python3.6 from remove_name access on the directory handler.cpython-36.pyc.140291204066680.",
        "SELinux is preventing /usr/bin/python3.6 from getattr access on the directory /home/vagrant/devel/pulpcore."
    ]
}

Actions #2

Updated by dalley over 3 years ago

More warnings that get printed when vagrant-upping on Fedora 34:

    "selinux_analyze.stdout_lines": [
        "SELinux is preventing gunicorn from search access on the directory vagrant.",
        "SELinux is preventing gunicorn from search access on the directory /.",
        "SELinux is preventing gunicorn from getattr access on the directory /home/vagrant/devel/pulpcore.",
        "SELinux is preventing gunicorn from read access on the directory models.",
        "SELinux is preventing gunicorn from open access on the directory /home/vagrant/devel/pulpcore/pulpcore/app/models.",
        "SELinux is preventing gunicorn from getattr access on the directory /home/vagrant.",
        "SELinux is preventing gunicorn from getattr access on the file /home/vagrant/devel/pulpcore/pulpcore/content/__init__.py.",
        "SELinux is preventing gunicorn from read access on the file __init__.cpython-39.pyc.",
        "SELinux is preventing gunicorn from open access on the file /home/vagrant/devel/pulp_file/pulp_file/app/__pycache__/__init__.cpython-39.pyc.",
        "SELinux is preventing gunicorn from ioctl access on the file /home/vagrant/devel/pulp_file/pulp_file/app/__pycache__/__init__.cpython-39.pyc.",
        "SELinux is preventing gunicorn from write access on the directory __pycache__.",
        "SELinux is preventing gunicorn from add_name access on the directory handler.cpython-39.pyc.139718123230096.",
        "SELinux is preventing gunicorn from create access on the file handler.cpython-39.pyc.139718123230096.",
        "SELinux is preventing gunicorn from write access on the file /home/vagrant/devel/pulpcore/pulpcore/content/__pycache__/handler.cpython-39.pyc.139718123230096.",
        "SELinux is preventing gunicorn from remove_name access on the directory handler.cpython-39.pyc.139718123230096.",
        "SELinux is preventing gunicorn from rename access on the file handler.cpython-39.pyc.139718123230096.",
        "SELinux is preventing gunicorn from unlink access on the file handler.cpython-39.pyc.",
        "SELinux is preventing pulpcore-worker from read access on the file comps.cpython-39.pyc.",
        "SELinux is preventing pulpcore-worker from open access on the file /home/vagrant/devel/pulp_rpm/pulp_rpm/app/__pycache__/comps.cpython-39.pyc.",
        "SELinux is preventing pulpcore-worker from ioctl access on the file /home/vagrant/devel/pulp_rpm/pulp_rpm/app/__pycache__/comps.cpython-39.pyc.",
        "SELinux is preventing pulpcore-worker from create access on the file pulpcore_worker.cpython-39.pyc.140079684106400.",
        "SELinux is preventing pulpcore-worker from write access on the file /home/vagrant/devel/pulpcore/pulpcore/tasking/__pycache__/pulpcore_worker.cpython-39.pyc.140079684106400.",
        "SELinux is preventing pulpcore-worker from rename access on the file pulpcore_worker.cpython-39.pyc.140079684106400.",
        "SELinux is preventing pulpcore-worker from unlink access on the file pulpcore_worker.cpython-39.pyc.",
        "SELinux is preventing pulpcore-worker from name_connect access on the tcp_socket port 5432.",
        "SELinux is preventing pulpcore-worker from add_name access on the directory 41457@pulp3-source-fedora33.localhost.example.com.",
        "SELinux is preventing pulpcore-worker from remove_name access on the directory 41145@pulp3-source-fedora33.localhost.example.com.",
        "SELinux is preventing pulpcore-worker from rmdir access on the directory 41145@pulp3-source-fedora33.localhost.example.com."
    ]
}

Actions #3

Updated by mdepaulo@redhat.com over 3 years ago

  • Assignee set to dkliban@redhat.com
  • Triaged changed from No to Yes

Actions #4

Updated by StephenW over 3 years ago

Hello

Same issue on CentOS 8:

time->Tue Aug 31 15:34:12 2021
type=PROCTITLE msg=audit(1630438452.610:131888): proctitle=2F7573722F6C6F63616C2F6C69622F70756C702F62696E2F707974686F6E33002F7573722F6C6F63616C2F6C69622F70756C702F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1630438452.610:131888): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=559d05749530 a2=10 a3=7fffc7974f58 items=0 ppid=1 pid=410901 auid=4294967295 uid=988 gid=984 euid=988 suid=988 fsuid=988 egid=984 sgid=984 fsgid=984 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1630438452.610:131888): avc: denied { name_connect } for pid=410901 comm="pulpcore-worker" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0

[root@centos8 ~]# sepolgen-ifgen
[root@centos8 ~]# audit2allow -Ral

require {
	type init_t;
}

#============= init_t ==============
corenet_tcp_connect_postgresql_port(init_t)
corenet_tcp_connect_redis_port(init_t)
[root@centos8 ~]#
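As an added example (not part of this issue or of the Pulp project), a small Python triage script for the AVC records quoted in the description and in comment #4. The sample input is constructed from those two records plus one invented file denial that uses an assumed confined domain name, pulpcore_t; the script flags that both pulpcore-worker denials have scontext init_t, i.e. the service never transitioned out of systemd's domain, which points at executable labeling rather than at the port rules that audit2allow proposes.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the two pulpcore-worker records quoted in this issue, plus one
# invented file denial from an assumed confined domain "pulpcore_t" as a non-init_t case.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1624975146.441:668194): avc: denied { name_connect } for pid=1129665 comm="pulpcore-worker" dest=6379 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1630438452.610:131888): avc: denied { name_connect } for pid=410901 comm="pulpcore-worker" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1630438460.000:131900): avc: denied { read open } for pid=4242 comm="gunicorn" name="__init__.py" scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Denial:
    perms: list[str]
    comm: str
    sdomain: str       # source type from scontext, e.g. init_t
    ttype: str         # target type from tcontext, e.g. redis_port_t
    tclass: str
    dest: str | None   # port number for tcp_socket denials

def parse_avc(line: str) -> Denial | None:
    """Parse one type=AVC audit record; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(m.group("perms").split(), f.get("comm", "?"),
                  f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
                  f.get("tclass", "?"), f.get("dest"))

def triage(audit_text: str) -> list[tuple[str, str]]:
    """Classify each denial. A source domain of init_t means the process never left
    systemd's own domain, so the executable's file label (not a missing port rule) is the
    root cause; the audit2allow output in this issue would instead widen init_t itself."""
    findings = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        if d.sdomain == "init_t":
            findings.append((d.comm, "no domain transition (init_t): fix executable labeling, do not widen init_t"))
        elif d.tclass == "tcp_socket" and "name_connect" in d.perms:
            findings.append((d.comm, f"{d.sdomain} needs name_connect to {d.ttype} (port {d.dest})"))
        else:
            findings.append((d.comm, f"{d.sdomain} denied {' '.join(d.perms)} on {d.ttype} ({d.tclass})"))
    return findings
```

Feed it the output of `ausearch -m AVC -ts recent` to get one finding per denial; any init_t finding is a labeling problem to fix before considering new port rules.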

Actions #5

Updated by mdepaulo@redhat.com over 3 years ago

  • Assignee changed from dkliban@redhat.com to mdepaulo@redhat.com