Issue #748
Updated by bmbouter about 9 years ago
We see an SELinux AVC denial for httpd when restarting Pulp on RHEL7. It looks like the wsgi files under /srv/pulp are not given the correct file context: on RHEL7 they are labeled var_t, while on RHEL6 with the corresponding pulp-selinux 2.6.0-0.7.beta.1 package they are labeled httpd_sys_content_t. The AVC record below shows httpd (scontext httpd_t) being denied getattr on /srv/pulp/webservices.wsgi (tcontext var_t).

RHEL7:
<pre>
[root@dell-per905-01 ~]# ausearch -m AVC
----
time->Tue Mar 10 22:03:22 2015
type=SYSCALL msg=audit(1426039402.284:509): arch=c000003e syscall=6 success=no exit=-13 a0=7f1c6c0d1478 a1=7fffc7451ac0 a2=7fffc7451ac0 a3=0 items=0 ppid=2534 pid=2616 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1426039402.284:509): avc: denied { getattr } for pid=2616 comm="httpd" path="/srv/pulp/webservices.wsgi" dev="dm-1" ino=1965416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

[root@dell-per905-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:var_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:var_t:s0 webservices.wsgi

[root@dell-per905-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el7sat.noarch

No problems on RHEL6:

[root@sgi-xe320-01 ~]# ausearch -m AVC
<no matches>

[root@sgi-xe320-01 ~]# ll /srv/pulp -Z
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_post33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 puppet_forge_pre33_api.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi

[root@sgi-xe320-01 ~]# rpm -qa | grep pulp-selinux
pulp-selinux-2.6.0-0.7.beta.1.el6_6sat.noarch
</pre>

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1200722