RHEL-132748

rhc-worker-playbook can't invoke rhc-playbook-verifier


    • Type: Bug
    • Resolution: Unresolved
    • Component: selinux-policy

      When rhc-worker-playbook attempts to use rhc-playbook-verifier on RHEL 9, an error like this occurs:

      Play digest does not match its signature.
      ERROR rhc_playbook_lib.crypto:82 Failed to import key '/var/lib/rhc-playbook-verifier/files-7kmulqd8/key': <GPGCommandResult ok=False return_code=2 stdout= stderr=gpg: failed to create temporary file '/var/lib/rhc-playbook-verifier/gpg-hw0z9v0x/.#lk0x0000555878f7ea00.beech-rhel9-0.rhc.home.arpa.36334': Permission denied
      gpg: keyblock resource '/var/lib/rhc-playbook-verifier/gpg-hw0z9v0x/pubring.kbx': Permission denied
      gpg: can't open '/var/lib/rhc-playbook-verifier/files-7kmulqd8/key': Permission denied
      gpg: Total number processed: 0
      >
      ERROR rhc_playbook_lib.crypto:265 Signature verification of '/var/lib/rhc-playbook-verifier/files-7kmulqd8/digest' failed.
      ERROR rhc_playbook_lib:178 Play content failed to match its digest's signature: b"ordereddict([('name', 'revocation list'), ('timestamp', 1632510092), ('vars', ordereddict([('insights_signature_exclude', '/vars/insights_signature')])), ('revoked_playbooks', [ordereddict([('name', 'template_playbook_dispatcher_ostree_upgrade_payload.yml bb3cb30e'), ('hash', '8ddc7c9fb264aa24d7b3536ecf00272ca143c2ddb14a499cdefab045f3403e9b')]), ordereddict([('name', 'template_playbook_dispatcher_ostree_upgrade_payload.yml d6af8d54'), ('hash', '40a6e9af448208759bc4ef59b6c678227aae9b3f6291c74a4a8767eefc0a401f')])])])".
      CRITICAL rhc_playbook_verifier.app:138 Unhandled exception occurred, aborting.
      

      The error looks like this to an end user:

      This error only occurs when rhc-worker-playbook invokes rhc-playbook-verifier. If I execute rhc-playbook-verifier either as a normal user (cloud-user), or as root, the application behaves correctly.

      This issue is only present when SELinux is enforcing. If I execute setenforce 0, rhc-worker-playbook can call rhc-playbook-verifier.

      Possible work items for this bug:

      • Let rhc-playbook-verifier always use a /tmp/ directory, which avoids SELinux issues.
      • Drop or relax the SELinux policy on rhc-playbook-verifier.

      Note that playbook verification code was moved from insights-core to rhc-playbook-verifier partly to deal with the problematic situation where an unconfined rhc-worker-playbook cannot call a confined insights-core.
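The SELinux check used in the report (setenforce 0) is system-wide; before choosing between the two work items, the attached ausearch output is normally reduced to the denied (source domain, target type, object class) tuples, which show whether the problem is the verifier's file location or the policy itself. The following is an added example, not code from this report, from rhc-playbook-verifier or from selinux-policy: a small Python summarizer run over constructed AVC records; the type names hypothetical_worker_t and hypothetical_verifier_var_lib_t are placeholders, not real RHEL policy labels.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ausearch -m AVC` output (the real
# records are in the ausearch-*.txt attachments). The SELinux type names
# are hypothetical placeholders, not real RHEL policy labels; comm, paths
# and timestamp mirror the gpg error quoted in this report.
SAMPLE_AVC = """\
type=AVC msg=audit(1632510092.401:9001): avc:  denied  { write } for  pid=4211 comm="gpg" name="gpg-hw0z9v0x" dev="dm-0" ino=8841 scontext=system_u:system_r:hypothetical_worker_t:s0 tcontext=system_u:object_r:hypothetical_verifier_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1632510092.402:9002): avc:  denied  { read open } for  pid=4211 comm="gpg" path="/var/lib/rhc-playbook-verifier/files-7kmulqd8/key" dev="dm-0" ino=8850 scontext=system_u:system_r:hypothetical_worker_t:s0 tcontext=system_u:object_r:hypothetical_verifier_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1632510092.403:9003): avc:  denied  { read } for  pid=4211 comm="gpg" name="pubring.kbx" dev="dm-0" ino=8852 scontext=system_u:system_r:hypothetical_worker_t:s0 tcontext=system_u:object_r:hypothetical_verifier_var_lib_t:s0 tclass=file permissive=0
"""

# One AVC record per line: permissions, process name, source domain (3rd field
# of scontext), target type (3rd field of tcontext), class, permissive flag.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=[^:]+:[^:]+:(?P<sdom>[^:\s]+)\S*\s+'
    r'tcontext=[^:]+:[^:]+:(?P<ttype>[^:\s]+)\S*\s+'
    r'tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(text):
    """Return one dict per AVC denial found in ausearch-style text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PROCTITLE, separators ...)
        rec = m.groupdict()
        rec["perms"] = frozenset(rec["perms"].split())
        # permissive=1 means the access was logged but allowed; a missing
        # flag (older kernels) is treated as enforced.
        rec["permissive"] = rec["permissive"] == "1"
        records.append(rec)
    return records

def summarize(records):
    """Group enforced denials by (source domain, target type, class), unioning perms."""
    groups = defaultdict(set)
    for r in records:
        if not r["permissive"]:
            groups[(r["sdom"], r["ttype"], r["tclass"])] |= r["perms"]
    return {key: sorted(perms) for key, perms in groups.items()}

if __name__ == "__main__":
    for (sdom, ttype, tclass), perms in sorted(summarize(parse_avc(SAMPLE_AVC)).items()):
        print(f"{sdom} -> {ttype} ({tclass}): {' '.join(perms)}")
```

Feed it the real attachments with `parse_avc(open("ausearch-zpytela.txt").read())`; the resulting tuples are what a targeted policy change or a relocation of the verifier's working files would have to address.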

      Attachments:

        1. audit_log_ver.txt (10 kB)
        2. ausearch-mmalik.txt (13 kB)
        3. ausearch-varlibmodule.txt (37 kB)
        4. ausearch-zpytela.txt (13 kB)
        5. config-devel-repos.yml (3 kB)
        6. create-rem-test.json (0.3 kB)
        7. rem-execution-history.png (663 kB)
        8. verification-error.png (205 kB)
