Project: Satellite
Issue: SAT-19664

Selinux denials are reported after following "Chapter 13. Managing Custom File Type Content" chapter step by step


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • None
    • 6.13.1
    • Pulp
    • Moderate

      Description of problem:

      If a user of a new Satellite 6.11/6.12/6.13 installation follows the "Creating a Local Source for a Custom File Type Repository" section of the Content Management guide, everything works, but auditd logs cosmetic SELinux denials for read/open/ioctl actions on the target files.

      If someone has upgraded from Satellite 6.9 to 6.11/6.12/6.13, the same denials are not reproducible.

      Version-Release number of selected component (if applicable):

      Satellite 6.11 ( RHEL 7 and RHEL 8 )
      Satellite 6.12
      Satellite 6.13

      How reproducible:

      100%

      Steps to Reproduce and Actual Results:

      1. sestatus
        SELinux status: enabled
        SELinuxfs mount: /sys/fs/selinux
        SELinux root directory: /etc/selinux
        Loaded policy name: targeted
        Current mode: enforcing
        Mode from config file: enforcing
        Policy MLS status: enabled
        Policy deny_unknown status: allowed
        Memory protection checking: actual (secure)
        Max kernel policy version: 33
      2. semanage fcontext -l | grep pulp
        /etc/pulp/certs(/.*)? all files system_u:object_r:httpd_config_t:s0
        /etc/pulp/certs/database_fields.symmetric.key all files system_u:object_r:pulpcore_etc_t:s0
        /etc/pulp/certs/galaxy_signing_service.* all files system_u:object_r:pulpcore_etc_t:s0
        /etc/pulp/certs/token_private_key.pem all files system_u:object_r:pulpcore_etc_t:s0
        /etc/pulp/certs/token_public_key.pem all files system_u:object_r:pulpcore_etc_t:s0
        /etc/pulp/settings.py all files system_u:object_r:pulpcore_etc_t:s0
        /usr/libexec/pulpcore/.* regular file system_u:object_r:pulpcore_exec_t:s0
        /usr/libexec/pulpcore/gunicorn regular file system_u:object_r:pulpcore_server_exec_t:s0
        /usr/local/lib/pulp/bin/gunicorn regular file system_u:object_r:pulpcore_server_exec_t:s0
        /usr/local/lib/pulp/bin/pulpcore-worker regular file system_u:object_r:pulpcore_exec_t:s0
        /usr/local/lib/pulp/bin/rq regular file system_u:object_r:pulpcore_exec_t:s0
        /var/lib/pulp/(media|artifact)(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/.ansible(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/.cache(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/assets(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/devel(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/pulpcore_static(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
        /var/lib/pulp/sign-metadata.sh regular file system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/tmp(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/pulp/upload(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/lib/soe/software(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
        /var/log/galaxy_api_access.log all files system_u:object_r:pulpcore_log_t:s0
        /var/run/pulpcore-(api|content)\.sock all files system_u:object_r:pulpcore_server_var_run_t:s0
        /var/run/pulpcore-api(/.*)? all files system_u:object_r:pulpcore_server_var_run_t:s0
        /var/run/pulpcore-content(/.*)? all files system_u:object_r:pulpcore_server_var_run_t:s0
        /var/run/pulpcore.* all files system_u:object_r:pulpcore_var_run_t:s0
      3. rpm -q python39-pulp_manifest
        python39-pulp_manifest-3.0.0-3.el8pc.noarch
      4. mkdir -p /var/lib/pulp/local_repos/my_file_repo
      5. ls -ld /var/lib/pulp/local_repos/my_file_repo -Z
        drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Jul 14 07:44 /var/lib/pulp/local_repos/my_file_repo
      6. satellite-installer --foreman-proxy-content-pulpcore-additional-import-paths /var/lib/pulp/local_repos --foreman-proxy-content-pulpcore-additional-import-paths /var/lib/soe/software
        2023-07-14 07:52:22 [NOTICE] [root] Loading installer configuration. This will take some time.
        ...
        ...
        The full log is at /var/log/foreman-installer/satellite.log
        Package versions are being locked.
      7. cat /etc/pulp/settings.py | grep IMPORT
        ALLOWED_IMPORT_PATHS = ["/var/lib/pulp/sync_imports", "/var/lib/pulp/imports", "/var/lib/pulp/local_repos", "/var/lib/soe/software"]
      8. ls -ld /var/lib/pulp/local_repos/my_file_repo -Z
        drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Jul 14 07:44 /var/lib/pulp/local_repos/my_file_repo
      9. restorecon -RFv /var/lib/pulp/local_repos/my_file_repo
        Relabeled /var/lib/pulp/local_repos/my_file_repo from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:var_lib_t:s0
      10. ls -ld /var/lib/pulp/local_repos/my_file_repo -Z
        drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 6 Jul 14 07:44 /var/lib/pulp/local_repos/my_file_repo
      11. ls -ld /var/lib/pulp/local_repos -Z
        drwxrwx---. 3 pulp pulp system_u:object_r:var_lib_t:s0 26 Jul 14 07:44 /var/lib/pulp/local_repos
      12. touch /var/lib/pulp/local_repos/my_file_repo/test.txt
      13. pulp-manifest /var/lib/pulp/local_repos/my_file_repo
      14. ls /var/lib/pulp/local_repos/my_file_repo
        PULP_MANIFEST test.txt
      15. ls -ldZ /var/lib/pulp/local_repos /var/lib/pulp/local_repos/my_file_repo /var/lib/pulp/local_repos/my_file_repo/*
        drwxrwx---. 3 pulp pulp system_u:object_r:var_lib_t:s0 26 Jul 14 07:44 /var/lib/pulp/local_repos
        drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 43 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo
        -rw-r--r--. 1 root root unconfined_u:object_r:var_lib_t:s0 76 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST
        -rw-r--r--. 1 root root unconfined_u:object_r:var_lib_t:s0 0 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/test.txt
      16. restorecon -RFv /var/lib/pulp/local_repos
        Relabeled /var/lib/pulp/local_repos/my_file_repo/test.txt from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:var_lib_t:s0
        Relabeled /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:var_lib_t:s0
      17. hammer repository info --name Myfiles --product File --organization RedHat | grep -i -B3 URL
        Red Hat Repository: no
        Content Type: file
        Mirroring Policy: Content Only
        Url: file:///var/lib/pulp/local_repos/my_file_repo

      --> After syncing from UI:

      18. hammer repository info --name Myfiles --product File --organization RedHat | tail -10
        GPG Key:

        Sync:
        Status: Success
        Last Sync Date: 1 minute
        Created: 2023/07/14 11:58:55
        Updated: 2023/07/14 11:58:57
        Content Counts:
        Files: 1

      So, my SELinux was always in enforcing mode, and even though my sync was successful, I can see these denials:

      time->Fri Jul 14 08:00:18 2023
      type=PROCTITLE msg=audit(1689336018.528:4016): proctitle=2F7573722F62696E2F707974686F6E332E39002F7573722F62696E2F70756C70636F72652D776F726B6572
      type=SYSCALL msg=audit(1689336018.528:4016): arch=c000003e syscall=16 success=no exit=-25 a0=e a1=5401 a2=7f97c4ba9bf0 a3=1c3279463920e1 items=0 ppid=44797 pid=45287 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/bin/python3.9" subj=system_u:system_r:pulpcore_t:s0 key=(null)
      type=AVC msg=audit(1689336018.528:4016): avc: denied { ioctl } for pid=45287 comm="pulpcore-worker" path="/var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST" dev="dm-0" ino=46314752 ioctlcmd=0x5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1

      Now, NOTE that:

      • auditd reports the denial with "permissive=1" even though SELinux is in enforcing mode.
      • The denial occurs because pulpcore_t attempts ioctl access on a var_lib_t file, which the policy does not allow.
        # sesearch -A -s pulpcore_t -p ioctl | grep pulpcore | grep "var_lib"
        allow pulpcore_t pulpcore_server_var_lib_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
        allow pulpcore_t pulpcore_server_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
        allow pulpcore_t pulpcore_var_lib_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
        allow pulpcore_t pulpcore_var_lib_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };
        allow pulpcore_t pulpcore_var_lib_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink write };


        I would expect it to be var_lib_t only based on this default definition:

        /var/lib(/.*)? all files system_u:object_r:var_lib_t:s0
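        As an added example (not code from this report or from the Satellite/Pulp projects), the helper below parses the AVC record and the sesearch allow rules quoted above, reports whether the access was actually blocked, and lists the target labels on which pulpcore_t already holds the denied permission. In an AVC record, permissive=1 means the source domain is a permissive domain, so the access went through and was only logged, which is why these denials are cosmetic; the sample inputs are constructed from the output shown in this report.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in this report, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1689336018.528:4016): avc:  denied  { ioctl }  for  pid=45287 '
    'comm="pulpcore-worker" path="/var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST" '
    'dev="dm-0" ino=46314752 ioctlcmd=0x5401 scontext=system_u:system_r:pulpcore_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1')
# Constructed sample: two of the `sesearch -A -s pulpcore_t` rules quoted in this report.
SAMPLE_RULES = """
allow pulpcore_t pulpcore_var_lib_t:file { append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write };
allow pulpcore_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{\s*([^}]+?)\s*\}")

@dataclass
class Denial:
    perms: frozenset
    source_type: str  # type field of scontext, e.g. pulpcore_t
    target_type: str  # type field of tcontext, e.g. var_lib_t
    tclass: str
    path: str
    permissive: bool  # permissive=1: the source domain is permissive, access was only logged

def parse_avc(line):
    """Parse one AVC record; returns None for other record types (PROCTITLE, SYSCALL)."""
    if not (m := AVC_RE.search(line)):
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(perms=frozenset(m.group("perms").split()),
                  source_type=f["scontext"].split(":")[2],
                  target_type=f["tcontext"].split(":")[2],
                  tclass=f["tclass"], path=f.get("path", ""),
                  permissive=f.get("permissive") == "1")

def parse_allow_rules(text):
    """Map (source, target, class) -> permission set from `sesearch -A` output."""
    return {(s, t, c): set(p.split()) for s, t, c, p in ALLOW_RE.findall(text)}

def labels_that_allow(denial, rules):
    """Target types on which the source domain already holds every denied permission."""
    return sorted(t for (s, t, c), perms in rules.items()
                  if s == denial.source_type and c == denial.tclass and denial.perms <= perms)

def triage(denial, rules):  # was access blocked, and which labels would stop the denial?
    return {"blocked": not denial.permissive, "path": denial.path,
            "candidate_labels": labels_that_allow(denial, rules)}
```

Feeding it the full `ausearch -m AVC` output line by line (skipping the None results) gives, per denial, the labels that the semanage fcontext workaround below would have to choose from.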


        Now, to stop the denials, I would have to set up an additional SELinux file context, i.e.

        # semanage fcontext -a -t pulpcore_var_lib_t "/var/lib/pulp/local_repos(/.*)?"

        # restorecon -RFv /var/lib/pulp/local_repos
        Relabeled /var/lib/pulp/local_repos from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
        Relabeled /var/lib/pulp/local_repos/my_file_repo from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
        Relabeled /var/lib/pulp/local_repos/my_file_repo/test.txt from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
        Relabeled /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0

        # ls -ldZ /var/lib/pulp/local_repos /var/lib/pulp/local_repos/my_file_repo /var/lib/pulp/local_repos/my_file_repo/*
        drwxrwx---. 3 pulp pulp system_u:object_r:pulpcore_var_lib_t:s0 26 Jul 14 07:44 /var/lib/pulp/local_repos
        drwxr-xr-x. 2 root root system_u:object_r:pulpcore_var_lib_t:s0 43 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo
        -rw-r--r--. 1 root root system_u:object_r:pulpcore_var_lib_t:s0 76 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST
        -rw-r--r--. 1 root root system_u:object_r:pulpcore_var_lib_t:s0 0 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/test.txt

        And then no denials would be seen (whether cosmetic or not).


        For users upgrading from Satellite 6.9, an additional rule would be in place that a newly installed Satellite 6.10/11/12/13 would never have, i.e.

        /var/lib/pulp(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0

        Due to this, any files created in /var/lib/pulp/local_repos would have the httpd_sys_rw_content_t label, and since pulpcore_t is allowed to access httpd_sys_rw_content_t, no denials would be logged.

        # sesearch -A -s pulpcore_t -p ioctl | grep http
        allow pulpcore_t httpd_sys_rw_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
        allow pulpcore_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
        allow pulpcore_t httpd_sys_rw_content_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink write };

      Expected results:

      There is no global context set for "/var/lib/pulp(/.*)?" itself.

      If we expect any other custom-hosted content inside /var/lib/pulp to have the same context as "/var/lib/pulp/(media|artifact)(/.*)?", i.e.

      /var/lib/pulp/(media|artifact)(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0

      then add a rule for that.

      Otherwise, ensure that the following is also created on any new installation of Satellite 6.11/12/13, i.e.

      /var/lib/pulp(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0

      Additional info:

      I also tried the chapter "Creating a Remote File Type Repository", where we are instructed to expose the content over HTTP by placing the files inside "/var/www/html/pub/".

      For any files created inside /var/www/html/pub/, the context would be "httpd_sys_content_t".

      But as we saw above, pulpcore_t cannot access httpd_sys_content_t, although it can access httpd_sys_rw_content_t.

      So I assumed that when I sync the repo, it will give me similar denials, but it does not.

      Perhaps that is because we are accessing the file over HTTP, and hence the first process that accesses the file would be the webserver, i.e. foreman_rails_t, and if that is true then it is allowed to access/read/view/ioctl on both httpd_sys_content_t and httpd_sys_content_t.

      Anyway, this is just speculation, and perhaps the reason behind the absence of denials is something different.

            RH Bugzilla Integration (jira-bugzilla-migration)
            Sayan Das (rhn-support-saydas)
            Shweta Singh