-
Bug
-
Resolution: Unresolved
-
Normal
-
None
-
6.13.1
-
False
-
-
False
-
ASSIGNED
-
2,150
-
True
-
-
-
Moderate
Description of problem:
If an user of a new Satellite 6.11\6.12\6.13 follows the "Creating a Local Source for a Custom File Type Repository" section from Content Management guide, despite everything is working, auditd will log cosmetic selinux denials on read\open\ioctl actions on the target files.
If someone has upgraded from Satellite 6.9 to 6.11\6.12\6.13, then the same denials would not be reproducible.
Version-Release number of selected component (if applicable):
Satellite 6.11 ( RHEL 7 and RHEL 8 )
Satellite 6.12
Satellite 6.13
How reproducible:
100%
Steps to Reproduce and Actual Results:
- sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
- semanage fcontext -l | grep pulp
/etc/pulp/certs(/.*)? all files system_u:object_r:httpd_config_t:s0
/etc/pulp/certs/database_fields.symmetric.key all files system_u:object_r:pulpcore_etc_t:s0
/etc/pulp/certs/galaxy_signing_service.* all files system_u:object_r:pulpcore_etc_t:s0
/etc/pulp/certs/token_private_key.pem all files system_u:object_r:pulpcore_etc_t:s0
/etc/pulp/certs/token_public_key.pem all files system_u:object_r:pulpcore_etc_t:s0
/etc/pulp/settings.py all files system_u:object_r:pulpcore_etc_t:s0
/usr/libexec/pulpcore/.* regular file system_u:object_r:pulpcore_exec_t:s0
/usr/libexec/pulpcore/gunicorn regular file system_u:object_r:pulpcore_server_exec_t:s0
/usr/local/lib/pulp/bin/gunicorn regular file system_u:object_r:pulpcore_server_exec_t:s0
/usr/local/lib/pulp/bin/pulpcore-worker regular file system_u:object_r:pulpcore_exec_t:s0
/usr/local/lib/pulp/bin/rq regular file system_u:object_r:pulpcore_exec_t:s0
/var/lib/pulp/(media|artifact)(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/.ansible(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/.cache(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/assets(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/devel(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/pulpcore_static(/.*)? all files system_u:object_r:httpd_sys_content_t:s0
/var/lib/pulp/sign-metadata.sh regular file system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/tmp(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/pulp/upload(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/lib/soe/software(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
/var/log/galaxy_api_access.log all files system_u:object_r:pulpcore_log_t:s0
/var/run/pulpcore-(api|content)\.sock all files system_u:object_r:pulpcore_server_var_run_t:s0
/var/run/pulpcore-api(/.*)? all files system_u:object_r:pulpcore_server_var_run_t:s0
/var/run/pulpcore-content(/.*)? all files system_u:object_r:pulpcore_server_var_run_t:s0
/var/run/pulpcore.* all files system_u:object_r:pulpcore_var_run_t:s0
- rpm -q python39-pulp_manifest
python39-pulp_manifest-3.0.0-3.el8pc.noarch
- mkdir -p /var/lib/pulp/local_repos/my_file_repo
- ls -ld /var/lib/pulp/local_repos/my_file_repo -Z
drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Jul 14 07:44 /var/lib/pulp/local_repos/my_file_repo
- satellite-installer --foreman-proxy-content-pulpcore-additional-import-paths /var/lib/pulp/local_repos --foreman-proxy-content-pulpcore-additional-import-paths /var/lib/soe/software
2023-07-14 07:52:22 [NOTICE] [root] Loading installer configuration. This will take some time.
...
...
The full log is at /var/log/foreman-installer/satellite.log
Package versions are being locked.
- cat /etc/pulp/settings.py | grep IMPORT
ALLOWED_IMPORT_PATHS = ["/var/lib/pulp/sync_imports", "/var/lib/pulp/imports", "/var/lib/pulp/local_repos", "/var/lib/soe/software"]
- ls -ld /var/lib/pulp/local_repos/my_file_repo -Z
drwxr-xr-x. 2 root root unconfined_u:object_r:var_lib_t:s0 6 Jul 14 07:44 /var/lib/pulp/local_repos/my_file_repo
- restorecon -RFv /var/lib/pulp/local_repos/my_file_repo
Relabeled /var/lib/pulp/local_repos/my_file_repo from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:var_lib_t:s0
- ls -ld /var/lib/pulp/local_repos/my_file_repo -Z
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 6 Jul 14 07:44 /var/lib/pulp/local_repos/my_file_repo
- ls -ld /var/lib/pulp/local_repos -Z
drwxrwx---. 3 pulp pulp system_u:object_r:var_lib_t:s0 26 Jul 14 07:44 /var/lib/pulp/local_repos
- touch /var/lib/pulp/local_repos/my_file_repo/test.txt
- pulp-manifest /var/lib/pulp/local_repos/my_file_repo
- ls /var/lib/pulp/local_repos/my_file_repo
PULP_MANIFEST test.txt
- ls -ldZ /var/lib/pulp/local_repos /var/lib/pulp/local_repos/my_file_repo /var/lib/pulp/local_repos/my_file_repo/*
drwxrwx---. 3 pulp pulp system_u:object_r:var_lib_t:s0 26 Jul 14 07:44 /var/lib/pulp/local_repos
drwxr-xr-x. 2 root root system_u:object_r:var_lib_t:s0 43 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo
rw-rr-. 1 root root unconfined_u:object_r:var_lib_t:s0 76 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST
rw-rr-. 1 root root unconfined_u:object_r:var_lib_t:s0 0 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/test.txt
- restorecon -RFv /var/lib/pulp/local_repos
Relabeled /var/lib/pulp/local_repos/my_file_repo/test.txt from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST from unconfined_u:object_r:var_lib_t:s0 to system_u:object_r:var_lib_t:s0
- hammer repository info --name Myfiles --product File --organization RedHat | grep -i -B3 URL
Red Hat Repository: no
Content Type: file
Mirroring Policy: Content Only
Url: file:///var/lib/pulp/local_repos/my_file_repo
--> After syncing from UI:
- hammer repository info --name Myfiles --product File --organization RedHat | tail -10
GPG Key:
Sync:
Status: Success
Last Sync Date: 1 minute
Created: 2023/07/14 11:58:55
Updated: 2023/07/14 11:58:57
Content Counts:
Files: 1
So, My selinux was always in enforcing mode and even if my sync was successful, I can see these denials
time->Fri Jul 14 08:00:18 2023
type=PROCTITLE msg=audit(1689336018.528:4016): proctitle=2F7573722F62696E2F707974686F6E332E39002F7573722F62696E2F70756C70636F72652D776F726B6572
type=SYSCALL msg=audit(1689336018.528:4016): arch=c000003e syscall=16 success=no exit=-25 a0=e a1=5401 a2=7f97c4ba9bf0 a3=1c3279463920e1 items=0 ppid=44797 pid=45287 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/bin/python3.9" subj=system_u:system_r:pulpcore_t:s0 key=(null)
type=AVC msg=audit(1689336018.528:4016): avc: denied
for pid=45287 comm="pulpcore-worker" path="/var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST" dev="dm-0" ino=46314752 ioctlcmd=0x5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
Now, NOTE that,
- auditd reports the denial as "permissive=1" even though selinux is in enforcing mode.
- The denial happens as pulpcore_t trying to ioctl access on var_lib_t and that is not allowed.
- sesearch -A -s pulpcore_t -p ioctl | grep pulpcore | grep "var_lib"
allow pulpcore_t pulpcore_server_var_lib_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
allow pulpcore_t pulpcore_server_var_lib_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow pulpcore_t pulpcore_var_lib_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
{ append create execute execute_no_trans getattr ioctl link lock map open read rename setattr unlink write }
allow pulpcore_t pulpcore_var_lib_t:file;
{ append create getattr ioctl link lock read rename setattr unlink write };
allow pulpcore_t pulpcore_var_lib_t:lnk_file
I would expect it to be var_lib_t only based on this default definition:
/var/lib(/.*)? all files system_u:object_r:var_lib_t:s0
Now, To stop the denials, I would have to set up an additional selinux context i.e.
# semanage fcontext -a -t pulpcore_var_lib_t "/var/lib/pulp/local_repos(/.*)?"
# restorecon -RFv /var/lib/pulp/local_repos
Relabeled /var/lib/pulp/local_repos from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Relabeled /var/lib/pulp/local_repos/my_file_repo from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Relabeled /var/lib/pulp/local_repos/my_file_repo/test.txt from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
Relabeled /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST from system_u:object_r:var_lib_t:s0 to system_u:object_r:pulpcore_var_lib_t:s0
# ls -ldZ /var/lib/pulp/local_repos /var/lib/pulp/local_repos/my_file_repo /var/lib/pulp/local_repos/my_file_repo/*
drwxrwx---. 3 pulp pulp system_u:object_r:pulpcore_var_lib_t:s0 26 Jul 14 07:44 /var/lib/pulp/local_repos
drwxr-xr-x. 2 root root system_u:object_r:pulpcore_var_lib_t:s0 43 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo
rw-rr-. 1 root root system_u:object_r:pulpcore_var_lib_t:s0 76 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/PULP_MANIFEST
rw-rr-. 1 root root system_u:object_r:pulpcore_var_lib_t:s0 0 Jul 14 07:50 /var/lib/pulp/local_repos/my_file_repo/test.txt
And then no denials would be seen ( whether cosmetic or not ).
For users upgrading from Satellite 6.9, They would have an additional rule in place which a newly install Sat 6.10\11\12\13 would never have i.e.
/var/lib/pulp(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
Due to this, Any files created in /var/lib/pulp/local_repos would have httpd_sys_rw_content_t label and since pulpcore_t is allowed to access httpd_sys_rw_content_t, no denials would be logged.
# sesearch -A -s pulpcore_t -p ioctl | grep http
allow pulpcore_t httpd_sys_rw_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
allow pulpcore_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow pulpcore_t httpd_sys_rw_content_t:lnk_file { append create getattr ioctl link lock read rename setattr unlink write };
Expected results:
There is no global context set for "/var/lib/pulp(/.*)?" itself.
If we expect any other custom-hosted content inside /var/lib/pulp should have same context as "/var/lib/pulp/(media|artifact)(/.*)? " i.e.
/var/lib/pulp/(media|artifact)(/.*)? all files system_u:object_r:pulpcore_var_lib_t:s0
Then add a rule for the same.
Or else ensure that following is created on any new installations of Satellite 6.11\12\13 as well i.e.
/var/lib/pulp(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0
Additional info:
I also tried the chapter "Creating a Remote File Type Repository" where we are instructed to expose the context over HTTP by placing the files inside "/var/www/html/pub/".
For any files created inside /var/www/html/pub/, the context would be "httpd_sys_content_t"
But as we saw above pulpcore_t cannot access httpd_sys_content_t but it can httpd_sys_rw_content_t
So i assumed when i will sync the repo, It will give me similar denials but It does not.
Perhaps that is because we are accessing the file over HTTP and hence the first process that accesses the file would be the webserver i.e. foreman_rails_t and if that is true then it is allowed to access\read\view\ioctl on both httpd_sys_content_t and httpd_sys_content_t
Anyways, this is just a speculation but perhaps the reason behind no denials could be something different.
- is blocked by
-
-
- Closed
-
- external trackers
