Uploaded image for project: 'Satellite'
  1. Satellite
  2. SAT-23019

pulpcore_t ( pulpcore-worker ) and pulpcore_server_t ( gunicorn ) should have a read-only level of access on httpd_sys_content_t .

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 6.13.1
    • Pulp
    • Moderate
    • No

      Description of problem:

      pulpcore_t ( pulpcore-worker ) and pulpcore_server_t ( gunicorn ) should have a read-only level of access on httpd_sys_content_t .

      Version-Release number of selected component (if applicable):

      Sat 6.10\6.11\6.12\6.13

      How reproducible:
      100%

      Steps to Reproduce:

      1. Install any of the affected version of satellite ( end-user is using 6.13 ) and selinux should be in enforcing mode

      2. Follow these steps on the satellite:

      1. mkdir -p /var/lib/soe/software/custom/9/x86_64/Packages
      2. cd /var/lib/soe/software/custom/9/x86_64/Packages
      3. mkdir a j p
      4. cd a; wget https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/a/ansible-7.2.0-1.el9.noarch.rpm; cd ..
      5. cd j; wget https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/j/jsonnet-0.20.0-1.el9.x86_64.rpm; cd ..
      6. cd p; wget https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/p/python3-beautifulsoup4-4.10.0-6.el9.noarch.rpm; cd ..
      7. cd /var/lib/soe/software/custom/9/x86_64/
      8. createrepo -v .
      1. semanage fcontext -a -t httpd_sys_content_t "/var/lib/soe/software(/.*)?"
      2. restorecon -RFv /var/lib/soe/software/
      1. satellite-installer --foreman-proxy-content-pulpcore-additional-import-paths /var/lib/soe/software

      3. Create a custom product and repo in satellite with baseURL set to file:///var/lib/soe/software/custom/9/x86_64/ , Download policy Immediate and Mirroring policy Complete_Mirroring.

      4. Sync the repo and notice both sync results and as well /var/log/audit/audit.log messages.

      Actual results:

      While selinux remains in enforcing mode:

      • Sync would be successful
      • auditd will log the following denials in the audit.log but will also append permissive=1 at the end of them for some reason [ i.e. making it not an actual denial of operations at all ].

      type=AVC msg=audit(1689144658.401:1292): avc: denied

      { getattr }

      for pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1689144658.402:1293): avc: denied

      { read }

      for pid=15352 comm="pulpcore-worker" name="repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1689144658.402:1293): avc: denied

      { open }

      for pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
      type=AVC msg=audit(1689144658.402:1294): avc: denied

      { ioctl }

      for pid=15352 comm="pulpcore-worker" path="/var/lib/soe/software/custom/9/x86_64/repodata/repomd.xml" dev="dm-0" ino=297905378 ioctlcmd=0x5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1

      ( This is same whether i test on RHEL 7 or RHEL 8 based satellite ).

      • Reason:

      pulpcore_t is not having the required access on httpd_sys_content_t

      1. sesearch -A -s pulpcore_t -p ioctl | grep http
        allow pulpcore_t httpd_sys_rw_content_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write }

        ;
        allow pulpcore_t httpd_sys_rw_content_t:file

        { append create getattr ioctl link lock open read rename setattr unlink write }

        ;
        allow pulpcore_t httpd_sys_rw_content_t:lnk_file

        { append create getattr ioctl link lock read rename setattr unlink write }

        ;

      Expected results:

      • No such denials
      • pulpcore_t ( and perhaps pulpcore_server_t ) should have the required read-only level access to httpd_sys_content_t context.

      Additional info:

      Changing the context of "/var/lib/soe/software(/.*)?" to either httpd_sys_rw_content_t or pulpcore_var_lib_t ( which is the context of /var/lib/pulp/media ), can solve the issue with denial as well. But the end-user claims, There is absolutely no reason for httpd_sys_content_t to show denial or to pulpcore_t to not have access on httpd_sys_content_t at all.

      By definition:

      httpd_sys_content_t

      Use this type for static web content, such as .html files used by a static website. Files labeled with this type are accessible (read only) to httpd and scripts executed by httpd. By default, files and directories labeled with this type cannot be written to or modified by httpd or other processes. Note that by default, files created in or copied into the /var/www/html/ directory are labeled with the httpd_sys_content_t type.

      httpd_sys_rw_content_t

      Files labeled with this type can be written to by scripts labeled with the httpd_sys_script_exec_t type, but cannot be modified by scripts labeled with any other type. You must use the httpd_sys_rw_content_t type to label files that will be read from and written to by scripts labeled with the httpd_sys_script_exec_t type.

            jira-bugzilla-migration RH Bugzilla Integration
            rhn-support-saydas Sayan Das
            RH Bugzilla Integration RH Bugzilla Integration
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: