- Bug
- Resolution: Duplicate
- Major
- None
- 6.15.0
- False
- Moderate
- None
- None
- None
- To Do
- Yes
Description of problem:
Getting the following SELinux AVC denied error when using NFS for /var/lib/pulp.
Additional Information:
Source Context                system_u:system_r:pulpcore_server_t:s0
Target Context                system_u:object_r:pulpcore_var_lib_t:s0
Target Objects                /var/lib/pulp [ filesystem ]
Source                        pulpcore-api
Source Path                   /usr/bin/python3.11
Port                          <Unknown>
Host                          my-satellite
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-139.el8_10.noarch
Local Policy RPM
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing <==================

Raw Audit Messages
type=AVC msg=audit(xxxxxxxxxx): avc: denied { getattr } for pid=xxxxx comm="pulpcore-api" name="/" dev="xxx" ino=xxxxxxxxx scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:pulpcore_var_lib_t:s0 tclass=filesystem permissive=1 <=========
Although an AVC denied has been reported, the audit log is showing "permissive=1" in SELinux Enforcing mode.
Nothing seems to be really blocked or causing failure of any Pulp functionality.
It is very similar to some SELinux bugs that we raised earlier, such as https://issues.redhat.com/browse/SAT-23121
How reproducible:
Easy
Is this issue a regression from an earlier version:
Not exactly sure; I only observe this issue in Satellite 6.15, but not in Satellite 6.14.
Steps to Reproduce:
1. Follow the Satellite documentation to set up NFS for /var/lib/pulp
2. Restart the pulp services using the systemctl command:
systemctl restart pulpcore*
Actual behavior:
The audit log shows the AVC denied errors above.
Expected behavior:
No AVC denied error.
Business Impact / Additional info:
None seen so far, as I explained above.
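
As an added example (not part of the original report and not Satellite or Pulp code), the Python below parses raw AVC records like the one quoted in the description and separates denials that were enforced from those logged with permissive=1, where the kernel records the denial but allows the access. The sample log lines are constructed, and the second record (example_t) is hypothetical, added only for contrast.

```python
import re
from collections import Counter

# Constructed sample records modelled on the AVC quoted in the report; the
# second AVC (example_t) is a hypothetical enforced denial added for contrast.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="pulpcore-api" name="/" dev="0:52" ino=2 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:pulpcore_var_lib_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=1300 comm="example" name="data" dev="dm-0" ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000001.456:457): arch=c000003e syscall=257 success=no exit=-13
'''

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # permissive=1: the kernel logged the denial but allowed the access.
    # Records lacking the field are treated as enforced (conservative assumption).
    rec["enforced"] = rec.get("permissive", "0") == "0"
    return rec


def triage(log_text):
    """Count denials by (source type, target type, class, permission, enforced)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm, rec["enforced"])] += 1
    return counts


if __name__ == "__main__":
    for (stype, ttype, tclass, perm, enforced), n in sorted(triage(SAMPLE_AUDIT_LOG).items()):
        state = "ENFORCED (access blocked)" if enforced else "logged only (permissive=1)"
        print(f"{n}x {stype} -> {ttype}:{tclass} {{ {perm} }}: {state}")
```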