Satellite / SAT-33154

AVC denials on /run/pulpcore-api.sock with Pulpcore 3.73


      On a new Katello dev box (and likely nightly too), Pulp is unreachable:

       

      time->Fri Apr 18 15:34:55 2025
      type=PROCTITLE msg=audit(1744990495.791:4470): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
      type=SYSCALL msg=audit(1744990495.791:4470): arch=c000003e syscall=42 success=no exit=-13 a0=14 a1=7f9188003580 a2=18 a3=7f91a4037bb0 items=0 ppid=39328 pid=39329 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
      type=AVC msg=audit(1744990495.791:4470): avc:  denied  { connectto } for  pid=39329 comm="httpd" path="/run/pulpcore-api.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
       

      I think this is blocking the nightly pipeline, since the errors I've seen are related to smart proxies not being able to reach Pulp.

       

      I'm not sure if the fix would be in pulpcore-selinux or foreman-selinux, so I'm leaving the Pulp component off for now.

              egolov@redhat.com Evgeni Golov
              iballou@redhat.com Ian Ballou
              Jameer Pathan Jameer Pathan
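
To read an event like the one quoted in this issue, the PROCTITLE, SYSCALL and AVC records can be decoded together. The script below is an added example, not part of the issue and not code from Pulp, Katello or Foreman; the names `fields` and `triage` and the one-entry syscall table are assumptions made for the example.

```python
import errno
import re

# The audit event from the report above, copied verbatim (one record per line).
EVENT = """\
type=PROCTITLE msg=audit(1744990495.791:4470): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1744990495.791:4470): arch=c000003e syscall=42 success=no exit=-13 a0=14 a1=7f9188003580 a2=18 a3=7f91a4037bb0 items=0 ppid=39328 pid=39329 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1744990495.791:4470): avc:  denied  { connectto } for  pid=39329 comm="httpd" path="/run/pulpcore-api.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Only the one syscall number this event needs; arch=c000003e is x86_64.
X86_64_SYSCALLS = {42: "connect"}


def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(record)}


def triage(event):
    """Summarise one event: who was denied what, against which peer domain."""
    recs = {fields(l)["type"]: l for l in event.splitlines() if l.strip()}
    avc, sc = fields(recs["AVC"]), fields(recs["SYSCALL"])
    # auditd hex-encodes proctitle because argv is NUL-separated.
    argv = bytes.fromhex(fields(recs["PROCTITLE"])["proctitle"]).decode().split("\0")
    target_type = avc["tcontext"].split(":")[2]
    return {
        "argv": argv,
        "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "errno": errno.errorcode[-int(sc["exit"])],
        "perms": re.search(r"\{ ([^}]*) \}", recs["AVC"]).group(1).split(),
        "source_type": avc["scontext"].split(":")[2],
        "target_type": target_type,
        "tclass": avc["tclass"],
        "path": avc["path"],
        "enforced": avc["permissive"] == "0",
        # For connectto on a unix_stream_socket the target context is that of
        # the listening process; unconfined_service_t is the targeted policy's
        # domain for init-started services with no domain of their own.
        "peer_has_own_domain": target_type != "unconfined_service_t",
    }


if __name__ == "__main__":
    for key, value in triage(EVENT).items():
        print(f"{key:20} {value}")
```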