- Bug
- Resolution: Done
- Blocker
- None
- None
- 5
- False
- pulpcore-selinux-2.2.0
- Satellite Rocket Sprint 7
- sat-rocket
- None
- None
- None
- None
Description of problem:
Pulpcore 3.85 upgrade introduced SELinux denials in the nightly pipeline:
[2025-10-06T23:44:36.458Z] not ok 1 centos9-stream install: ensure no SELinux denials
[2025-10-06T23:44:36.458Z] # (in test file fb-verify-selinux.bats, line 12)
[2025-10-06T23:44:36.458Z] # `[ "${status}" -eq 1 ]' failed
[2025-10-06T23:44:36.458Z] # $ [fb-verify-selinux.bats, line 9]
[2025-10-06T23:44:36.458Z] # $ tIsRedHatCompatible
[2025-10-06T23:44:36.458Z] # $$ [os_helper.bash, line 4]
[2025-10-06T23:44:36.458Z] # $$ [[ -f /etc/redhat-release ]]
[2025-10-06T23:44:36.458Z] # $ [fb-verify-selinux.bats, line 10]
[2025-10-06T23:44:36.458Z] # $ run ausearch --message AVC
[2025-10-06T23:44:36.458Z] # $ echo "$output"
[2025-10-06T23:44:36.458Z] # ----
[2025-10-06T23:44:36.458Z] # time->Mon Oct 6 22:58:55 2025
[2025-10-06T23:44:36.458Z] # type=PROCTITLE msg=audit(1759791535.686:4684): proctitle=2F7573722F62696E2F707974686F6E332E3132002D7350002F7573722F62696E2F70756C70636F72652D776F726B6572
[2025-10-06T23:44:36.458Z] # type=SYSCALL msg=audit(1759791535.686:4684): arch=c000003e syscall=254 success=yes exit=1 a0=11 a1=7f75deb416ae a2=1000182 a3=8 items=0 ppid=39999 pid=48246 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/bin/python3.12" subj=system_u:system_r:pulpcore_t:s0 key=(null)
[2025-10-06T23:44:36.458Z] # type=AVC msg=audit(1759791535.686:4684): avc: denied { watch } for pid=48246 comm="pulpcore-worker" path="/etc" dev="vda1" ino=524290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
[2025-10-06T23:44:36.458Z] # ----
[2025-10-06T23:44:36.458Z] # time->Mon Oct 6 23:02:10 2025
[2025-10-06T23:44:36.458Z] # type=PROCTITLE msg=audit(1759791730.764:4704): proctitle=2F7573722F62696E2F707974686F6E332E3132002D7350002F7573722F62696E2F70756C70636F72652D776F726B6572
[2025-10-06T23:44:36.458Z] # type=SYSCALL msg=audit(1759791730.764:4704): arch=c000003e syscall=254 success=yes exit=1 a0=11 a1=7f75deb416ae a2=1000182 a3=8 items=0 ppid=39999 pid=49968 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/bin/python3.12" subj=system_u:system_r:pulpcore_t:s0 key=(null)
[2025-10-06T23:44:36.458Z] # type=AVC msg=audit(1759791730.764:4704): avc: denied { watch } for pid=49968 comm="pulpcore-worker" path="/etc" dev="vda1" ino=524290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
[2025-10-06T23:44:36.458Z] # ----
[2025-10-06T23:44:36.458Z] # time->Mon Oct 6 23:18:32 2025
[2025-10-06T23:44:36.458Z] # type=PROCTITLE msg=audit(1759792712.468:5864): proctitle=2F7573722F62696E2F707974686F6E332E3132002D7350002F7573722F62696E2F70756C70636F72652D776F726B6572
[2025-10-06T23:44:36.458Z] # type=SYSCALL msg=audit(1759792712.468:5864): arch=c000003e syscall=254 success=yes exit=1 a0=11 a1=7f71d7f416ae a2=1000182 a3=8 items=0 ppid=64414 pid=64956 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm="pulpcore-worker" exe="/usr/bin/python3.12" subj=system_u:system_r:pulpcore_t:s0 key=(null)
[2025-10-06T23:44:36.458Z] # type=AVC msg=audit(1759792712.468:5864): avc: denied { watch } for pid=64956 comm="pulpcore-worker" path="/etc" dev="vda1" ino=524290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
[2025-10-06T23:44:36.458Z] # $ [ "${status}" -eq 1 ]
[2025-10-06T23:44:36.458Z]
[2025-10-06T23:44:36.458Z] Processing '/var/lib/jenkins/jobs/katello-nightly-rpm-pipeline/builds/2560/tap-master-files/artifacts/foreman-pipeline-katello-rpm-nightly/debug/n27-38-30.pool.ci.centos.org/tmp/debug-katello-nightly-centos9-stream-upgrade/pipe-up-katello-nightly-centos9-stream/root/bats_results_proxy_n-1_upgrade/fb-destroy-organization.bats.tap'
[2025-10-06T23:44:36.458Z] Parsing TAP test result [/var/lib/jenkins/jobs/katello-nightly-rpm-pipeline/builds/2560/tap-master-files/artifacts/foreman-pipeline-katello-rpm-nightly/debug/n27-38-30.pool.ci.centos.org/tmp/debug-katello-nightly-centos9-stream-upgrade/pipe-up-katello-nightly-centos9-stream/root/bats_results_proxy_n-1_upgrade/fb-destroy-organization.bats.tap].
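A triage helper for the denials quoted above, as an added example that is not part of the original report or of the Katello/pulpcore tooling: it extracts the AVC records from the CI output, decodes the hex `proctitle`, and collapses repeats into one entry per (source type, target type, class, permission, permissive). `SAMPLE` and `PROCTITLE` are copied from the log above with the other record types trimmed; the function names are illustrative.

```python
import re
from collections import Counter

# AVC records copied from the log above (CI prefix kept, other record types trimmed).
SAMPLE = """\
[2025-10-06T23:44:36.458Z] # type=AVC msg=audit(1759791535.686:4684): avc: denied { watch } for pid=48246 comm="pulpcore-worker" path="/etc" dev="vda1" ino=524290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
[2025-10-06T23:44:36.458Z] # type=AVC msg=audit(1759791730.764:4704): avc: denied { watch } for pid=49968 comm="pulpcore-worker" path="/etc" dev="vda1" ino=524290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
[2025-10-06T23:44:36.458Z] # type=AVC msg=audit(1759792712.468:5864): avc: denied { watch } for pid=64956 comm="pulpcore-worker" path="/etc" dev="vda1" ino=524290 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
"""
PROCTITLE = "2F7573722F62696E2F707974686F6E332E3132002D7350002F7573722F62696E2F70756C70636F72652D776F726B6572"

# Non-greedy match up to permissive=N so records run together on one line still split.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*?permissive=[01])')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(hex_str):
    """auditd hex-encodes the command line; arguments are NUL-separated."""
    return bytes.fromhex(hex_str).replace(b"\x00", b" ").decode("utf-8", "replace")

def parse_avcs(text):
    """Return one dict per AVC denial found in raw or CI-prefixed audit output."""
    denials = []
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        fields.update(serial=m["serial"], perms=m["perms"].split())
        denials.append(fields)
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, perm, permissive)."""
    counts = Counter()
    for d in denials:
        src = d["scontext"].split(":")[2]   # user:role:type:level -> type
        tgt = d["tcontext"].split(":")[2]
        for perm in d["perms"]:
            counts[(src, tgt, d["tclass"], perm, d["permissive"] == "1")] += 1
    return counts

if __name__ == "__main__":
    print("process:", decode_proctitle(PROCTITLE))
    for (src, tgt, cls, perm, permissive), n in summarize(parse_avcs(SAMPLE)).items():
        mode = "logged only" if permissive else "blocked"
        print(f"{src} -> {tgt}:{cls} {{ {perm} }} x{n} ({mode})")
```

On x86_64 (`arch=c000003e`), `syscall=254` is `inotify_add_watch`, which matches the `watch` permission on the `/etc` directory. `permissive=1` means the access was logged but not blocked, consistent with `success=yes` in the SYSCALL records.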