Katello/Pulpcore SELinux issues

Ohai,

while looking at katello-nightly-rpm-pipeline 1033 failed - #4 by evgeni I noticed that there are a few SELinux denials in the logs:

type=AVC msg=audit(1626392980.545:2750): avc:  denied  { create } for  pid=31039 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1626392980.545:2751): avc:  denied  { connect } for  pid=31039 comm="gunicorn" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:pulpcore_server_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1626392980.545:2751): avc:  denied  { sendto } for  pid=31039 comm="gunicorn" path="/run/systemd/notify" scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

and

type=AVC msg=audit(1626394111.747:3480): avc:  denied  { write } for  pid=8039 comm="pulpcore-worker" name="exports" dev="vda1" ino=6029750 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626394111.747:3480): avc:  denied  { add_name } for  pid=8039 comm="pulpcore-worker" name="Test_Organization" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626394111.747:3480): avc:  denied  { create } for  pid=8039 comm="pulpcore-worker" name="Test_Organization" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1626394111.748:3481): avc:  denied  { create } for  pid=8039 comm="pulpcore-worker" name="export-76a2de76-edaa-45dc-8fba-ccc2da4771e2-20210716_0008.tar.gz" scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1626394111.748:3481): avc:  denied  { write open } for  pid=8039 comm="pulpcore-worker" path="/var/lib/pulp/exports/Test_Organization/Test_CV/1.0/2021-07-16T00-08-31-00-00/export-76a2de76-edaa-45dc-8fba-ccc2da4771e2-20210716_0008.tar.gz" dev="vda1" ino=6411379 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1626394111.748:3482): avc:  denied  { getattr } for  pid=8039 comm="pulpcore-worker" path="/var/lib/pulp/exports/Test_Organization/Test_CV/1.0/2021-07-16T00-08-31-00-00/export-76a2de76-edaa-45dc-8fba-ccc2da4771e2-20210716_0008.tar.gz" dev="vda1" ino=6411379 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1626394111.748:3483): avc:  denied  { ioctl } for  pid=8039 comm="pulpcore-worker" path="/var/lib/pulp/exports/Test_Organization/Test_CV/1.0/2021-07-16T00-08-31-00-00/export-76a2de76-edaa-45dc-8fba-ccc2da4771e2-20210716_0008.tar.gz" dev="vda1" ino=6411379 ioctlcmd=5401 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1626394111.785:3484): avc:  denied  { read } for  pid=8039 comm="pulpcore-worker" name="export-76a2de76-edaa-45dc-8fba-ccc2da4771e2-20210716_0008.tar.gz" dev="vda1" ino=6411379 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1

The gunicorn ones are older, the pulpcore-worker ones are new since we added export tests to forklift.

I think the later ones would be fixed if we label /var/lib/pulp/exports properly (in katello-selinux, as that’s not a Pulp-default path, I think?) Or shall we start labeling /var/lib/pulp/(.*) in pulpcore-selinux now that we don’t need/have pulp-selinux anymore?

As it is the pulpcore_worker and the context pulpcore_t I would say labeling of /var/lib/pulp(/.*)? should go into pulpcore-selinux.

If a separate context for /var/lib/pulp/exports(/.*)? is needed to give access to Katello, I would say labelling should go into pulpcore-selinux and it should provide an interface definition to allow a domain access to it. And then in katello-selinux we would have a dependency on pulpcore-selinux so the interface can be used to generate the rules.

A bit of history, to keep context:

As we had to make Pulp2 and Pulp3 co-installable for the 2to3 migration, and the SELinux rules for Pulp2 already contained a broad /var/lib/pulp(/.*)? rule, we made the Pulp3 SELinux policy explicitly call out all the paths that are needed by a default Pulp3 installation (so specific subfolders of /var/lib/pulp: pulpcore-selinux/pulpcore.fc at 064442e829310e6bab95aa639343a8cfaf90f219 · pulp/pulpcore-selinux · GitHub).

Now that Pulp2 and Pulp3 don’t need to be co-installable anymore, we could be less strict and add that rule (and make the RPM conflict with pulp-selinux, just to be sure). I think this is the clenest way forward.

Pulp3 by default does not configure any export path, so if we wanted to add a rule for /var/lib/pulp/exports, it really would need to go into katello-selinux with all the added overhead that you describe.

Additionally, this would add another nail to the coffin where we actually want to be able to deploy the Pulp server on a different system than Foreman/Katello, which @ekohl won’t appreciate.

This would be my preference. However, I’m not sure if we actually clean up pulp-selinux. We’d at least need a Conflicts: on the RPM and something that removes the old one.

So to fixing it in pulpcore-selinux. However, I’m not sure we can safely cherry pick it to 4.1 (and certainly not 4.0). It may break in upgrades. So for stable branches perhaps it needs to go in katello-selinux.

I wonder how many users actually run the Pulp 2 cleanup in 4.0.

Not representative for sure, but I cleaned up at every customer and told colleagues to do so too. Most would have done so on their own to reduce disk usage.

I went ahead and opened a PR against pulpcore-selinux:
https://github.com/pulp/pulpcore-selinux/pull/36