Problem: SELinux denials are stopping `hammer repository export` from completing successfully. Specifically, there seems to be an issue with foreman_rails_t and celery_t.
Expected outcome: SELinux allows export
Foreman and Proxy versions: 2.1.0
Foreman and Proxy plugin versions:
foreman-tasks 2.0.2
katello 3.16.0.rc4
foreman-selinux.noarch 2.1.0-1.el7
Distribution and version: RHEL 7.8
Other relevant data:
Originally I ran:
mkdir "/repos/$(date +%Y-%m-%d)_228_sync"
chown foreman:foreman "/repos/$(date +%Y-%m-%d)_228_sync"
chmod ug=rwX "/repos/$(date +%Y-%m-%d)_228_sync"
chmod o=rX "/repos/$(date +%Y-%m-%d)_228_sync"
hammer settings set --name pulp_export_destination --value "/repos/$(date +%Y-%m-%d)_228_sync"
hammer repository export --iso-mb-size 22000 --id 228 --export-to-iso 1
Which led me to my first SELinux denial:
sealert -l fc296ef6-228b-4eb9-a76a-8b97134cd49f
Output:
SELinux is preventing diagnostic_con* from write access on the directory 2020-07-23_230_sync.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow diagnostic_con* to have write access on the 2020-07-23_230_sync directory
Then you need to change the label on 2020-07-23_230_sync
Do
# semanage fcontext -a -t FILE_TYPE '2020-07-23_230_sync'
where FILE_TYPE is one of the following: device_t, foreman_lib_t, foreman_var_run_t, init_var_run_t, passenger_tmp_t, syslogd_var_run_t, system_cronjob_tmp_t, tmp_t.
Then execute:
restorecon -v '2020-07-23_230_sync'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that diagnostic_con* should be allowed write access on the 2020-07-23_230_sync directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp
Additional Information:
Source Context system_u:system_r:foreman_rails_t:s0
Target Context unconfined_u:object_r:default_t:s0
Target Objects 2020-07-23_230_sync [ dir ]
Source diagnostic_con*
Source Path diagnostic_con*
Port <Unknown>
Host ***REDACTED***
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ***REDACTED***
Platform Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count 31
First Seen 2020-07-22 12:45:59 MDT
Last Seen 2020-07-23 09:22:15 MDT
Local ID fc296ef6-228b-4eb9-a76a-8b97134cd49f
Raw Audit Messages
type=AVC msg=audit(1595517735.766:29647): avc: denied { write } for pid=3756 comm="diagnostic_con*" name="2020-07-23_230_sync" dev="dm-0" ino=1342177960 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
Hash: diagnostic_con*,foreman_rails_t,default_t,dir,write
So I corrected that based on the sealert recommendation:
semanage fcontext -a -t foreman_var_run_t "/repos/$(date +%Y-%m-%d)_repo228_sync"
restorecon -v "/repos/$(date +%Y-%m-%d)_repo228_sync"
Running again it got a little further but kicked up this:
sealert -l 72c6dc54-ac77-450b-9eec-f4674e9cdcd6
Output:
SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from search access on the directory /var/lib/pulp.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that ruby should be allowed search access on the pulp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp
Additional Information:
Source Context system_u:system_r:foreman_rails_t:s0
Target Context system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects /var/lib/pulp [ dir ]
Source diagnostic_con*
Source Path /opt/rh/rh-ruby25/root/usr/bin/ruby
Port <Unknown>
Host ***REDACTED***
Source RPM Packages rh-ruby25-ruby-2.5.5-7.el7.x86_64
Target RPM Packages pulp-server-2.21.2-1.el7.noarch
Policy RPM selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ***REDACTED***
Platform Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count 3
First Seen 2020-07-22 13:11:21 MDT
Last Seen 2020-07-22 15:40:38 MDT
Local ID 72c6dc54-ac77-450b-9eec-f4674e9cdcd6
Raw Audit Messages
type=AVC msg=audit(1595454038.897:465): avc: denied { search } for pid=1734 comm="diagnostic_con*" name="pulp" dev="dm-4" ino=52028327 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1595454038.897:465): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fb8ec43dad0 a1=7fb8e76a6800 a2=7fb8e76a6800 a3=1 items=1 ppid=1 pid=1734 auid=4294967295 uid=985 gid=978 euid=985 suid=985 fsuid=985 egid=978 sgid=978 fsgid=978 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:foreman_rails_t:s0 key=(null)
type=CWD msg=audit(1595454038.897:465): cwd=/usr/share/foreman
Hash: diagnostic_con*,foreman_rails_t,httpd_sys_rw_content_t,dir,search
I noticed they both used a source of foreman_rails_t, so I used the same solution as before:
semanage fcontext -a -t foreman_var_run_t "/var/lib/pulp(/.*)?"
restorecon -R /var/lib/pulp
This, however, causes the next issue, with celery_t expecting this folder to have a context of httpd_sys_rw_content_t:
sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37
Output:
SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed getattr access on the 55acdc96-0af0-4236-a805-c5c36bd3694b file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp
Additional Information:
Source Context system_u:system_r:celery_t:s0
Target Context system_u:object_r:foreman_var_run_t:s0
Target Objects /var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b [ file ]
Source celery
Source Path /usr/bin/python2.7
Port <Unknown>
Host ***REDACTED***
Source RPM Packages python-2.7.5-88.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ***REDACTED***
Platform Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count 2032
First Seen 2020-07-22 14:54:48 MDT
Last Seen 2020-07-23 09:34:30 MDT
Local ID bda67965-d6ee-427c-915f-1c46a3cd9c37
Raw Audit Messages
type=AVC msg=audit(1595518470.773:29810): avc: denied { getattr } for pid=2962 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b" dev="dm-4" ino=1107519792 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1595518470.773:29810): arch=x86_64 syscall=stat success=no exit=EACCES a0=35e30c0 a1=7ffd7f4edf40 a2=7ffd7f4edf40 a3=b items=1 ppid=1823 pid=2962 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=celery exe=/usr/bin/python2.7 subj=system_u:system_r:celery_t:s0 key=(null)
type=CWD msg=audit(1595518470.773:29810): cwd=/run/pulp
type=PATH msg=audit(1595518470.773:29810): item=0 name=/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b inode=1107519792 dev=fd:04 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Hash: celery,celery_t,foreman_var_run_t,file,getattr
I have since undone the changes I made and decided to just turn off SELinux at the beginning of the script and turn it back on at the end.
Of note, I don't think foreman_rails_t has permission for httpd_sys_rw_content_t:
[root@***REDACTED*** repos]# sesearch -s foreman_rails_t --all | grep 'allow foreman_rails_t ht'
allow foreman_rails_t http_port_t : tcp_socket { name_bind name_connect } ;
allow foreman_rails_t http_cache_port_t : tcp_socket name_connect ;
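The three denials quoted in this post, read as a batch. This is an added example written for this page; it is not code from the original post, from Foreman or from Katello. It is a small POSIX shell script that extracts the (source domain, target type, class, permission) tuple from each raw AVC record, prints the tuples as allow rules in the syntax audit2allow emits so the access a local module would grant can be reviewed before `semodule -i`, and flags any denial whose target type is a type you yourself applied with `semanage fcontext`. Run on the records from the post, that last check shows the celery_t getattr denial is against foreman_var_run_t, the label applied to /var/lib/pulp two steps earlier, rather than a pre-existing policy gap. The sample records are copied from the post; the function names and the relabel check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, nor Foreman/Katello code):
# triage raw AVC records before changing any file contexts.

# Constructed sample input: the three raw AVC records quoted in the post.
SAMPLE_AVCS='type=AVC msg=audit(1595517735.766:29647): avc: denied { write } for pid=3756 comm="diagnostic_con*" name="2020-07-23_230_sync" dev="dm-0" ino=1342177960 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1595454038.897:465): avc: denied { search } for pid=1734 comm="diagnostic_con*" name="pulp" dev="dm-4" ino=52028327 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1595518470.773:29810): avc: denied { getattr } for pid=2962 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b" dev="dm-4" ino=1107519792 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0'

# avc_tuples: raw audit lines on stdin -> one "SRC_DOMAIN TGT_TYPE CLASS PERM"
# line per denied permission. Only the type field (third ':'-separated part)
# of each context is kept, which is all an allow rule needs.
avc_tuples() {
  awk '
    /avc: *denied/ {
      perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
      t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
      c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
      n = split(perms, pa, " ")
      for (i = 1; i <= n; i++) print sa[3], ta[3], c, pa[i]
    }'
}

# allow_rules: tuples on stdin -> one "allow SRC TGT:CLASS { perms };" line per
# (source, target, class), in the syntax audit2allow prints. Read these before
# installing a module: each line is a permanent grant to that domain.
allow_rules() {
  sort -u | awk '
    {
      key = $1 " " $2 ":" $3
      if (!(key in perms)) { order[++n] = key; perms[key] = $4 }
      else perms[key] = perms[key] " " $4
    }
    END { for (i = 1; i <= n; i++) print "allow " order[i] " { " perms[order[i]] " };" }'
}

# relabel_fallout TYPE: tuples on stdin -> only the denials whose target carries
# TYPE. Run it with the type you just applied via "semanage fcontext -a -t TYPE":
# a hit from a different domain means the relabel broke that domain, and the
# original label should be restored ("semanage fcontext -d", then restorecon).
relabel_fallout() {
  awk -v t="$1" '$2 == t'
}

# Demo on the sample. A default_t target (first record) means no fcontext rule
# matched the path at all, so a fcontext rule is the expected fix there; the
# other targets already carry policy-assigned types that other domains rely on.
printf '%s\n' "$SAMPLE_AVCS" | avc_tuples | allow_rules
printf '%s\n' "$SAMPLE_AVCS" | avc_tuples | relabel_fallout foreman_var_run_t
```

On a live system the same functions take `ausearch -m AVC -ts recent --raw` on stdin instead of the sample; `allow_rules` is only a review aid, the installable module still comes from `audit2allow -M` as the sealert output suggests.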