SELinux issues while running 'hammer repository export'

Problem: SELinux denials are stopping 'hammer repository export' from completing successfully. Specifically, there seems to be an issue with foreman_rails_t and celery_t.

Expected outcome: SELinux allows export

Foreman and Proxy versions: 2.1.0

Foreman and Proxy plugin versions:
foreman-tasks 2.0.2
katello 3.16.0.rc4
foreman-selinux.noarch 2.1.0-1.el7

Distribution and version: RHEL 7.8

Other relevant data:

Originally I ran:

mkdir "/repos/$(date +%Y-%m-%d)_228_sync"
chown foreman:foreman "/repos/$(date +%Y-%m-%d)_228_sync"
chmod ug=rwX "/repos/$(date +%Y-%m-%d)_228_sync"
chmod o=rX "/repos/$(date +%Y-%m-%d)_228_sync"
hammer settings set --name pulp_export_destination --value "/repos/$(date +%Y-%m-%d)_228_sync"
hammer repository export --iso-mb-size 22000 --id 228 --export-to-iso 1

Which led me to my first SELinux denial:

sealert -l fc296ef6-228b-4eb9-a76a-8b97134cd49f

Output:

SELinux is preventing diagnostic_con* from write access on the directory 2020-07-23_230_sync.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow diagnostic_con* to have write access on the 2020-07-23_230_sync directory
Then you need to change the label on 2020-07-23_230_sync
Do
# semanage fcontext -a -t FILE_TYPE '2020-07-23_230_sync'
where FILE_TYPE is one of the following: device_t, foreman_lib_t, foreman_var_run_t, init_var_run_t, passenger_tmp_t, syslogd_var_run_t, system_cronjob_tmp_t, tmp_t.
Then execute:
restorecon -v '2020-07-23_230_sync'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that diagnostic_con* should be allowed write access on the 2020-07-23_230_sync directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp


Additional Information:
Source Context                system_u:system_r:foreman_rails_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                2020-07-23_230_sync [ dir ]
Source                        diagnostic_con*
Source Path                   diagnostic_con*
Port                          <Unknown>
Host                          ***REDACTED***
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***REDACTED***
Platform                      Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count                   31
First Seen                    2020-07-22 12:45:59 MDT
Last Seen                     2020-07-23 09:22:15 MDT
Local ID                      fc296ef6-228b-4eb9-a76a-8b97134cd49f

Raw Audit Messages
type=AVC msg=audit(1595517735.766:29647): avc:  denied  { write } for  pid=3756 comm="diagnostic_con*" name="2020-07-23_230_sync" dev="dm-0" ino=1342177960 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1


Hash: diagnostic_con*,foreman_rails_t,default_t,dir,write

So I corrected that based on the sealert recommendation:

semanage fcontext -a -t foreman_var_run_t "/repos/$(date +%Y-%m-%d)_repo228_sync"
restorecon -v "/repos/$(date +%Y-%m-%d)_repo228_sync"

Running again it got a little further but kicked up this:

sealert -l 72c6dc54-ac77-450b-9eec-f4674e9cdcd6

Output:

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from search access on the directory /var/lib/pulp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ruby should be allowed search access on the pulp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp


Additional Information:
Source Context                system_u:system_r:foreman_rails_t:s0
Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                /var/lib/pulp [ dir ]
Source                        diagnostic_con*
Source Path                   /opt/rh/rh-ruby25/root/usr/bin/ruby
Port                          <Unknown>
Host                          ***REDACTED***
Source RPM Packages           rh-ruby25-ruby-2.5.5-7.el7.x86_64
Target RPM Packages           pulp-server-2.21.2-1.el7.noarch
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***REDACTED***
Platform                      Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count                   3
First Seen                    2020-07-22 13:11:21 MDT
Last Seen                     2020-07-22 15:40:38 MDT
Local ID                      72c6dc54-ac77-450b-9eec-f4674e9cdcd6

Raw Audit Messages
type=AVC msg=audit(1595454038.897:465): avc:  denied  { search } for  pid=1734 comm="diagnostic_con*" name="pulp" dev="dm-4" ino=52028327 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1595454038.897:465): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fb8ec43dad0 a1=7fb8e76a6800 a2=7fb8e76a6800 a3=1 items=1 ppid=1 pid=1734 auid=4294967295 uid=985 gid=978 euid=985 suid=985 fsuid=985 egid=978 sgid=978 fsgid=978 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:foreman_rails_t:s0 key=(null)

type=CWD msg=audit(1595454038.897:465): cwd=/usr/share/foreman

Hash: diagnostic_con*,foreman_rails_t,httpd_sys_rw_content_t,dir,search

I noticed they both used a source of foreman_rails_t so I used the same solution as before:

semanage fcontext -a -t foreman_var_run_t "/var/lib/pulp(/.*)?"
restorecon -R /var/lib/pulp

This however causes the next issue with celery_t expecting this folder to have a context of httpd_sys_rw_content_t:

sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37

Output:

SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed getattr access on the 55acdc96-0af0-4236-a805-c5c36bd3694b file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp


Additional Information:
Source Context                system_u:system_r:celery_t:s0
Target Context                system_u:object_r:foreman_var_run_t:s0
Target Objects                /var/lib/pulp/content/units/yum_repo_metadata_file
                              /72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40
                              601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd36
                              94b [ file ]
Source                        celery
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          ***REDACTED***
Source RPM Packages           python-2.7.5-88.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***REDACTED***
Platform                      Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count                   2032
First Seen                    2020-07-22 14:54:48 MDT
Last Seen                     2020-07-23 09:34:30 MDT
Local ID                      bda67965-d6ee-427c-915f-1c46a3cd9c37

Raw Audit Messages
type=AVC msg=audit(1595518470.773:29810): avc:  denied  { getattr } for  pid=2962 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b" dev="dm-4" ino=1107519792 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1595518470.773:29810): arch=x86_64 syscall=stat success=no exit=EACCES a0=35e30c0 a1=7ffd7f4edf40 a2=7ffd7f4edf40 a3=b items=1 ppid=1823 pid=2962 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=celery exe=/usr/bin/python2.7 subj=system_u:system_r:celery_t:s0 key=(null)

type=CWD msg=audit(1595518470.773:29810): cwd=/run/pulp

type=PATH msg=audit(1595518470.773:29810): item=0 name=/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b inode=1107519792 dev=fd:04 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: celery,celery_t,foreman_var_run_t,file,getattr

I have since undone the changes I made and decided to just turn off SELinux at the beginning of the script and turn it back on at the end.

Of note, I don't think foreman_rails_t has permission for httpd_sys_rw_content_t:

[root@***REDACTED*** repos]# sesearch -s foreman_rails_t --all | grep 'allow foreman_rails_t ht'
allow foreman_rails_t http_port_t : tcp_socket { name_bind name_connect } ;
allow foreman_rails_t http_cache_port_t : tcp_socket name_connect ;
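The pattern in this post is a relabel that satisfies one domain (foreman_rails_t) and starves another (celery_t). The following is an added example, not code from the thread or from Foreman/Katello: it parses AVC denial lines and a subset of sesearch output, and reports which domains would lose access if a path were relabelled to the type sealert's catchall plugin suggested. The sample inputs are constructed from lines quoted above; the foreman_rails_t rule on foreman_var_run_t is an assumption (sealert offered that type, but the thread never prints the rule).

```python
"""Check an SELinux relabel against existing allow rules before applying it."""
import re
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# sesearch prints either "{ a b c }" or a single bare permission.
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<many>[^}]+?)\s*\}|(?P<one>\S+))\s*;"
)

RuleKey = Tuple[str, str, str]   # (source type, target type, object class)
RuleSet = Dict[RuleKey, Set[str]]


class Denial(NamedTuple):
    source_type: str
    target_type: str
    tclass: str
    perms: FrozenSet[str]


def type_of(context: str) -> str:
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]


def parse_avc(line: str) -> Denial:
    """Extract source type, target type, class and denied permissions."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    return Denial(type_of(m["scon"]), type_of(m["tcon"]), m["tclass"],
                  frozenset(m["perms"].split()))


def parse_rules(text: str) -> RuleSet:
    """Turn 'allow src tgt : cls { perms } ;' lines into a lookup table."""
    rules: RuleSet = {}
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m is None:
            continue  # blank line or something other than an allow rule
        perms = (m["many"] or m["one"]).split()
        rules.setdefault((m["src"], m["tgt"], m["cls"]), set()).update(perms)
    return rules


def is_allowed(rules: RuleSet, d: Denial) -> bool:
    """True if every denied permission is covered by a loaded allow rule."""
    return d.perms <= rules.get((d.source_type, d.target_type, d.tclass), set())


def relabel_impact(rules: RuleSet, old_type: str, new_type: str) -> Dict[str, List[str]]:
    """Domains holding rules on old_type that have no matching rule on new_type.

    Returns {domain: ["class:perm", ...]} for every permission that would
    silently disappear after the relabel; an empty dict means no loaded
    rule is affected.
    """
    lost: Dict[str, List[str]] = {}
    for (src, tgt, cls), perms in rules.items():
        if tgt != old_type:
            continue
        kept = rules.get((src, new_type, cls), set())
        for p in sorted(perms - kept):
            lost.setdefault(src, []).append("%s:%s" % (cls, p))
    return lost


# Constructed sample: the three AVC lines quoted in the thread, fields abridged.
SAMPLE_AVCS = [
    'avc:  denied  { write } for  pid=3756 comm="diagnostic_con*" name="2020-07-23_230_sync" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1',
    'avc:  denied  { search } for  pid=1734 comm="diagnostic_con*" name="pulp" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0',
    'avc:  denied  { getattr } for  pid=2962 comm="celery" path="/var/lib/pulp/content/units/x" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0',
]

# Constructed subset of the sesearch output in the thread, plus one ASSUMED
# foreman_rails_t rule on foreman_var_run_t (the thread does not print it).
SAMPLE_RULES = """
allow celery_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock relabelto append unlink link rename open } ;
allow celery_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t var_t : dir write ;
allow foreman_rails_t http_port_t : tcp_socket { name_bind name_connect } ;
allow foreman_rails_t foreman_var_run_t : dir { read write getattr search add_name open } ;
"""


def explain(avc_line: str, rules: RuleSet) -> str:
    """One-line verdict for a denial against the loaded rules."""
    d = parse_avc(avc_line)
    verdict = "allowed" if is_allowed(rules, d) else "no rule"
    return "%s -> %s:%s %s [%s]" % (d.source_type, d.target_type, d.tclass,
                                    " ".join(sorted(d.perms)), verdict)


if __name__ == "__main__":
    loaded = parse_rules(SAMPLE_RULES)
    for avc in SAMPLE_AVCS:
        print(explain(avc, loaded))
    # The second workaround in the thread: relabel /var/lib/pulp away from
    # httpd_sys_rw_content_t. This shows what celery_t would lose.
    print(relabel_impact(loaded, "httpd_sys_rw_content_t", "foreman_var_run_t"))
```

On a real host, feed it `ausearch -m avc --raw` and `sesearch --allow` output instead of the constructed samples; the check is only as complete as the rules you load.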

Thank you for reporting this. We failed to update the katello-selinux package in this RC to the correct version. Once we get it there, I'll update this thread and the release announcement. That should resolve your issues.


Okay, sounds great!

katello-selinux-3.3.1 is now available in the 3.16 repos (technically it’s provided by the foreman repo…)

yum upgrade katello-selinux
foreman-maintain service restart

Let us know if that fixes the problem (or not)!

@Jonathon_Turel it doesn’t look like it worked for me. It seems like it’s an issue with celery_t and foreman_var_run_t. Please see relevant information below and let me know if you need any other logs or anything.

/var/log/messages output:

Jul 30 11:20:14 **REDACTED** setroubleshoot: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid. For complete SELinux messages run: sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37

Jul 30 11:20:14 **REDACTED** python: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed getattr access on the productid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'celery' --raw | audit2allow -M my-celery#012# semodule -i my-celery.pp#012

Jul 30 11:20:17 **REDACTED** setroubleshoot: failed to retrieve rpm info for /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid

Jul 30 11:20:17 **REDACTED** setroubleshoot: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid. For complete SELinux messages run: sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37

Jul 30 11:20:17 **REDACTED** python: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed getattr access on the productid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'celery' --raw | audit2allow -M my-celery#012# semodule -i my-celery.pp#012

sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37:

[root@**REDACTED** repos]# sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37
SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed getattr access on the productid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp


Additional Information:
Source Context                system_u:system_r:celery_t:s0
Target Context                system_u:object_r:foreman_var_run_t:s0
Target Objects                /var/lib/pulp/content/units/yum_repo_metadata_file
                              /db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f9
                              62b8615f4d8e64a0/productid [ file ]
Source                        celery
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          **REDACTED**
Source RPM Packages           python-2.7.5-88.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **REDACTED**
Platform                      Linux **REDACTED** 3.10.0-1127.18.2.el7.x86_64 #1 SMP
                              Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64
Alert Count                   3919
First Seen                    2020-07-22 14:54:48 MDT
Last Seen                     2020-07-30 11:20:13 MDT
Local ID                      bda67965-d6ee-427c-915f-1c46a3cd9c37

Raw Audit Messages
type=AVC msg=audit(1596129613.268:517): avc:  denied  { getattr } for  pid=3010 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid" dev="dm-4" ino=187263120 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1596129613.268:517): arch=x86_64 syscall=stat success=no exit=EACCES a0=309fda0 a1=7fffcf89ee80 a2=7fffcf89ee80 a3=9 items=1 ppid=1877 pid=3010 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=celery exe=/usr/bin/python2.7 subj=system_u:system_r:celery_t:s0 key=(null)

type=CWD msg=audit(1596129613.268:517): cwd=/run/pulp

type=PATH msg=audit(1596129613.268:517): item=0 name=/var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid inode=187263120 dev=fd:04 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: celery,celery_t,foreman_var_run_t,file,getattr

/var/log/messages output:

Jul 30 11:20:23 **REDACTED** setroubleshoot: failed to retrieve rpm info for /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid

Jul 30 11:20:23 **REDACTED** setroubleshoot: SELinux is preventing celery from read access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid. For complete SELinux messages run: sealert -l 81093daa-7c1a-4802-8be0-e42521a56e64

Jul 30 11:20:23 **REDACTED** python: SELinux is preventing celery from read access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that celery should be allowed read access on the productid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'celery' --raw | audit2allow -M my-celery#012# semodule -i my-celery.pp#012

sealert -l 81093daa-7c1a-4802-8be0-e42521a56e64:

[root@**REDACTED** repos]# sealert -l 81093daa-7c1a-4802-8be0-e42521a56e64
SELinux is preventing celery from read access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that celery should be allowed read access on the productid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp


Additional Information:
Source Context                system_u:system_r:celery_t:s0
Target Context                system_u:object_r:foreman_var_run_t:s0
Target Objects                /var/lib/pulp/content/units/yum_repo_metadata_file
                              /db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f9
                              62b8615f4d8e64a0/productid [ file ]
Source                        celery
Source Path                   celery
Port                          <Unknown>
Host                          **REDACTED**
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **REDACTED**
Platform                      Linux **REDACTED** 3.10.0-1127.18.2.el7.x86_64 #1 SMP
                              Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64
Alert Count                   113
First Seen                    2020-07-22 14:54:48 MDT
Last Seen                     2020-07-30 11:20:13 MDT
Local ID                      81093daa-7c1a-4802-8be0-e42521a56e64

Raw Audit Messages
type=AVC msg=audit(1596129613.268:518): avc:  denied  { read } for  pid=3010 comm="celery" name="productid" dev="dm-4" ino=187263120 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0


Hash: celery,celery_t,foreman_var_run_t,file,read

sesearch -s celery_t --all | grep 'allow celery_t':

[root@**REDACTED** repos]# sesearch -s celery_t --all | grep 'allow celery_t'
allow celery_t celery_t : sem { create destroy getattr setattr read write associate unix_read unix_write } ;
allow celery_t default_context_t : dir { ioctl read getattr lock search open } ;
allow celery_t rpm_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t base_ro_file_type : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock relabelto append unlink link rename open } ;
allow celery_t locale_t : lnk_file { read getattr } ;
allow celery_t pulp_var_run_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t cgroup_t : filesystem getattr ;
allow celery_t security_t : dir { ioctl read getattr lock search open } ;
allow celery_t celery_t : peer recv ;
allow celery_t debugfs_t : filesystem getattr ;
allow celery_t fs_t : filesystem getattr ;
allow celery_t tmpfs_t : dir { write getattr add_name remove_name search open } ;
allow celery_t celery_t : capability net_bind_service ;
allow celery_t node_t : tcp_socket node_bind ;
allow celery_t pulp_cert_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t celery_t : association sendto ;
allow celery_t bin_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t pulp_var_cache_t : file { ioctl read write create getattr setattr lock relabelfrom append map unlink link rename open } ;
allow celery_t var_t : dir { getattr search open } ;
allow celery_t celery_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
allow celery_t celery_t : dir { ioctl read getattr lock search open } ;
allow celery_t bin_t : dir { ioctl read getattr lock search open } ;
allow celery_t locale_t : file { ioctl read getattr lock map open } ;
allow celery_t pulp_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t tmp_t : lnk_file { read getattr } ;
allow celery_t pulp_var_cache_t : dir { ioctl read write create getattr setattr lock relabelfrom unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t port_type : tcp_socket { name_bind name_connect } ;
allow celery_t pulp_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t celery_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getcap setrlimit execmem } ;
allow celery_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow celery_t pulp_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t sysfs_t : dir { read getattr search open } ;
allow celery_t security_t : security check_context ;
allow celery_t gpg_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t proc_t : dir { getattr search open } ;
allow celery_t ldconfig_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t httpd_sys_rw_content_t : fifo_file { getattr unlink } ;
allow celery_t security_t : lnk_file { read getattr } ;
allow celery_t httpd_sys_content_t : lnk_file { read getattr } ;
allow celery_t security_t : file { ioctl read write getattr lock append map open } ;
allow celery_t pstore_t : filesystem getattr ;
allow celery_t tmpfs_t : file { ioctl read write create getattr map unlink link execute execute_no_trans open } ;
allow celery_t etc_t : dir { getattr search open } ;
allow celery_t pulp_var_cache_t : lnk_file { read create getattr relabelfrom unlink } ;
allow celery_t sysfs_t : filesystem getattr ;
allow celery_t cert_t : file { ioctl read getattr lock open } ;
allow celery_t celery_exec_t : file { ioctl read getattr lock map execute execute_no_trans entrypoint open } ;
allow celery_t urandom_device_t : chr_file { ioctl read getattr lock open } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t tmpfs_t : filesystem getattr ;
allow celery_t proc_net_t : file { ioctl read getattr lock open } ;
allow celery_t httpd_sys_rw_content_t : sock_file { getattr unlink } ;
allow celery_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow celery_t celery_t : fifo_file { ioctl read write getattr lock append open } ;
allow celery_t httpd_sys_rw_content_t : lnk_file { ioctl read write create getattr setattr lock relabelto append unlink link rename } ;
allow celery_t device_t : dir { getattr search open } ;
allow celery_t hugetlbfs_t : filesystem getattr ;
allow celery_t default_context_t : file { ioctl read getattr lock open } ;
allow celery_t net_conf_t : file { ioctl read getattr lock open } ;
allow celery_t shell_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t proc_net_t : dir { ioctl read getattr lock search open } ;
allow celery_t passwd_file_t : file { ioctl read getattr lock open } ;
allow celery_t locale_t : dir { ioctl read getattr lock search open } ;
allow celery_t etc_t : lnk_file { read getattr } ;
allow celery_t celery_t : file { ioctl read write getattr lock append open } ;
allow celery_t bin_t : lnk_file { read getattr } ;
allow celery_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t celery_t : key { view read write search link setattr create } ;
allow celery_t cert_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t cert_t : lnk_file { read getattr } ;
allow celery_t usr_t : dir { getattr search open } ;
allow celery_t pulp_cert_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t celery_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t device_t : filesystem getattr ;
allow celery_t selinux_config_t : dir { getattr search open } ;
allow celery_t usr_t : file map ;
allow celery_t devpts_t : filesystem getattr ;
allow celery_t celery_t : lnk_file { ioctl read getattr lock } ;
allow celery_t proc_net_t : lnk_file { read getattr } ;
allow celery_t celery_t : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ;
allow celery_t celery_t : unix_dgram_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t puppet_etc_t : file { ioctl read getattr lock open } ;
allow celery_t puppet_etc_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t puppet_etc_t : file { write create getattr setattr open } ;
allow celery_t tmp_t : sock_file { write create unlink link } ;
allow celery_t puppet_etc_t : dir { getattr search open } ;
allow celery_t puppet_etc_t : dir { ioctl read getattr lock search open } ;
allow celery_t puppet_etc_t : dir { getattr search open } ;
allow celery_t puppet_etc_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t puppet_etc_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t puppet_etc_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t puppet_etc_t : dir { read write create getattr setattr rename add_name remove_name reparent search rmdir open } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t var_t : dir write ;
allow celery_t bin_t : dir { getattr search open } ;
allow celery_t bin_t : dir { getattr search open } ;
allow celery_t bin_t : dir { getattr search open } ;
allow celery_t ssh_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t etc_t : dir { getattr search open } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto } ;
allow celery_t rsync_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t celery_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t puppet_etc_t : lnk_file { read create getattr unlink } ;
allow celery_t bin_t : lnk_file { read getattr } ;
allow celery_t celery_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;

Thanks for all of the details! I’m seeing a very different error in my own 3.16 environment. Filed an issue so we can take a look at this soon: Bug #30534: 'hammer repository export' broken in 3.16 - Katello - Foreman

To clarify, was this an upgrade from 3.15 or a fresh install onto 3.16?

@Justin_Sherrill it was an upgrade.

Hi @portarius,

We’re checking up on these selinux issues again. Were you able to resolve the problem? I haven’t been able to reproduce the problem on Katello 3.16.1.

@iballou, I honestly don’t know. Since troubleshooting and identifying the issue I just built in turning off and then back on selinux as a part of my scripts. I’ll look at it on Monday when I’m back in the office. Is there any particular testing methodology you’d like to see the results of or just do what I’ve been doing?

I’m mostly curious what Katello version you’re on now (is it the latest 3.16.1 or still RC?), and if you still get the error when selinux is turned on.

If you’re able to confirm that you still get the error, could I see your foreman-selinux, katello-selinux, pulp-selinux, and pulpcore-selinux versions?