
correctly label pulpcore-(api|content) binaries #71

Status: Merged (1 commit, Jan 12, 2024)
Conversation

@evgeni (Member) commented Jan 12, 2024

Since pulpcore 3.33 there are new binaries to start pulpcore services, but those binaries were not properly labeled with pulpcore_server_exec_t like their old counterpart gunicorn. Without that label, the services run as unconfined_service_t, which results in errors like httpd not being able to connect to them.

While at it, also properly label the pulpcore-worker binary in /usr/bin.

@evgeni (Member, Author) commented Jan 12, 2024

The denial I am seeing is btw:

time->Wed Jan 10 08:24:36 2024
type=PROCTITLE msg=audit(1704875076.749:5217): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1704875076.749:5217): arch=c000003e syscall=42 success=no exit=-13 a0=17 a1=7f6844045130 a2=18 a3=7f680c007060 items=0 ppid=57049 pid=57050 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1704875076.749:5217): avc:  denied  { connectto } for  pid=57050 comm="httpd" path="/run/pulpcore-api.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0

note that tcontext is unconfined_service_t which is wrong :)
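To make that symptom easy to spot in a larger audit log, here is an added Python example (not part of this PR or of the pulpcore-selinux project) that parses type=AVC records and flags denials whose target context is unconfined_service_t, i.e. a service that never transitioned into its confined domain because its executable lacks the *_exec_t label. The sample records are constructed from the three lines quoted above, with unneeded SYSCALL fields trimmed.

```python
import re
from typing import Optional

# Constructed sample: the records quoted in the PR comment above,
# with SYSCALL fields that this check does not need trimmed away.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1704875076.749:5217): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1704875076.749:5217): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1704875076.749:5217): avc:  denied  { connectto } for  pid=57050 comm="httpd" path="/run/pulpcore-api.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
"""

# Core fields of an AVC record: result, permission set, source/target context, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)
# Generic key=value (quoted or bare) for the remaining fields such as pid, comm, path.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[dict]:
    """Parse one type=AVC audit record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    for key, val in FIELD_RE.findall(line):
        rec.setdefault(key, val.strip('"'))
    return rec

def domain_type(context: str) -> str:
    """Return the type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def find_unconfined_targets(audit_text: str) -> list:
    """Return denials whose target runs as unconfined_service_t: the fingerprint of
    a service started from a binary that is missing its *_exec_t file label."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and domain_type(rec["tcontext"]) == "unconfined_service_t":
            hits.append({"source": domain_type(rec["scontext"]), "perms": rec["perms"],
                         "tclass": rec["tclass"], "path": rec.get("path")})
    return hits
```

A hit on a socket under /run names the service whose executable should be relabeled (restorecon after the policy fix), rather than the httpd side that merely reported the denial.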

@ekohl (Contributor) left a comment

Looking at theforeman/puppet-pulpcore@7e12c0f#diff-36f3fbc255f9dd485363f6d80f241bfbfc87d30b7e11e285f7e620cbcb6f6425 (both templates) it previously used /usr/libexec/pulpcore/gunicorn so this is correct.

since pulpcore 3.33 there are new binaries to start pulpcore services,
but those binaries were not properly labeled with pulpcore_server_exec_t
like their old counterpart gunicorn
without that label, the services run as unconfined_service_t, which
results in errors like httpd not being able to connect to them

while at it, also properly label the pulpcore-worker binary in /usr/bin
@mikedep333 mikedep333 merged commit e4062fa into main Jan 12, 2024
6 checks passed
@mikedep333 mikedep333 deleted the label-bin branch January 12, 2024 14:35