pulp / pulpcore-selinux

A Pulp 3 SELinux policy
https://pulpproject.org
GNU General Public License v2.0

SELinux is preventing /usr/bin/python3.9 from name_connect access on the tcp_socket port 5432 #59

Closed tjmullicani closed 1 year ago

tjmullicani commented 1 year ago
SELinux is preventing /usr/bin/python3.9 from name_connect access on the tcp_socket port 5432.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.9 should be allowed name_connect access on the port 5432 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'pulpcore-worker' --raw | audit2allow -M my-pulpcoreworker
# semodule -X 300 -i my-pulpcoreworker.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:postgresql_port_t:s0
Target Objects                port 5432 [ tcp_socket ]
Source                        pulpcore-worker
Source Path                   /usr/bin/python3.9
Port                          5432
Host                          <Unknown>
Source RPM Packages           python39-3.9.13-1.module+el8.7.0+1064+ad564229.x86
                              _64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-108.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              4.18.0-425.3.1.el8.x86_64 #1 SMP Wed Nov 9
                              20:13:27 UTC 2022 x86_64 x86_64
Alert Count                   2456
First Seen                    2022-11-22 05:13:08 UTC
Last Seen                     2022-11-22 07:05:28 UTC
Local ID                      f19a0c49-d71f-4380-9c8f-9473a1f74df8

Raw Audit Messages
type=AVC msg=audit(1669100728.279:5601): avc:  denied  { name_connect } for  pid=33765 comm="pulpcore-worker" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0

type=SYSCALL msg=audit(1669100728.279:5601): arch=x86_64 syscall=connect success=no exit=EACCES a0=9 a1=558e4d7ba7a0 a2=10 a3=7ffd95d52bb8 items=0 ppid=1 pid=33765 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm=pulpcore-worker exe=/usr/bin/python3.9 subj=system_u:system_r:init_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID=unset UID=pulp GID=pulp EUID=pulp SUID=pulp FSUID=pulp EGID=pulp SGID=pulp FSGID=pulp

Hash: pulpcore-worker,init_t,postgresql_port_t,tcp_socket,name_connect
ekohl commented 1 year ago

How are you running things? It looks like it isn't using a properly labeled context. Note it's running as system_u:system_r:init_t:s0 but this should run with pulpcore_t or pulpcore_server_t.

Can you share how you installed pulpcore and how it's running things?

tjmullicani commented 1 year ago

This was my fault. I had manually upgraded some of the Pulp Pip packages and not restored the SELinux context. I have re-run the pulp_installer ansible playbook and resolved the issue.
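The denial in this issue is diagnosed from the source domain, not the target port: an AVC whose scontext is init_t points at lost file labels (fix by relabeling or reinstalling, not by an audit2allow module that would grant init_t access to the PostgreSQL port), while a denial from pulpcore_t or pulpcore_server_t would be a genuine policy gap worth reporting. The script below is an added example, not code from the pulpcore-selinux project; it classifies AVC records from stdin that way, using the record from this issue plus a constructed second record as sample input.

```shell
#!/usr/bin/env bash
# Added example (not part of pulpcore-selinux): sort pulpcore AVC denials into
# "mislabeled" (process not confined by the Pulp policy, e.g. init_t) versus
# "policy-gap" (process is in pulpcore_t/pulpcore_server_t, so the policy
# itself lacks the rule and the denial should be reported as a bug).
# Feed it e.g.: ausearch -m AVC --raw | classify_avc

# Constructed sample: line 1 is the record from this issue, line 2 is a
# made-up record from a correctly labeled worker.
SAMPLE_AVC='type=AVC msg=audit(1669100728.279:5601): avc:  denied  { name_connect } for  pid=33765 comm="pulpcore-worker" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1669100800.100:5602): avc:  denied  { name_connect } for  pid=33800 comm="pulpcore-worker" dest=5432 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# Extract the type (third field) from the scontext= triple of one AVC record.
avc_source_domain() {
  printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# For each AVC record on stdin whose comm is a pulpcore process, print
# "<pid> <source domain> <verdict>" on one line.
classify_avc() {
  local line pid domain verdict
  while IFS= read -r line; do
    case "$line" in *'type=AVC'*) ;; *) continue ;; esac
    case "$line" in *'comm="pulpcore'*) ;; *) continue ;; esac
    pid=$(printf '%s\n' "$line" | sed -n 's/.* pid=\([0-9]*\) .*/\1/p')
    domain=$(avc_source_domain "$line")
    case "$domain" in
      # Confined by the Pulp policy: the rule is missing, file a bug.
      pulpcore_t|pulpcore_server_t) verdict=policy-gap ;;
      # Anything else (init_t here) means the Pulp files lost their labels;
      # relabel/reinstall and restart the services, do not widen init_t.
      *) verdict=mislabeled ;;
    esac
    printf '%s %s %s\n' "$pid" "$domain" "$verdict"
  done
}

printf '%s\n' "$SAMPLE_AVC" | classify_avc
```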