Actions
Bug #24589
closed
SELinux error for downloading files
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
Yes
Description
At least on rhel related system, it's not possible to download files from the shared folders, with an SELinux error
ERROR rudder_relayd::api::shared_folder::handlers: Permission denied (os error 13)
Updated by Alexis Mousset 8 months ago
- Subject changed from SElinux error for downloading files to SELinux error for downloading files
Updated by Nicolas CHARLES 8 months ago
audit.log says
type=SYSCALL msg=audit(1711355425.344:31295): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295
uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system
_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudde
r-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=PROCTITLE msg=audit(1711355425.344:31295): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711356024.886:31296): avc: denied { search } for pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:sy
stem_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1711356024.886:31296): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03cfffe600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294
967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=
system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID
="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=CWD msg=audit(1711356024.886:31296): cwd="/"
type=PATH msg=audit(1711356024.886:31296): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mo
de=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID
="rudder"
type=PROCTITLE msg=audit(1711356024.886:31296): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711356624.862:31297): avc: denied { read } for pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=sy
stem_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711356624.862:31297): avc: denied { open } for pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/co
nf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissiv
e=1
type=SYSCALL msg=audit(1711356624.862:31297): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ec736600 a2=80000 a3=0 items=0 ppid=1 pid=622100 auid=4294
967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=
system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID
="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=PROCTITLE msg=audit(1711356624.862:31297): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711356624.862:31298): avc: denied { getattr } for pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix
/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permis
sive=1
type=SYSCALL msg=audit(1711356624.862:31298): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295
uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system
_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudde
r-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=PROCTITLE msg=audit(1711356624.862:31298): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711356925.344:31299): avc: denied { search } for pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:sy
stem_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1711356925.344:31299): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ecf3a600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=CWD msg=audit(1711356925.344:31299): cwd="/"
type=PATH msg=audit(1711356925.344:31299): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mode=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="rudder"
type=PROCTITLE msg=audit(1711356925.344:31299): proctitle="/opt/rudder/bin/rudder-relayd"
type=SERVICE_START msg=audit(1711357383.470:31300): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1711357383.470:31301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=AVC msg=audit(1711357526.091:31302): avc: denied { read } for pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711357526.091:31302): avc: denied { open } for pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357526.091:31302): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ec535600 a2=80000 a3=0 items=0 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=PROCTITLE msg=audit(1711357526.091:31302): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711357526.092:31303): avc: denied { getattr } for pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357526.092:31303): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=PROCTITLE msg=audit(1711357526.092:31303): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711357824.826:31304): avc: denied { search } for pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1711357824.826:31304): avc: denied { read } for pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711357824.826:31304): avc: denied { open } for pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357824.826:31304): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ecb38600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=CWD msg=audit(1711357824.826:31304): cwd="/"
type=PATH msg=audit(1711357824.826:31304): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mode=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="rudder"
type=PROCTITLE msg=audit(1711357824.826:31304): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711357824.826:31305): avc: denied { getattr } for pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357824.826:31305): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=PROCTITLE msg=audit(1711357824.826:31305): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711358424.737:31306): avc: denied { search } for pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1711358424.737:31306): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ecf3a600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder"
type=CWD msg=audit(1711358424.737:31306): cwd="/"
type=PATH msg=audit(1711358424.737:31306): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mode=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="rudder"
type=PROCTITLE msg=audit(1711358424.737:31306): proctitle="/opt/rudder/bin/rudder-relayd"
type=AVC msg=audit(1711359031.729:31307): avc: denied { read } for pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
Updated by Alexis Mousset 8 months ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset 8 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Félix DALLIDET
- Pull Request set to https://github.com/Normation/rudder/pull/5552
Updated by Alexis Mousset 8 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|60b58c926395ed420eb5535e3da7372a5e81d7b8.
Updated by Vincent MEMBRÉ 8 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.0.7 which was released today.
Actions