Project

General

Profile

Actions

Bug #24589

closed

SELinux error for downloading files

Added by Nicolas CHARLES 9 months ago. Updated 9 months ago.

Status:
Released
Priority:
N/A
Category:
System integration
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
Yes

Description

At least on rhel related system, it's not possible to download files from the shared folders, with an SELinux error

ERROR rudder_relayd::api::shared_folder::handlers: Permission denied (os error 13)

Actions #1

Updated by Alexis Mousset 9 months ago

  • Subject changed from SElinux error for downloading files to SELinux error for downloading files
Actions #2

Updated by Nicolas CHARLES 9 months ago

audit.log says

type=SYSCALL msg=audit(1711355425.344:31295): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295
 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system
_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudde
r-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=PROCTITLE msg=audit(1711355425.344:31295): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711356024.886:31296): avc:  denied  { search } for  pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:sy
stem_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1711356024.886:31296): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03cfffe600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294
967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=
system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID
="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=CWD msg=audit(1711356024.886:31296): cwd="/" 
type=PATH msg=audit(1711356024.886:31296): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mo
de=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID
="rudder" 
type=PROCTITLE msg=audit(1711356024.886:31296): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711356624.862:31297): avc:  denied  { read } for  pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=sy
stem_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711356624.862:31297): avc:  denied  { open } for  pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/co
nf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissiv
e=1
type=SYSCALL msg=audit(1711356624.862:31297): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ec736600 a2=80000 a3=0 items=0 ppid=1 pid=622100 auid=4294
967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=
system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID
="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=PROCTITLE msg=audit(1711356624.862:31297): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711356624.862:31298): avc:  denied  { getattr } for  pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix
/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permis
sive=1
type=SYSCALL msg=audit(1711356624.862:31298): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295
 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system
_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudde
r-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=PROCTITLE msg=audit(1711356624.862:31298): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711356925.344:31299): avc:  denied  { search } for  pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:sy
stem_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1711356925.344:31299): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ecf3a600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=CWD msg=audit(1711356925.344:31299): cwd="/" 
type=PATH msg=audit(1711356925.344:31299): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mode=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="rudder" 
type=PROCTITLE msg=audit(1711356925.344:31299): proctitle="/opt/rudder/bin/rudder-relayd" 
type=SERVICE_START msg=audit(1711357383.470:31300): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset" 
type=SERVICE_STOP msg=audit(1711357383.470:31301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset" 
type=AVC msg=audit(1711357526.091:31302): avc:  denied  { read } for  pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711357526.091:31302): avc:  denied  { open } for  pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357526.091:31302): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ec535600 a2=80000 a3=0 items=0 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=PROCTITLE msg=audit(1711357526.091:31302): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711357526.092:31303): avc:  denied  { getattr } for  pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357526.092:31303): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=PROCTITLE msg=audit(1711357526.092:31303): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711357824.826:31304): avc:  denied  { search } for  pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1711357824.826:31304): avc:  denied  { read } for  pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711357824.826:31304): avc:  denied  { open } for  pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357824.826:31304): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ecb38600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=CWD msg=audit(1711357824.826:31304): cwd="/" 
type=PATH msg=audit(1711357824.826:31304): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mode=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="rudder" 
type=PROCTITLE msg=audit(1711357824.826:31304): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711357824.826:31305): avc:  denied  { getattr } for  pid=622100 comm="tokio-runtime-w" path="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1711357824.826:31305): arch=c000003e syscall=332 success=yes exit=0 a0=19 a1=55934ef5b83c a2=1000 a3=fff items=0 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=statx AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=PROCTITLE msg=audit(1711357824.826:31305): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711358424.737:31306): avc:  denied  { search } for  pid=622100 comm="tokio-runtime-w" name="shared-files" dev="dm-0" ino=8321775 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1711358424.737:31306): arch=c000003e syscall=257 success=yes exit=25 a0=ffffff9c a1=7f03ecf3a600 a2=80000 a3=0 items=1 ppid=1 pid=622100 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="tokio-runtime-w" exe="/opt/rudder/bin/rudder-relayd" subj=system_u:system_r:rudder_relayd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=openat AUID="unset" UID="rudder-relayd" GID="rudder" EUID="rudder-relayd" SUID="rudder-relayd" FSUID="rudder-relayd" EGID="rudder" SGID="rudder" FSGID="rudder" 
type=CWD msg=audit(1711358424.737:31306): cwd="/" 
type=PATH msg=audit(1711358424.737:31306): item=0 name="/var/rudder/configuration-repository/shared-files/zabbix/conf/zabbix_agentd.win.conf" inode=34565955 dev=fd:00 mode=0100644 ouid=0 ogid=994 rdev=00:00 obj=unconfined_u:object_r:public_content_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="rudder" 
type=PROCTITLE msg=audit(1711358424.737:31306): proctitle="/opt/rudder/bin/rudder-relayd" 
type=AVC msg=audit(1711359031.729:31307): avc:  denied  { read } for  pid=622100 comm="tokio-runtime-w" name="zabbix_agentd.win.conf" dev="dm-0" ino=34565955 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=unconfined_u:object_r:public_content_t:s0 tclass=file permissive=1

Actions #3

Updated by Nicolas CHARLES 9 months ago

  • Regression changed from No to Yes
Actions #4

Updated by Alexis Mousset 9 months ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #5

Updated by Alexis Mousset 9 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to Félix DALLIDET
  • Pull Request set to https://github.com/Normation/rudder/pull/5552
Actions #6

Updated by Alexis Mousset 9 months ago

  • Status changed from Pending technical review to Pending release
Actions #7

Updated by Vincent MEMBRÉ 9 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.0.7 which was released today.

Actions

Also available in: Atom PDF