This change fixes SELinux AVC denials that occur when upgrading pulpcore
from 3.73.15 to 3.85.1. The pulpcore-worker process now monitors the
/etc directory for configuration file changes using inotify.
The AVC denial was:
avc: denied { watch } for pid=... comm="pulpcore-worker" path="/etc"
scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0
Changes:
- Add etc_t type to require section
- Allow pulpcore_t domain to watch etc_t directories
This is a minimal and targeted fix that only grants the specific watch
permission needed for configuration file monitoring.
read_files_pattern(pulpcore_server_t, pulpcore_etc_t, pulpcore_etc_t)

# Allow pulpcore-worker to watch /etc directory for configuration changes
allow pulpcore_t etc_t:dir watch;
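Review bot: the new allow rule grants `watch` on `etc_t` to `pulpcore_t` only, but the review thread reports the same denial from pulpcore-content, which runs as `pulpcore_server_t`, so as written the content process stays denied; add the matching `allow pulpcore_server_t etc_t:dir watch;` (or an interface that covers both domains). The comment above the rule should also record the trigger identified in the thread, the aiodns/c-ares resolver monitoring that watches /etc for resolv.conf being replaced, since that is the reason the target has to be `etc_t` rather than the narrower `pulpcore_etc_t`.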
Shouldn't watching pulpcore_etc_t be sufficient? Or is it literally watching /etc? Can you link to the code change that introduced this?
We don't know what introduced this (still under investigation), but it's really all /etc.
Also, I managed to repro this in pulpcore-content too, so it needs pulpcore_server_t too
So after disabling permissive on pulpcore_t/pulpcore_server_t, I managed to repro this issue and get a useful error:
Oct 8 09:33:08 pipe-katello-server-nightly-centos9-stream pulpcore-worker-1[100288]: pulp [294f2a3b-71be-4740-a21b-7ed728eb485e]: aiodns:WARNING: Failed to create DNS resolver channel with automatic monitoring of resolver configuration changes. This usually means the system ran out of inotify watches. Falling back to socket state callback. Consider increasing the system inotify watch limit: Failed to initialize c-ares channel
We used aiodns 3.2.0 in 3.73 but bumped it to 3.5.0 for 3.85; as part of that (more precisely in 3.3.0), it gained the above c-ares/pycares thing (see aio-libs/aiodns#145), later enhanced to emit the above message in aio-libs/aiodns#151.
So this is a legit change and we should allow that.
So it monitors /etc in case /etc/resolv.conf is updated (recreated)? Guess we can't be any more specific than etc_t in that case.

(I'm running a last install pipeline with the packit build to verify, will merge then)
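The thread above settles on allowing `watch` on `etc_t` for both pulpcore domains. The following added example (not code from pulpcore or the pulpcore-selinux project) shows how a defender can check a proposed policy fragment against the raw audit records before rebuilding the module: it parses AVC denial lines, parses `allow` rules, and reports which denials a fragment still leaves uncovered. The audit lines are constructed: the first mirrors the denial quoted in the PR (with the `tclass=dir` field that a full audit record carries and the PR quote omits), the second is the pulpcore-content case described in the review, and the pid of the second line is made up. `POLICY_AFTER` is an assumed shape of the complete fix, not the merged change.

```python
"""Check SELinux AVC denials against candidate allow rules.

Added example for the pulpcore-selinux thread; not project code.
Audit lines and policy fragments below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# avc:  denied  { perm1 perm2 } for  key=value ...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# allow src tgt:cls perm;   or   allow src tgt:cls { p1 p2 };
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+'
    r'(?:\{\s*(?P<perms_set>[^}]+?)\s*\}|(?P<perm>\w+))\s*;'
)


@dataclass(frozen=True)
class Denial:
    source_type: str
    target_type: str
    tclass: str          # 'unknown' when the record omits tclass=
    perms: frozenset
    comm: str
    path: str


def _type_of(context):
    # user:role:type:level; the level may itself contain ':' so limit the split
    parts = context.split(':', 3)
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a Denial for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return Denial(
        source_type=_type_of(fields['scontext']),
        target_type=_type_of(fields['tcontext']),
        tclass=fields.get('tclass', 'unknown'),
        perms=frozenset(m.group('perms').split()),
        comm=fields.get('comm', ''),
        path=fields.get('path', fields.get('name', '')),
    )


def parse_rules(policy_text):
    """Extract (src, tgt, cls, perms) tuples from simple allow statements."""
    rules = []
    for line in policy_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue   # comments, require blocks, interface calls are ignored
        perms = m.group('perms_set')
        perm_set = frozenset(perms.split()) if perms else frozenset([m.group('perm')])
        rules.append((m.group('src'), m.group('tgt'), m.group('cls'), perm_set))
    return rules


def uncovered(denials, rules):
    """Denials for which no rule grants every requested permission.

    A denial whose tclass is unknown never matches, so it is flagged rather
    than silently assumed covered."""
    out = []
    for d in denials:
        granted = set()
        for src, tgt, cls, perms in rules:
            if (src, tgt, cls) == (d.source_type, d.target_type, d.tclass):
                granted |= perms
        if not d.perms <= granted:
            out.append(d)
    return out


# Constructed audit records (pid 100288 is the worker pid from the thread; 100301 is made up).
SAMPLE_AUDIT = """
type=AVC msg=audit(1759915988.123:4242): avc:  denied  { watch } for  pid=100288 comm="pulpcore-worker" path="/etc" dev="vda1" ino=131073 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1759915990.456:4243): avc:  denied  { watch } for  pid=100301 comm="pulpcore-content" path="/etc" dev="vda1" ino=131073 scontext=system_u:system_r:pulpcore_server_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1759915990.456:4243): arch=c000003e syscall=254 success=no exit=-13
"""

# The fragment as proposed in the PR: worker domain only.
POLICY_BEFORE = """
# Allow pulpcore-worker to watch /etc directory for configuration changes
allow pulpcore_t etc_t:dir watch;
"""

# Assumed complete fix: the content process (pulpcore_server_t) needs it too.
POLICY_AFTER = POLICY_BEFORE + """
# aiodns/c-ares watches /etc for resolv.conf replacement; pulpcore-content hits it as well
allow pulpcore_server_t etc_t:dir watch;
"""


def check(audit_text, policy_text):
    """Return (comm, source type, target type, class, perms) for uncovered denials."""
    denials = [d for d in map(parse_avc, audit_text.splitlines()) if d]
    return [(d.comm, d.source_type, d.target_type, d.tclass, sorted(d.perms))
            for d in uncovered(denials, parse_rules(policy_text))]


if __name__ == '__main__':
    for label, policy in (('before', POLICY_BEFORE), ('after', POLICY_AFTER)):
        print(label, check(SAMPLE_AUDIT, policy))
```

Run against `POLICY_BEFORE` the check reports the pulpcore-content denial as uncovered; against `POLICY_AFTER` it reports nothing. Feeding it the denial exactly as quoted in the PR (no `tclass=`) yields a Denial with class `unknown`, which is deliberately still flagged so a truncated log line cannot be mistaken for a covered one.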