The pulpcore-worker process is getting "avc: denied { read/view }" denials whenever any pulp-related actions are triggered.

Solution Verified - Updated -

Issue

  • The following SELinux denials are reported in syslog whenever any pulp or content-management related actions are performed on a Red Hat Satellite 6.11+ server:

    Jul 12 18:49:17 satellite /SetroubleshootPrivileged.py[1554380]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/pulpcore
    Jul 12 18:49:17 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from view access on the key labeled pulpcore_server_t. For complete SELinux messages run: sealert -l 70904b4d-cb40-43fb-b09b-e4b89dfd134f
    Jul 12 18:49:17 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from view access on the key labeled pulpcore_server_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that pulpcore-worker should be allowed view access on key labeled pulpcore_server_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'pulpcore-worker' --raw | audit2allow -M my-pulpcoreworker#012# semodule -X 300 -i my-pulpcoreworker.pp#012
    Jul 12 18:49:20 satellite /SetroubleshootPrivileged.py[1554380]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/pulpcore
    Jul 12 18:49:20 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t. For complete SELinux messages run: sealert -l 74a300db-00b4-4a13-b21c-ccbcc4dcb89f
    Jul 12 18:49:20 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that pulpcore-worker should be allowed read access on key labeled pulpcore_server_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'pulpcore-worker' --raw | audit2allow -M my-pulpcoreworker#012# semodule -X 300 -i my-pulpcoreworker.pp#012
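
For triage, the following added example (not part of the original article or of any Red Hat tooling) groups setroubleshoot syslog lines like those above by process, access, object class and target label, decoding the `#012` newline escapes along the way. The sample input is abridged from the excerpt above, and the function and variable names are assumptions made for this example.

```python
import re
from collections import defaultdict

# rsyslog writes control characters as '#' plus three octal digits (#012 = newline).
ESCAPE = re.compile(r"#([0-3][0-7]{2})")
# Summary sentence in the form shown in the log excerpt above.
DENIAL = re.compile(r"SELinux is preventing (?P<comm>\S+) from (?P<access>\S+) access "
                    r"on the (?P<tclass>\S+) labeled (?P<label>\w+)\.")
ALERT_ID = re.compile(r"sealert -l ([0-9a-f-]{36})")
PLUGIN = re.compile(r"Plugin (\w+) \(")

# Constructed sample: lines abridged from the excerpt above.
SAMPLE = """\
Jul 12 18:49:17 satellite /SetroubleshootPrivileged.py[1554380]: failed to retrieve rpm info for /var/lib/selinux/targeted/active/modules/400/pulpcore
Jul 12 18:49:17 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from view access on the key labeled pulpcore_server_t. For complete SELinux messages run: sealert -l 70904b4d-cb40-43fb-b09b-e4b89dfd134f
Jul 12 18:49:17 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from view access on the key labeled pulpcore_server_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012
Jul 12 18:49:20 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t. For complete SELinux messages run: sealert -l 74a300db-00b4-4a13-b21c-ccbcc4dcb89f
Jul 12 18:49:20 satellite setroubleshoot[1553627]: SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012
"""

def decode_escapes(line):
    """Turn rsyslog's #NNN octal escapes back into the original characters."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)

def summarize(log_text):
    """Group setroubleshoot messages by (process, access, class, target label)."""
    groups = defaultdict(lambda: {"alerts": set(), "plugins": set()})
    for raw in log_text.splitlines():
        if "setroubleshoot[" not in raw:
            continue  # also skips the SetroubleshootPrivileged.py helper lines
        line = decode_escapes(raw)
        m = DENIAL.search(line)
        if not m:
            continue
        entry = groups[(m["comm"], m["access"], m["tclass"], m["label"])]
        # Each denial is logged twice: a short line carrying the sealert ID and
        # a long line carrying the plugin analysis. Merge both into one entry.
        entry["alerts"].update(ALERT_ID.findall(line))
        entry["plugins"].update(PLUGIN.findall(line))
    return dict(groups)

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, sorted(info["alerts"]), sorted(info["plugins"]))
```
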
    

Environment

Red Hat Satellite

  • 6.11
  • 6.12
  • 6.13
