Issue #1128
closed
permission denied with selinux enforcing when sync repo with a local feed
Description
I have a feeling like this bz is not new, and I saw this scenario before, not sure if I reported it earlier, I couldn't find it.
Verifying #995 on pulp 2.6.3 rhel6:
>> rpm -qa pulp-server
pulp-server-2.6.3-0.2.beta.el6.noarch
>> getenforce
Enforcing
1. Download and unzip anywhere https://pulp.plan.io/attachments/download/124/repo.tar.gz. There will be a directory zoo5.
2. Create an rpm repo with --feed=file:///path/to/zoo5
3. Sync this repo and see an error:
pulp-admin rpm repo sync run --repo-id zaika1
+----------------------------------------------------------------------+
Synchronizing Repository [zaika1]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[-]
... failed
[Errno 13] Permission denied: u'///tmp/zoo5/repodata/repomd.xml'
Task Failed
Importer indicated a failed response
4. Change selinux to permissive and sync again, everything is ok:
>> setenforce 0
>> getenforce
Permissive
>> pulp-admin rpm repo sync run --repo-id zaika1
+----------------------------------------------------------------------+
Synchronizing Repository [zaika1]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[-]
... completed
Downloading repository content...
[==================================================] 100%
RPMs: 0/0 items
Delta RPMs: 0/0 items
... completed
Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed
Importing errata...
[-]
... completed
Importing package groups/categories...
[-]
... completed
Task Succeeded
Copying files
[-]
... completed
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
8 of 8 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[==================================================] 100%
2 of 2 items
... completed
Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Publishing files to web
[-]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
Updated by bmbouter over 9 years ago
@igulina, can you paste the denial line from audit.log showing the selinux denial please?
Updated by igulina@redhat.com over 9 years ago
- Subject changed from permission denied with selinux enforcing when sync repo to permission denied with selinux enforcing when sync repo with a local feed
- Version set to 2.6.3
Updated by igulina@redhat.com over 9 years ago
>> ausearch -m avc
time->Thu Jul 9 18:19:28 2015
type=SYSCALL msg=audit(1436480368.933:2950885): arch=c000003e syscall=5 success=yes exit=0 a0=1f a1=7fffd33ce0d0 a2=7fffd33ce0d0 a3=0 items=0 ppid=7145 pid=7223 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=20998 comm="python" exe=2F7573722F62696E2F707974686F6E202864656C6574656429 subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436480368.933:2950885): avc: denied { getattr } for pid=7223 comm="python" path="/var/lib/pulp/zoo5/repodata/repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Thu Jul 9 18:19:28 2015
type=SYSCALL msg=audit(1436480368.934:2950886): arch=c000003e syscall=5 success=yes exit=0 a0=1f a1=7fffd33ce190 a2=7fffd33ce190 a3=100028 items=0 ppid=7145 pid=7223 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=20998 comm="python" exe=2F7573722F62696E2F707974686F6E202864656C6574656429 subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436480368.934:2950886): avc: denied { getattr } for pid=7223 comm="python" path="/var/lib/pulp/zoo5/repodata/repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Thu Jul 9 18:19:28 2015
type=SYSCALL msg=audit(1436480368.946:2950887): arch=c000003e syscall=2 success=yes exit=31 a0=2022fb0 a1=0 a2=1b6 a3=0 items=0 ppid=7145 pid=7223 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=20998 comm="python" exe=2F7573722F62696E2F707974686F6E202864656C6574656429 subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436480368.946:2950887): avc: denied { open } for pid=7223 comm="python" name="06661e2a9839cf0beebcf409410ca4f93c09081f4e772fd0d03e1faf62705a11-comps.xml" dev=xvda1 ino=3803607 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1436480368.946:2950887): avc: denied { read } for pid=7223 comm="python" name="06661e2a9839cf0beebcf409410ca4f93c09081f4e772fd0d03e1faf62705a11-comps.xml" dev=xvda1 ino=3803607 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Thu Jul 9 18:56:58 2015
type=SYSCALL msg=audit(1436482618.757:2951026): arch=c000003e syscall=5 success=yes exit=0 a0=1f a1=7fffd33ce0d0 a2=7fffd33ce0d0 a3=0 items=0 ppid=7145 pid=7223 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=20998 comm="python" exe=2F7573722F62696E2F707974686F6E202864656C6574656429 subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436482618.757:2951026): avc: denied { getattr } for pid=7223 comm="python" path="/var/lib/pulp/zoo5/repodata/repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
time->Thu Jul 9 18:56:58 2015
type=SYSCALL msg=audit(1436482618.757:2951025): arch=c000003e syscall=2 success=yes exit=31 a0=260c3a0 a1=0 a2=1b6 a3=0 items=0 ppid=7145 pid=7223 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=20998 comm="python" exe=2F7573722F62696E2F707974686F6E202864656C6574656429 subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436482618.757:2951025): avc: denied { open } for pid=7223 comm="python" name="repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1436482618.757:2951025): avc: denied { read } for pid=7223 comm="python" name="repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Updated by bmbouter over 9 years ago
Thanks for the logs. This is a documentation bug because we lack the documentation to explain to the user what file contexts files in a local feed need to have. The files in this example carry: "unconfined_u:object_r:admin_home_t:s0" but Pulp can't read that context (by design). Instead the files should be relabeled to one of the following contexts:
I think the best one would be "unconfined_u:object_r:httpd_sys_content_t:s0".
If that doesn't work then it should be: "unconfined_u:object_r:httpd_sys_rw_content_t:s0".
If it's in /tmp/ then I expect it to use: "unconfined_u:object_r:pulp_tmp_t:s0".
We should write docs about the expected selinux contexts for local feeds to resolve this bug.
Updated by igulina@redhat.com over 9 years ago
bmbouter, I tried to unzip this tar to different directories:
[Errno 13] Permission denied: u'///var/lib/pulp/zoo5/repodata/repomd.xml'
[Errno 13] Permission denied: u'///root/zoo5/repodata/repomd.xml'
[Errno 13] Permission denied: u'///tmp/zoo5/repodata/repomd.xml'
[Errno 13] Permission denied: u'///home/ec2-user/zoo5/repodata/repomd.xml'
Updated by bmbouter over 9 years ago
selinux carries its own security file contexts for each file and folder on a filesystem. These aren't POSIX permissions and they aren't dependent on location in the filesystem. Unzipping them in different locations will leave you with the same selinux file contexts no matter where you put them. I learn a lot from Dan Walsh's blog posts, here is one on file contexts. http://danwalsh.livejournal.com/4208.html
Try a relabel with one of those commands using the file contexts recommended above.
Updated by igulina@redhat.com over 9 years ago
Nice, will check that. Thank you =)
Updated by mhrivnak over 9 years ago
- Category set to 23
- Triaged changed from No to Yes
- Tags Documentation added
Updated by igulina@redhat.com over 9 years ago
httpd_sys_rw_content_t doesn't work
>> ll -Z /home/ec2-user/zoo5/
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 CHANGESET
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 cheetah-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 create.sh
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 elephant-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 empty.iso
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 giraffe-0.3-0.8.noarch.rpm
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 images
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 lion-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 monkey-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 penguin-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 PULP_MANIFEST
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 repodata
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 squirrel-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 updateinfo.xml
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 walrus-0.3-0.8.noarch.rpm
>> ll -Z /home/ec2-user/
-rw-rw-r--. ec2-user ec2-user unconfined_u:object_r:user_home_t:s0 repo.tar.gz
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 zoo5
>> pulp-admin rpm repo create --repo-id sys_local --feed=file:///home/ec2-user/zoo5/
Successfully created repository [sys_local]
>> pulp-admin rpm repo sync run --repo-id sys_local
+----------------------------------------------------------------------+
Synchronizing Repository [sys_local]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Task Failed
Error retrieving metadata: Not found
httpd_sys_rw_content_t doesn't work either
>> ll -Z /home/ec2-user/
-rw-rw-r--. ec2-user ec2-user unconfined_u:object_r:user_home_t:s0 repo.tar.gz
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 zoo5
>> ll -Z /home/ec2-user/zoo5/
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 CHANGESET
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 cheetah-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 create.sh
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 elephant-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 empty.iso
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 giraffe-0.3-0.8.noarch.rpm
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 images
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 lion-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 monkey-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 penguin-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 PULP_MANIFEST
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 repodata
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 squirrel-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 updateinfo.xml
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 walrus-0.3-0.8.noarch.rpm
>> pulp-admin rpm repo create --repo-id sys_rw_local --feed=file:///home/ec2-user/zoo5/
Successfully created repository [sys_rw_local]
>> pulp-admin -u admin -p admin rpm repo sync run --repo-id sys_rw_local
+----------------------------------------------------------------------+
Synchronizing Repository [sys_rw_local]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Task Failed
Error retrieving metadata: Not found
Only with pulp_tmp_t everything is OK:
>> ll -Z /tmp/
-rw-rw-r--. ec2-user ec2-user unconfined_u:object_r:user_tmp_t:s0 repo.tar.gz
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-r2C5xF
drwx------. root root system_u:object_r:tmp_t:s0 systemd-private-sy49NU
drwxr-xr-x. apache apache unconfined_u:object_r:pulp_tmp_t:s0 zoo5
>> ll -Z /tmp/zoo5/
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 CHANGESET
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 cheetah-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 create.sh
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 elephant-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 empty.iso
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 giraffe-0.3-0.8.noarch.rpm
drwxr-xr-x. apache apache unconfined_u:object_r:pulp_tmp_t:s0 images
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 lion-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 monkey-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 penguin-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 PULP_MANIFEST
drwxr-xr-x. apache apache unconfined_u:object_r:pulp_tmp_t:s0 repodata
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 squirrel-0.3-0.8.noarch.rpm
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 updateinfo.xml
-rw-r--r--. apache apache unconfined_u:object_r:pulp_tmp_t:s0 walrus-0.3-0.8.noarch.rpm
>> pulp-admin rpm repo create --repo-id tmp_repo --feed=file:///tmp/zoo5/
Successfully created repository [tmp_repo]
>> pulp-admin rpm repo sync run --repo-id tmp_repo
+----------------------------------------------------------------------+
Synchronizing Repository [tmp_repo]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[-]
... completed
Downloading repository content...
[==================================================] 100%
RPMs: 8/8 items
Delta RPMs: 0/0 items
... completed
Downloading distribution files...
[==================================================] 100%
Distributions: 3/3 items
... completed
Importing errata...
[-]
... completed
Importing package groups/categories...
[-]
... completed
Task Succeeded
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
8 of 8 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[==================================================] 100%
2 of 2 items
... completed
Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Publishing files to web
[-]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
bmbouter, please notice that today there were no denial lines from the ausearch -m avc command:
>> ausearch -m avc
----
time->Thu Jul 9 06:52:49 2015
type=SYSCALL msg=audit(1436439169.827:2707): arch=c000003e syscall=2 success=no exit=-13 a0=2ffc010 a1=0 a2=1b6 a3=fffff000 items=0 ppid=12342 pid=12439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436439169.827:2707): avc: denied { read } for pid=12439 comm="celery" name="repomd.xml" dev="xvda2" ino=1688187 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
----
time->Thu Jul 9 07:13:33 2015
type=SYSCALL msg=audit(1436440413.414:2717): arch=c000003e syscall=2 success=no exit=-13 a0=3b27470 a1=0 a2=1b6 a3=fffff000 items=0 ppid=12342 pid=12439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436440413.414:2717): avc: denied { read } for pid=12439 comm="celery" name="repomd.xml" dev="xvda2" ino=1688187 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
>> date
Thu Jul 16 07:54:24 EDT 2015
Buuuuut, tail -F /var/log/audit/audit.log returned me this
type=AVC msg=audit(1437048785.079:20696): avc: denied { search } for pid=12439 comm="celery" name="ec2-user" dev="xvda2" ino=25832755 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1437048785.079:20696): arch=c000003e syscall=2 success=no exit=-13 a0=399cd90 a1=0 a2=1b6 a3=fffff000 items=0 ppid=12342 pid=12439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1437048785.079:20697): avc: denied { search } for pid=12439 comm="celery" name="ec2-user" dev="xvda2" ino=25832755 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1437048785.079:20697): arch=c000003e syscall=2 success=no exit=-13 a0=3bd5540 a1=0 a2=1b6 a3=fffff000 items=0 ppid=12342 pid=12439 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
Only after I changed SElinux label of the user folder it worked:
>> semanage fcontext -a -t httpd_sys_rw_content_t "/home/ec2-user"
>> restorecon -Rv "/home/ec2-user"
restorecon reset /home/ec2-user context unconfined_u:object_r:user_home_dir_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
>> ll -Z /home/
drwx-----x. ec2-user ec2-user unconfined_u:object_r:httpd_sys_rw_content_t:s0 ec2-user
>> pulp-admin rpm repo sync run --repo-id repo
+----------------------------------------------------------------------+
Synchronizing Repository [repo]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[-]
... completed
Downloading repository content...
[==================================================] 100%
RPMs: 0/0 items
Delta RPMs: 0/0 items
... completed
Downloading distribution files...
[==================================================] 100%
Distributions: 3/3 items
... completed
Importing errata...
[-]
... completed
Importing package groups/categories...
[-]
... completed
Task Succeeded
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
8 of 8 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[==================================================] 100%
2 of 2 items
... completed
Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Publishing files to web
[-]
... completed
Writing Listings File
[-]
... completed
Task Succeeded
But /home/ec2-user should always have the user_home_dir_t label, shouldn't it? Isn't it a celery issue? Or am I wrong at some point?
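The AVC records quoted in this thread, grouped by source type, target type and object class, as an added example (not part of the original thread and not Pulp's code). The AVC lines are copied from the comments above, the SYSCALL line is abridged, and the function names are this example's own. It separates the file denials against admin_home_t from the directory search denial against user_home_dir_t, which is the one that still blocked the sync after zoo5 itself had been relabeled.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this thread. The SYSCALL record is
# abridged and is only here to show that non-AVC lines are skipped.
SAMPLE = """\
type=SYSCALL msg=audit(1437048785.079:20696): arch=c000003e syscall=2 success=no exit=-13 pid=12439 uid=48 comm="celery" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1436480368.933:2950885): avc: denied { getattr } for pid=7223 comm="python" path="/var/lib/pulp/zoo5/repodata/repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1436482618.757:2951025): avc: denied { open } for pid=7223 comm="python" name="repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1436482618.757:2951025): avc: denied { read } for pid=7223 comm="python" name="repomd.xml" dev=xvda1 ino=3803614 scontext=unconfined_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1437048785.079:20696): avc: denied { search } for pid=12439 comm="celery" name="ec2-user" dev="xvda2" ino=25832755 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<event>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "event": int(m.group("event")),  # records from one syscall share this id
        "perms": m.group("perms").split(),
        "object": fields.get("path") or fields.get("name") or "?",
        # A context is user:role:type:level; the type is what policy rules match.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["objects"].add(rec["object"])
    return dict(groups)


def describe(summary):
    """One line per group. Class 'file' points at the object's own label,
    class 'dir' at a directory that has to be traversed to reach it."""
    out = []
    for (src, tgt, cls), info in sorted(summary.items()):
        where = "directory on the path" if cls == "dir" else "file"
        out.append("%s denied {%s} on %s labelled %s: %s" % (
            src, " ".join(sorted(info["perms"])), where, tgt,
            ", ".join(sorted(info["objects"]))))
    return out


if __name__ == "__main__":
    print("\n".join(describe(summarize(SAMPLE))))
```
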
Updated by igulina@redhat.com over 9 years ago
But on pulp-server-2.6.3-0.2.beta.el6.noarch I couldn't set a pulp_tmp_t on /tmp/zoo5 directory
>> pulp-admin rpm repo sync run --repo-id malinka
+----------------------------------------------------------------------+
Synchronizing Repository [malinka]
+----------------------------------------------------------------------+
This command may be exited via ctrl+c without affecting the request.
Downloading metadata...
[-]
... failed
[Errno 13] Permission denied: u'///tmp/zoo5/repodata/repomd.xml'
Task Failed
Importer indicated a failed response
>> ll -Z /tmp
drwxr-xr-x. root root unconfined_u:object_r:tmp_t:s0 hsperfdata_root
srwxrwxrwx. mongodb mongodb unconfined_u:object_r:mongod_tmp_t:s0 mongodb-27017.sock
-rw-rw-r--. ec2-user ec2-user unconfined_u:object_r:user_tmp_t:s0 repo.tar.gz
drwxr-xr-x. ec2-user ec2-user unconfined_u:object_r:user_tmp_t:s0 zoo5
>> sudo semanage fcontext -a -t pulp_tmp_t "/tmp/zoo5"
/usr/sbin/semanage: Type pulp_tmp_t is invalid, must be a file or device type
>> sudo semanage fcontext -a -t httpd_sys_content_t "/tmp/zoo5"
>> ll -Z /tmp
drwxr-xr-x. root root unconfined_u:object_r:tmp_t:s0 hsperfdata_root
srwxrwxrwx. mongodb mongodb unconfined_u:object_r:mongod_tmp_t:s0 mongodb-27017.sock
-rw-rw-r--. ec2-user ec2-user unconfined_u:object_r:user_tmp_t:s0 repo.tar.gz
drwxr-xr-x. ec2-user ec2-user unconfined_u:object_r:user_tmp_t:s0 zoo5
>> restorecon -v /tmp/zoo5/
restorecon reset /tmp/zoo5 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
>> ll -Z /tmp
drwxr-xr-x. root root unconfined_u:object_r:tmp_t:s0 hsperfdata_root
srwxrwxrwx. mongodb mongodb unconfined_u:object_r:mongod_tmp_t:s0 mongodb-27017.sock
-rw-rw-r--. ec2-user ec2-user unconfined_u:object_r:user_tmp_t:s0 repo.tar.gz
drwxr-xr-x. ec2-user ec2-user unconfined_u:object_r:httpd_sys_content_t:s0 zoo5
>> sudo semanage fcontext -a -t pulp_tmp_t "/tmp/zoo5"
/usr/sbin/semanage: Type pulp_tmp_t is invalid, must be a file or device type
However on rhel7, pulp 2.7.0-0.4 there is such a type, see the previous comment.
Updated by igulina@redhat.com over 9 years ago
- Blocks Issue #995: Syncing yum repo raises error added
Updated by bmbouter about 9 years ago
- Blocks deleted (Issue #995: Syncing yum repo raises error)
Updated by bmbouter over 8 years ago
I don't believe this is an actual bug, but the root cause is the selinux filesystem labels are wrong. The docs are deficient in this area though, but fixing that is already tracked under https://pulp.plan.io/issues/1560
Updated by bmbouter over 8 years ago
- Status changed from NEW to CLOSED - NOTABUG