rpm install on consumer fails with 403 forbidden
Trying to install rpm from a pulp repo seems to be failing with 403
[root@mgmt4 ~]# rpm -qa pulp-server
pulp-server-2.7.0-0.4.beta.el7.noarch
[root@mgmt4 ~]#
[root@mgmt4 ~]# yum install cat
Loaded plugins: product-id, pulp-profile-update, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package cat.noarch 0:1.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================
Package Arch Version Repository Size
=============================================================================================
Installing:
cat noarch 1.0-1 zoo 2.4 k
Transaction Summary
=============================================================================================
Install 1 Package
Total download size: 2.4 k
Installed size: 42
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for zoo
cat-1.0-1.noarch.rpm FAILED
https://mgmt4.rhq.lab.eng.bos.redhat.com/pulp/repos/repos/pulp/pulp/demo_repos/zoo/cat-1.0-1.noarch.rpm: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
Error downloading packages:
cat-1.0-1.noarch: [Errno 256] No more mirrors to try.
#2 Updated by bmbouter about 6 years ago
This is due to an selinux issue. In 2.7.0 with story #106, working directories moved from /var/lib/pulp/ to /var/cache/pulp/. Throughout Pulp, files are commonly built in the working path and then copied into their locations at /var/lib/pulp/publishes/*. SELinux applies the pulp_var_cache_t label when the files are created in /var/cache/pulp/*, and those selinux security contexts are being incorrectly maintained when the files are copied into /var/lib/pulp/*. I expect the files to receive the httpd_sys_rw_content_t security context in /var/lib/pulp/*.
This needs to be fixed specifically for this test, but I expect we will have problems anywhere we create files in the working directory, move the files into place, and then try to have apache serve those files. We should look to fix this problem more broadly before 2.7.0 is released.
The fix should be to copy the file but without extended attributes. We also need to replace moves with copy commands. Pulp can no longer move files when those files are made in the working directory and then moved into place. Cleanup of the working directory contents should not be necessary since they auto-clean up on worker restart.
After discussion in #selinux, the following advice was given about specific modifications to our Python code from perfinion:
09:14:23 perfinion | bmbouter: shutil module right? change copy2 to copy1, and copytree has an arg for the copy_func make that copy too, and just change move to shutil.copy
09:14:30 perfinion | bmbouter: that should be all that's required
09:15:19 perfinion | bmbouter: this is the problem in copy2: Changed in version 3.3: Added follow_symlinks argument, try to copy extended file system attributes too (currently Linux only).
09:15:35 perfinion | bmbouter: copying all the xattrs is exactly the opposite of what you want, so use copy() instead
#8 Updated by firstname.lastname@example.org about 6 years ago
The actual copying of files occurs in each plugin. Here is where it is in RPM. We should probably just change it to copy. You don't have to worry about the removal of the files because it occurs later in the code.
This needs to be done for all the plugins.
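One way to apply the advice in this thread, as an added example that is not Pulp's own code: a publish helper that recreates every file and directory under the destination instead of moving it or copying its metadata. The names publish_tree, xattr_names and the user.demo_label attribute are assumptions for illustration, and the example assumes Python 3 on Linux.

```python
import os
import shutil
import tempfile

def xattr_names(path):
    """Return the extended attribute names on path (empty set if unsupported)."""
    try:
        return set(os.listxattr(path))
    except (AttributeError, OSError):
        return set()

def publish_tree(working_dir, publish_dir):
    """Copy working_dir into publish_dir, creating each file and directory fresh.

    shutil.copy() copies data and permission bits only. copy2() also copies
    xattrs, move() is a rename on the same filesystem (same inode, same label),
    and copytree() runs copystat() on every directory. Creating new inodes lets
    the SELinux policy for publish_dir decide the label.
    """
    published = []
    for root, _dirs, files in os.walk(working_dir):
        rel = os.path.relpath(root, working_dir)
        target = os.path.normpath(os.path.join(publish_dir, rel))
        os.makedirs(target, exist_ok=True)
        for name in files:
            dst = os.path.join(target, name)
            published.append(shutil.copy(os.path.join(root, name), dst))
    return sorted(published)

def demo():
    """Constructed demo: a user.* xattr stands in for the security.selinux label."""
    base = tempfile.mkdtemp()
    work = os.path.join(base, "cache", "zoo")
    os.makedirs(work)
    src = os.path.join(work, "cat-1.0-1.noarch.rpm")
    with open(src, "wb") as fh:
        fh.write(b"constructed payload")
    try:
        os.setxattr(src, "user.demo_label", b"pulp_var_cache_t")
    except (AttributeError, OSError):
        pass  # no user xattrs on this filesystem; the copy behaves the same
    out = publish_tree(os.path.join(base, "cache"), os.path.join(base, "publishes"))
    leaked = any("user.demo_label" in xattr_names(p) for p in out)
    rel_paths = [os.path.relpath(p, base) for p in out]
    shutil.rmtree(base)
    return rel_paths, leaked
```

On a host with SELinux enabled, `ls -Z` on the published files shows the label they actually received.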