Issue #1253
closed
rpm install on consumer fails with 403 forbidden
Description
Trying to install rpm from a pulp repo seems to be failing with 403
[root@mgmt4 ~]# rpm -qa pulp-server
pulp-server-2.7.0-0.4.beta.el7.noarch
[root@mgmt4 ~]#
[root@mgmt4 ~]# yum install cat
Loaded plugins: product-id, pulp-profile-update, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package cat.noarch 0:1.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================
Package Arch Version Repository Size
=============================================================================================
Installing:
cat noarch 1.0-1 zoo 2.4 k
Transaction Summary
=============================================================================================
Install 1 Package
Total download size: 2.4 k
Installed size: 42
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for zoo
cat-1.0-1.noarch.rpm FAILED
https://mgmt4.rhq.lab.eng.bos.redhat.com/pulp/repos/repos/pulp/pulp/demo_repos/zoo/cat-1.0-1.noarch.rpm: [Errno 14] HTTPS Error 403 - Forbidden
Trying other mirror.
Error downloading packages:
cat-1.0-1.noarch: [Errno 256] No more mirrors to try.
Updated by bmbouter over 8 years ago
This is due to an SELinux issue. In 2.7.0 with story #106, working directories moved from /var/lib/pulp/ to /var/cache/pulp/. Throughout Pulp, files are commonly built in the working path and then copied into their locations at /var/lib/pulp/publishes/*. SELinux applies the pulp_var_cache_t label when the files are created in /var/cache/pulp/*, and those SELinux security contexts are being incorrectly maintained when the files are copied into /var/lib/pulp/*. I expect the files to receive the httpd_sys_rw_content_t security context in /var/lib/pulp/*.
This needs to be fixed specifically for this test, but I expect we will have problems anywhere we create files in the working directory, move the files into place, and then try to have apache serve those files. We should look to fix this problem more broadly before 2.7.0 is released.
The fix should be to copy the file but without extended attributes. We also need to replace moves with copy commands. Pulp can no longer move files when those files are made in the working directory and then moved into place. Cleanup of the working directory contents should not be necessary since they auto-clean up on worker restart.
After discussion in #selinux, the following advice was given about specific modifications to our Python code from perfinion:
09:14:23 perfinion | bmbouter: shutil module right? change copy2 to copy1, and copytree has an arg for the copy_func make that copy too, and just change move to shutil.copy
09:14:30 perfinion | bmbouter: that should be all that's required
09:15:19 perfinion | bmbouter: this is the problem in copy2: Changed in version 3.3: Added follow_symlinks argument, try to copy extended file system attributes too (currently Linux only).
09:15:35 perfinion | bmbouter: copying all the xattrs is exactly the opposite of what you want, so use copy() instead
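An added example (not from this thread and not Pulp's own code) of the advice above in Python 3: `publish` copies with `shutil.copy` so the published file is a new inode, and `find_mislabeled` lists files under a publish tree whose SELinux type differs from the expected one. The helper names and the default root `/var/lib/pulp` are assumptions made for illustration.

```python
import os
import shutil
import sys

EXPECTED_TYPE = "httpd_sys_rw_content_t"  # type the issue expects under /var/lib/pulp
SELINUX_XATTR = "security.selinux"        # xattr that stores a file's SELinux context

def selinux_type(context):
    """Return the type field of a 'user:role:type:level' context string."""
    parts = context.rstrip("\x00").split(":")
    return parts[2] if len(parts) >= 3 else None

def read_context(path):
    """Read the context xattr; None where the platform or filesystem has no label."""
    try:
        return os.getxattr(path, SELINUX_XATTR, follow_symlinks=False).decode()
    except (OSError, AttributeError):
        return None

def publish(src, dst):
    """Copy content and permission bits only (hypothetical helper, not Pulp's API).

    shutil.copy writes a new inode, which is labelled according to where it is
    created. A same-filesystem shutil.move is a rename, so the file keeps its old
    label, and Python 3's shutil.copy2 also tries to copy extended attributes.
    """
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    return shutil.copy(src, dst)

def find_mislabeled(root, expected=EXPECTED_TYPE, get_context=read_context):
    """Return (path, type) for files under root whose SELinux type is not expected."""
    bad = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            context = get_context(path)
            if context is None:  # unlabeled filesystem: nothing to compare
                continue
            found = selinux_type(context)
            if found != expected:
                bad.append((path, found))
    return bad

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/pulp"
    for path, found in find_mislabeled(root):
        print("%s: %s (expected %s)" % (path, found, EXPECTED_TYPE))
```

Files the audit reports can be relabelled with `restorecon -R` on the publish tree; the `get_context` parameter exists so the check can be exercised with constructed labels on hosts without SELinux.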
Updated by bmbouter over 8 years ago
- Priority changed from Normal to High
- Severity changed from 2. Medium to 3. High
Updated by ipanova@redhat.com over 8 years ago
- Assignee set to ipanova@redhat.com
Updated by amacdona@redhat.com over 8 years ago
- Status changed from NEW to ASSIGNED
Updated by dkliban@redhat.com over 8 years ago
The actual copying of files occurs in each plugin. Here [0] is where it is in RPM. We should probably just change it to copy [1]. You don't have to worry about the removal of the files because it occurs later in the code.
This needs to be done for all the plugins.
[1] https://docs.python.org/2/library/shutil.html#shutil.move
[2] https://docs.python.org/2/library/shutil.html#shutil.copy
Added by ipanova@redhat.com over 8 years ago
Updated by ipanova@redhat.com over 8 years ago
We decided in this PR to fix the specific case and open a separate issue that would take care of getting rid of move and copytree where there is need.
Updated by ipanova@redhat.com over 8 years ago
- Project changed from Pulp to RPM Support
- Status changed from ASSIGNED to POST
Updated by ipanova@redhat.com over 8 years ago
Brian, the issue with copytree is that in Python 2.X copytree does not have an arg for the copy_func, so you cannot change copy2 to copy1.
Updated by ipanova@redhat.com over 8 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset de1895ede2f24731dcf6f52321beaee6b71c15a4.
Updated by dkliban@redhat.com over 8 years ago
- Status changed from MODIFIED to 5
Updated by amacdona@redhat.com over 8 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Wrong SELinux label prevents rpm installation.
closes #1253 https://pulp.plan.io/issues/1253