Issue #1352
closed
When pulp-server SElinux policy fails to install user is not notified
Description
When installing Pulp, sometimes the Pulp SELinux policies will fail to install due to the selinux-policy package not being as current as the one the package was built against. This fails silently at install time and later causes issues like these:
There was an internal server error while trying to access the Pulp application.
One possible cause is that the database needs to be migrated to the latest
version. If this is the case, run pulp-manage-db and restart the services. More
information may be found in Apache's log.
This appears to be caused by an selinux denial:
type=AVC msg=audit(1446667384.635:236): avc: denied { getattr } for pid=1485 comm="httpd" path="/
srv/pulp/webservices.wsgi" dev="vda1" ino=387475 scontext=system_u:system_r:httpd_t:s0 tcontext=syst
em_u:object_r:var_t:s0 tclass=file permissive=0
I was able to log in after running "setenforce 0".
- Subject changed from avc denial with pulp 2.7.0-0.8.rc.fc22 to When pulp-server SElinux policy fails to install user is not notified
pulp-selinux RPM should check if the pulp-server and pulp-celery policies are present after the install finishes. If the policies are not present, user should be notified.
Another approach could be to somehow at build time specify which SElinux package versions the policies depend on ... that way yum or dnf will take care of updating the selinux dependencies.
dkliban@redhat.com wrote:
pulp-selinux RPM should check if the pulp-server and pulp-celery policies are present after the install finishes. If the policies are not present, user should be notified.
Another approach could be to somehow at build time specify which SElinux package versions the policies depend on ... that way yum or dnf will take care of updating the selinux dependencies.
This has bit me twice, luckily the second time Dennis recognized the issue right away and saved me hours of debugging :)
- Description updated (diff)
dkliban@redhat.com wrote:
pulp-selinux RPM should check if the pulp-server and pulp-celery policies are present after the install finishes. If the policies are not present, user should be notified.
Another approach could be to somehow at build time specify which SElinux package versions the policies depend on ... that way yum or dnf will take care of updating the selinux dependencies.
The second one (having the built time add a runtime dependency to the spec file) sounds better than the first for several reasons. The second one let's yum/dnf handle user interaction, would upgrade packages as necessary automatically to actually solve the problem, and is more proactive than the first approach.
+1 to exploring option 2.
- Triaged changed from No to Yes
- Parent issue set to #1826
- Parent issue deleted (
#1826)
- Status changed from NEW to CLOSED - WONTFIX
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.
Also available in: Atom
PDF
.