Issue #1484

closed

celery services do not start on Fedora Server or Fedora Workstation with SELinux enabled

Added by cduryee about 8 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version: Master
Platform Release: 2.7.2
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

If you install pulp nightly (pulp-server-2.8.0-0.1.alpha.git.0.8976233.fc23.noarch) and attempt to start pulp_celerybeat, you will get:

systemd-coredump[1697]: Process 1689 (celery) of user 48 dumped core.

Stack trace of thread 1689:
#0  0x00007f39f0f4ba98 raise (libc.so.6)
#1  0x00007f39f0f4d69a abort (libc.so.6)
#2  0x00007f39f2126985 log_assert_failed (/usr/lib64/libnss_myhostname.so.2)
#3  0x00007f39f2126ea5 safe_close (/usr/lib64/libnss_myhostname.so.2)
#4  0x00007f39f2123f32 sd_netlink_open (/usr/lib64/libnss_myhostname.so.2)
#5  0x00007f39f21250a4 local_addresses.constprop.4 (/usr/lib64/libnss_myhostna
#6  0x00007f39f21239ae _nss_myhostname_gethostbyname4_r (/usr/lib64/libnss_myh
#7  0x00007f39f0ffecbf gaih_inet (libc.so.6)
#8  0x00007f39f10020a6 getaddrinfo (libc.so.6)
#9  0x00007f39ec774c65 setipaddr (_socketmodule.so)
#10 0x00007f39ec7774e7 socket_gethostbyaddr (_socketmodule.so)
#11 0x00007f39f1cf98be PyEval_EvalFrameEx (libpython2.7.so.1.0)
#12 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#13 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#14 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#15 0x00007f39f1cfa7d9 PyEval_EvalCode (libpython2.7.so.1.0)
#16 0x00007f39f1d0a4dc PyImport_ExecCodeModuleEx (libpython2.7.so.1.0)
#17 0x00007f39f1d0a762 load_source_module (libpython2.7.so.1.0)
#18 0x00007f39f1d0b3f0 import_submodule (libpython2.7.so.1.0)
#19 0x00007f39f1d0b918 ensure_fromlist (libpython2.7.so.1.0)
#20 0x00007f39f1d0c15a PyImport_ImportModuleLevel (libpython2.7.so.1.0)
#21 0x00007f39f1cf1e48 builtin___import__ (libpython2.7.so.1.0)
#22 0x00007f39f1c61b03 PyObject_Call (libpython2.7.so.1.0)
#23 0x00007f39f1cf3ac7 PyEval_CallObjectWithKeywords (libpython2.7.so.1.0)
#24 0x00007f39f1cf661b PyEval_EvalFrameEx (libpython2.7.so.1.0)
#25 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#26 0x00007f39f1cfa7d9 PyEval_EvalCode (libpython2.7.so.1.0)
#27 0x00007f39f1d0a4dc PyImport_ExecCodeModuleEx (libpython2.7.so.1.0)
#28 0x00007f39f1d0a762 load_source_module (libpython2.7.so.1.0)
#29 0x00007f39f1d0b3f0 import_submodule (libpython2.7.so.1.0)
#30 0x00007f39f1d0b67f load_next (libpython2.7.so.1.0)
#31 0x00007f39f1d0c098 PyImport_ImportModuleLevel (libpython2.7.so.1.0)
#32 0x00007f39f1cf1e48 builtin___import__ (libpython2.7.so.1.0)
#33 0x00007f39f1cf98be PyEval_EvalFrameEx (libpython2.7.so.1.0)
#34 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#35 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#36 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#37 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#38 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#39 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#40 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#41 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#42 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#43 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#44 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#45 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#46 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#47 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#48 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#49 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#50 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#51 0x00007f39f1cf95c6 PyEval_EvalFrameEx (libpython2.7.so.1.0)
#52 0x00007f39f1cfa6b4 PyEval_EvalCodeEx (libpython2.7.so.1.0)
#53 0x00007f39f1cfa7d9 PyEval_EvalCode (libpython2.7.so.1.0)
#54 0x00007f39f1d13bdf run_mod (libpython2.7.so.1.0)
#55 0x00007f39f1d14db2 PyRun_FileExFlags (libpython2.7.so.1.0)
#56 0x00007f39f1d15fc7 PyRun_SimpleFileExFlags (libpython2.7.so.1.0)
#57 0x00007f39f1d281e1 Py_Main (libpython2.7.so.1.0)
#58 0x00007f39f0f37580 __libc_start_main (libc.so.6)
#59 0x0000559ca9765839 _start (python2.7)

This appears to be an SELinux issue:

# audit2allow -a

#============= celery_t ==============
allow celery_t self:netlink_route_socket setopt;

Disabling SELinux allows celerybeat to start normally.


Related issues

Blocks Pulp - Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp CLOSED - CURRENTRELEASE

Actions #1

Updated by bmbouter about 8 years ago

  • Related to Issue #1386: python-kombu is newer on fedora23, so fedora23 is missing several bugfixes that our patches fix added
Actions #2

Updated by bmbouter about 8 years ago

  • Related to deleted (Issue #1386: python-kombu is newer on fedora23, so fedora23 is missing several bugfixes that our patches fix)
Actions #3

Updated by bmbouter about 8 years ago

  • Subject changed from (selinux) pulp_celerybeat does not start on fedora23 to celery services do not start on fedora23
  • Priority changed from Normal to High
  • Version set to 2.7.1
  • Platform Release set to 2.7.2
  • OS set to Fedora 23

A quick investigation revealed that this issue affects pulp_celerybeat, pulp_workers, and pulp_resource_manager. Given that, I'm marking it as High priority. When this is fixed it should be in the oldest 2.x line which currently is 2.7.x. It does not seem to affect httpd.

Actions #4

Updated by bmbouter about 8 years ago

I used coredumpctl and installed the python debuginfo libraries and I produced a python traceback corresponding to the above GDB traceback:

#13 Frame 0x7f246836d608, for file /usr/lib64/python2.7/socket.py, line 141, in getfqdn (name='beav-2.8-repro.os1.phx2.redhat.com')
    hostname, aliases, ipaddrs = gethostbyaddr(name)
#17 Frame 0x7f246834ae50, for file /usr/lib/python2.7/site-packages/pulp/server/config.py, line 113, in <module> ()
    'server_name': socket.getfqdn(),
#30 Frame 0x7f246836c988, for file /usr/lib/python2.7/site-packages/pulp/server/async/celery_instance.py, line 14, in <module> ()
    from pulp.server.config import config
#42 Frame 0x7f2468cceb90, for file /usr/lib64/python2.7/importlib/__init__.py, line 37, in import_module (name=u'pulp.server.async.celery_instance', package=None)
    __import__(name)
#46 Frame 0x7f24685fd830, for file /usr/lib/python2.7/site-packages/celery/utils/imports.py, line 101, in import_from_cwd (module=u'pulp.server.async.celery_instance', imp=<function at remote 0x7f24696a3b18>, package=None)
    return imp(module, package=package)
#51 Frame 0x563f5c136890, for file /usr/lib/python2.7/site-packages/kombu/utils/__init__.py, line 92, in symbol_by_name (name=u'pulp.server.async.celery_instance.celery', aliases={}, imp=<function at remote 0x7f2468a35b18>, package=None, sep='.', default=None, kwargs={}, module_name=u'pulp.server.async.celery_instance', _=u'.', cls_name=u'celery')
    module = imp(module_name, package=package, **kwargs)
#55 Frame 0x7f246836c5d8, for file /usr/lib/python2.7/site-packages/celery/bin/base.py, line 487, in symbol_by_name (self=<CeleryCommand(description=None, stdout=<file at remote 0x7f246ff30150>, app=None, _no_color=False, quiet=False, _colored=None, stderr=<file at remote 0x7f246ff301e0>, get_app=<instancemethod at remote 0x7f2469480c30>) at remote 0x7f2468376110>, name=u'pulp.server.async.celery_instance.celery', imp=<function at remote 0x7f2468a35b18>)
    return symbol_by_name(name, imp=imp)
#59 Frame 0x563f5c147b40, for file /usr/lib/python2.7/site-packages/celery/app/utils.py, line 222, in find_app (app=u'pulp.server.async.celery_instance.celery', symbol_by_name=<instancemethod at remote 0x7f246a225e10>, imp=<function at remote 0x7f2468a35b18>, Celery=<type at remote 0x563f5c285510>)
    sym = symbol_by_name(app, imp=imp)
#63 Frame 0x7f246836c400, for file /usr/lib/python2.7/site-packages/celery/bin/base.py, line 484, in find_app (self=<CeleryCommand(description=None, stdout=<file at remote 0x7f246ff30150>, app=None, _no_color=False, quiet=False, _colored=None, stderr=<file at remote 0x7f246ff301e0>, get_app=<instancemethod at remote 0x7f2469480c30>) at remote 0x7f2468376110>, app=u'pulp.server.async.celery_instance.celery', find_app=<function at remote 0x7f2468364050>)
    return find_app(app, symbol_by_name=self.symbol_by_name)
#67 Frame 0x563f5c16cff0, for file /usr/lib/python2.7/site-packages/celery/bin/base.py, line 464, in setup_app_from_commandline (self=<CeleryCommand(description=None, stdout=<file at remote 0x7f246ff30150>, app=None, _no_color=False, quiet=False, _colored=None, stderr=<file at remote 0x7f246ff301e0>, get_app=<instancemethod at remote 0x7f2469480c30>) at remote 0x7f2468376110>, argv=['/usr/bin/celery', 'beat', '--app=pulp.server.async.celery_instance.celery', '--scheduler=pulp.server.async.scheduler.Scheduler'], preload_options={u'app': u'pulp.server.async.celery_instance.celery'}, quiet=None, workdir=None, app=u'pulp.server.async.celery_instance.celery', preload_loader=None, loader=(None, u'default'), broker=None, config=None)
    self.app = self.find_app(app)
#71 Frame 0x7f2468cded00, for file /usr/lib/python2.7/site-packages/celery/bin/base.py, line 304, in execute_from_commandline (self=<CeleryCommand(description=None, stdout=<file at remote 0x7f246ff30150>, app=None, _no_color=False, quiet=False, _colored=None, stderr=<file at remote 0x7f246ff301e0>, get_app=<instancemethod at remote 0x7f2469480c30>) at remote 0x7f2468376110>, argv=['/usr/bin/celery', 'beat', '--app=pulp.server.async.celery_instance.celery', '--scheduler=pulp.server.async.scheduler.Scheduler'])
    argv = self.setup_app_from_commandline(argv)
#75 Frame 0x7f246836c228, for file /usr/lib/python2.7/site-packages/celery/bin/celery.py, line 769, in execute_from_commandline (self=<CeleryCommand(description=None, stdout=<file at remote 0x7f246ff30150>, app=None, _no_color=False, quiet=False, _colored=None, stderr=<file at remote 0x7f246ff301e0>, get_app=<instancemethod at remote 0x7f2469480c30>) at remote 0x7f2468376110>, argv=['/usr/bin/celery', 'beat', '--app=pulp.server.async.celery_instance.celery', '--scheduler=pulp.server.async.scheduler.Scheduler'])
    super(CeleryCommand, self).execute_from_commandline(argv)))
#79 Frame 0x7f2468cced70, for file /usr/lib/python2.7/site-packages/celery/bin/celery.py, line 81, in main (argv=None, cmd=<CeleryCommand(description=None, stdout=<file at remote 0x7f246ff30150>, app=None, _no_color=False, quiet=False, _colored=None, stderr=<file at remote 0x7f246ff301e0>, get_app=<instancemethod at remote 0x7f2469480c30>) at remote 0x7f2468376110>, freeze_support=<function at remote 0x7f2468a25398>)
    cmd.execute_from_commandline(argv)
#83 Frame 0x7f2469d7e208, for file /usr/lib/python2.7/site-packages/celery/__main__.py, line 30, in main (main=<function at remote 0x7f24680d0c08>)
    main()
#87 Frame 0x7f246fe1dcc8, for file /usr/bin/celery, line 9, in <module> ()
    load_entry_point('celery==3.1.11', 'console_scripts', 'celery')()
Actions #5

Updated by bmbouter about 8 years ago

This was introduced in 2.7.0-0.3.beta[0]. I have not confirmed if it affects other distributions. I think that is important to do because if it's just f23+ we want to have the selinux policy introduce the new rule conditionally based on distro. That is the next step.

[0]: https://github.com/pulp/pulp/commit/dcdb09e0c2211e0d458a1ac1dc6b73176de951ec

Actions #6

Updated by semyers about 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to semyers

I've got working installs for el6 and el7, where I'll try to reproduce this.

Actions #7

Updated by semyers about 8 years ago

  • Status changed from ASSIGNED to NEW
  • Assignee deleted (semyers)

Using a slightly more recent nightly (Jan 7: 2.8.0-0.1.alpha.git.0.dedc13d.el6 & pulp-server-2.8.0-0.1.alpha.git.0.dedc13d.el7), I'm not able to reproduce this on el6 and el7. pulp_celerybeat, pulp_workers, and pulp_resource_manager are working, so I think this is indeed isolated to f23+. I can test again with 2.7 if desired.

My selinux fu is weak, so I'm putting this ticket back in the pool.

Actions #8

Updated by mhrivnak about 8 years ago

  • Triaged changed from No to Yes
Actions #9

Updated by bmbouter about 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter
Actions #10

Updated by bmbouter about 8 years ago

  • Version changed from 2.7.1 to Master

This is from a nightly so setting Version to master

Actions #11

Updated by semyers about 8 years ago

Just to be super clear: I tested with the most recent (2.8.0-0.1.alpha.git.0.dedc13d at the time) nightly, on RHEL 6 and 7, with selinux Enforcing. I did not test CentOS.

Actions #12

Updated by bmbouter about 8 years ago

I'm reproducing with Fedora 22 and 23 with SELinux Enforcing, and I will adjust and test the new policy on the Fedora 23 box.

Actions #13

Updated by bmbouter about 8 years ago

I tried the current pulp nightly (2.8.0-0.1.alpha.git.361.d99c61f) on fedora 22 and fedora 23 and they worked for me. I ran `dnf update` before doing the install, and afterwards everything starts normally. Basic zoo repo sync also works as expected.

Fedora 22

[fedora@bmbouter-1484-f23 yum.repos.d]$ sudo getenforce
Enforcing
[fedora@bmbouter-1484-f23 yum.repos.d]$ 
[fedora@bmbouter-1484-f23 yum.repos.d]$ sudo semodule -l | grep pulp
pulp-celery
pulp-server
[fedora@bmbouter-1484-f23 yum.repos.d]$ ls -laZ /var/lib/pulp
total 28
drwxr-xr-x.  6 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:49 .
drwxr-xr-x. 28 root   root   system_u:object_r:var_lib_t:s0              4096 Jan  8 19:47 ..
drwxr-xr-x.  3 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:49 content
drwxr-xr-x.  4 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:13 published
-rw-r--r--.  1 apache apache system_u:object_r:httpd_sys_rw_content_t:s0    1 Jan  8 19:46 sn.dat
drwxr-xr-x.  2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:13 static
drwxr-xr-x.  2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 08:05 uploads
[fedora@bmbouter-1484-f23 yum.repos.d]$ rpm -qa | grep pulp
pulp-rpm-plugins-2.8.0-0.1.alpha.git.361.d99c61f.fc23.noarch
pulp-rpm-admin-extensions-2.8.0-0.1.alpha.git.361.d99c61f.fc23.noarch
pulp-rpm-handlers-2.8.0-0.1.alpha.git.361.d99c61f.fc23.noarch
python-pulp-common-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
python-pulp-client-lib-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
pulp-server-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
pulp-puppet-admin-extensions-2.8.0-0.1.alpha.git.229.c18f035.fc23.noarch
pulp-agent-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
python-pulp-rpm-common-2.8.0-0.1.alpha.git.361.d99c61f.fc23.noarch
pulp-consumer-client-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
python-pulp-oid_validation-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
pulp-puppet-handlers-2.8.0-0.1.alpha.git.229.c18f035.fc23.noarch
pulp-rpm-yumplugins-2.8.0-0.1.alpha.git.361.d99c61f.fc23.noarch
pulp-puppet-consumer-extensions-2.8.0-0.1.alpha.git.229.c18f035.fc23.noarch
python-pulp-puppet-common-2.8.0-0.1.alpha.git.229.c18f035.fc23.noarch
python-pulp-bindings-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
pulp-admin-client-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
python-pulp-repoauth-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
pulp-puppet-plugins-2.8.0-0.1.alpha.git.229.c18f035.fc23.noarch
pulp-selinux-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch
pulp-rpm-consumer-extensions-2.8.0-0.1.alpha.git.361.d99c61f.fc23.noarch
python-pulp-agent-lib-2.8.0-0.1.alpha.git.0.83f7d1a.fc23.noarch

Fedora 22

[fedora@bmbouter-1484-f22 yum.repos.d]$ sudo getenforce
Enforcing
[fedora@bmbouter-1484-f22 yum.repos.d]$ sudo semodule -l | grep pulp
pulp-celery     2.8.0   
pulp-server     2.8.0   
[fedora@bmbouter-1484-f22 yum.repos.d]$ ls -laZ /var/lib/pulp
total 28
drwxr-xr-x.  6 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:49 .
drwxr-xr-x. 27 root   root   system_u:object_r:var_lib_t:s0              4096 Jan  8 19:47 ..
drwxr-xr-x.  3 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:49 content
drwxr-xr-x.  4 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:29 published
-rw-r--r--.  1 apache apache system_u:object_r:httpd_sys_rw_content_t:s0    1 Jan  8 19:46 sn.dat
drwxr-xr-x.  2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 19:29 static
drwxr-xr-x.  2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 07:56 uploads
[fedora@bmbouter-1484-f22 yum.repos.d]$ rpm -qa | grep pulp
python-pulp-bindings-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-rpm-plugins-2.8.0-0.1.alpha.git.361.d99c61f.fc22.noarch
pulp-puppet-consumer-extensions-2.8.0-0.1.alpha.git.229.c18f035.fc22.noarch
python-isodate-0.5.0-4.pulp.fc22.noarch
python-pulp-agent-lib-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-consumer-client-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-server-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-puppet-plugins-2.8.0-0.1.alpha.git.229.c18f035.fc22.noarch
pulp-rpm-admin-extensions-2.8.0-0.1.alpha.git.361.d99c61f.fc22.noarch
pulp-agent-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
python-pulp-common-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
python-pulp-puppet-common-2.8.0-0.1.alpha.git.229.c18f035.fc22.noarch
python-kombu-3.0.24-10.pulp.fc22.noarch
python-pulp-oid_validation-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-rpm-yumplugins-2.8.0-0.1.alpha.git.361.d99c61f.fc22.noarch
pulp-puppet-handlers-2.8.0-0.1.alpha.git.229.c18f035.fc22.noarch
pulp-selinux-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
python-pulp-client-lib-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-admin-client-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch
pulp-puppet-admin-extensions-2.8.0-0.1.alpha.git.229.c18f035.fc22.noarch
pulp-rpm-consumer-extensions-2.8.0-0.1.alpha.git.361.d99c61f.fc22.noarch
pulp-rpm-handlers-2.8.0-0.1.alpha.git.361.d99c61f.fc22.noarch
python-pulp-rpm-common-2.8.0-0.1.alpha.git.361.d99c61f.fc22.noarch
python-pulp-repoauth-2.8.0-0.1.alpha.git.0.83f7d1a.fc22.noarch

cduryee, I'm not able to reproduce it. I did a dnf update before beginning the installation; could you try to reproduce with a fresh f23 image that has been `dnf update`ed before the installation began? Any other info you can provide would be helpful.

Actions #14

Updated by bmbouter about 8 years ago

Also I looked back at your machine and the selinux state looks the same. Here is your machine that reproduces the issue.

[fedora@beav-2 ~]$ sudo getenforce
Enforcing
[fedora@beav-2 ~]$ sudo semodule -l | grep pulp
pulp-celery
pulp-server
[fedora@beav-2 pulp]$ ls -laZ /var/lib/pulp
total 28
drwxr-xr-x.  6 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  8 20:04 .
drwxr-xr-x. 25 root   root   system_u:object_r:var_lib_t:s0              4096 Jan  6 22:03 ..
drwxr-xr-x.  3 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  6 23:50 content
drwxr-xr-x.  4 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  6 22:03 published
-rw-r--r--.  1 apache apache system_u:object_r:httpd_sys_rw_content_t:s0    1 Jan  6 23:46 sn.dat
drwxr-xr-x.  2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  6 22:03 static
drwxr-xr-x.  2 apache apache system_u:object_r:httpd_sys_rw_content_t:s0 4096 Jan  5 07:55 uploads
Actions #15

Updated by cduryee about 8 years ago

I did a dnf update on the machine, restorecon -Rv /var/lib/pulp, and restarted celerybeat but got the same stack still. The semodule command shows that the correct modules are loaded.

Is there an additional command I need to run to get things updated?

Actions #16

Updated by bmbouter about 8 years ago

cduryee, you can uninstall pulp-selinux and reinstall it to cause the pulp-celery and pulp-server selinux modules to reinstall against the updated selinux. I think reproducing on a new machine would be a good test too. I can provide the commands I used if that is helpful.

Actions #17

Updated by bmbouter about 8 years ago

  • Status changed from ASSIGNED to CLOSED - WORKSFORME

After some IRC conversation, the reporter and I agreed to close the bug as WORKSFORME and if it reproduces it will be reopened with new information.

Actions #18

Updated by dkliban@redhat.com about 8 years ago

  • Status changed from CLOSED - WORKSFORME to NEW
  • Assignee deleted (bmbouter)

I experienced this issue with the 2.8.0 beta on Fedora 23.

I removed the policy that was installed. Recompiled the policy on the same machine. Installed the new policy. Continued experiencing the problem. I consistently would receive the following output from audit2allow:

$ sudo audit2allow -Ral

require {
        type celery_t;
        class netlink_route_socket setopt;
}
Actions #19

Updated by dkliban@redhat.com about 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to dkliban@redhat.com
Actions #20

Updated by dkliban@redhat.com about 8 years ago

  • Platform Release changed from 2.7.2 to 2.8.0
Actions #21

Updated by rbarlow about 8 years ago

  • Platform Release changed from 2.8.0 to 2.7.2

Dennis, I believe the triage team had changed this to 2.7.2 because it is currently broken in our stable 2.7 release.

Additionally, I wanted to say that this is reproducible on my Rawhide development box with the official Rawhide Pulp 2.8 packages.

Actions #22

Updated by dkliban@redhat.com about 8 years ago

  • Blocks Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp added
Actions #23

Updated by bmbouter about 8 years ago

  • Subject changed from celery services do not start on fedora23 to celery services do not start on Fedora Server or Fedora Workstation with SELinux enabled
  • Assignee changed from dkliban@redhat.com to bmbouter
  • OS deleted (Fedora 23)

Once again I couldn't reproduce it yesterday. After careful analysis it appears that all images I was trying to reproduce it on were in OS1 which uses Fedora Cloud as its basis, and other reproducer machines are running Fedora Workstation or Fedora Server. That is likely a meaningful difference because if the underlying packages are slightly different, SELinux may require slightly different permissions. I believe there is a deficiency in the policy so a change should be made there. This information uncovers another important detail: any Fedora Server or Fedora Workstation with SELinux enabled running 2.7.0+ is affected. I've retitled the bug as such, and I will fix in 2.7-dev in case we ever release another 2.7 release.

Added by bmbouter about 8 years ago

Revision 23143fc3 | View on GitHub

Switches SELinux netlink_route_socket to use a Refpol macro

The old statement whitelisted explicit permissions and was not fully complete. It worked on most distributions but not all. This Refpol version will use a superset which is maintained in Refpol and is appropriate for use anywhere Refpol is available.

closes #1484 https://pulp.plan.io/issues/1484
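
Added example (not part of the ticket or of the Pulp commit): the coverage check behind this fix, in Python. It turns AVC denials into audit2allow-style rules and reports which denied permissions a given permission list fails to cover. Assumptions: the audit lines and the OLD_EXPLICIT list are constructed, and r_netlink_socket_perms is an illustrative choice of macro, because the page shows neither the old statement nor the macro name; the set definitions follow refpolicy's obj_perm_sets.spt.

```python
import re
from collections import defaultdict

# Permission sets as defined in refpolicy (policy/support/obj_perm_sets.spt).
REFPOL_SETS = {
    "rw_socket_perms": "ioctl read getattr write setattr append bind "
                       "connect getopt setopt shutdown",
    "create_socket_perms": "create rw_socket_perms",
    "r_netlink_socket_perms": "create_socket_perms nlmsg_read",
}

# Constructed stand-in for an explicit whitelist; the ticket does not show
# the statement that the commit replaced.
OLD_EXPLICIT = {"bind", "create", "getattr", "nlmsg_read", "read", "write"}

# Constructed audit.log lines modelled on the denial reported in the ticket.
SAMPLE_AUDIT_LOG = [
    'type=SERVICE_START msg=audit(1452196800.090:411): pid=1 uid=0 '
    'msg=\'unit=pulp_celerybeat comm="systemd" res=success\'',
    'type=AVC msg=audit(1452196800.101:412): avc:  denied  { setopt } for  '
    'pid=1689 comm="celery" scontext=system_u:system_r:celery_t:s0 '
    'tcontext=system_u:system_r:celery_t:s0 tclass=netlink_route_socket '
    'permissive=0',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def expand(name):
    """Flatten a refpolicy permission-set macro, following nested sets."""
    perms = set()
    for token in REFPOL_SETS[name].split():
        perms |= expand(token) if token in REFPOL_SETS else {token}
    return perms


def denied_permissions(lines):
    """Group denied permissions by (source type, target type, class)."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        # A context is user:role:type[:level]; the type is the third field.
        src = m["scon"].split(":")[2]
        tgt = m["tcon"].split(":")[2]
        denied[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(denied)


def to_allow_rules(denied):
    """Render the grouped denials the way audit2allow prints them."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denied.items()):
        target = "self" if src == tgt else tgt
        body = sorted(perms)
        perm_text = body[0] if len(body) == 1 else "{ " + " ".join(body) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_text};")
    return rules


def uncovered(denied, granted):
    """Denied permissions per rule key that `granted` does not include."""
    gaps = {key: perms - granted for key, perms in denied.items()}
    return {key: missing for key, missing in gaps.items() if missing}


if __name__ == "__main__":
    denied = denied_permissions(SAMPLE_AUDIT_LOG)
    print("\n".join(to_allow_rules(denied)))
    print("explicit list misses:", uncovered(denied, OLD_EXPLICIT))
    print("macro misses:", uncovered(denied, expand("r_netlink_socket_perms")))
```

Feeding it real records (for example the output of `ausearch -m avc`) before and after a policy change shows whether the loaded rule set still leaves a gap on a given distribution.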

Actions #24

Updated by bmbouter about 8 years ago

  • Status changed from ASSIGNED to POST
Actions #25

Updated by bmbouter about 8 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #26

Updated by dkliban@redhat.com about 8 years ago

  • Status changed from MODIFIED to 5
Actions #27

Updated by dkliban@redhat.com almost 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #28

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
