Through exploit I managed to raise the complete traceback:
pulp[14698]: celery.worker.job:ERROR: (14698-91008) Task pulp.server.tasks.repository.delete[423a6f92-df2b-484e-b87d-fd7fcf9f675d] raised unexpected: IOError(13, 'Permission denied')
pulp[14698]: celery.worker.job:ERROR: (14698-91008) Traceback (most recent call last):
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
pulp[14698]: celery.worker.job:ERROR: (14698-91008) R = retval = fun(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(Task, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(PulpTask, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return self.run(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 516, in delete
pulp[14698]: celery.worker.job:ERROR: (14698-91008) dist_controller.delete(distributor.repo_id, distributor.distributor_id)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/local.py", line 167, in <lambda>
pulp[14698]: celery.worker.job:ERROR: (14698-91008) __call__ = lambda x, *a, **kw: x._get_current_object()(*a, **kw)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(Task, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return super(PulpTask, self).__call__(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 438, in __protected_call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return orig(self, *args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/celery/app/task.py", line 420, in __call__
pulp[14698]: celery.worker.job:ERROR: (14698-91008) return self.run(*args, **kwargs)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/server/controllers/distributor.py", line 133, in delete
pulp[14698]: celery.worker.job:ERROR: (14698-91008) dist_instance.distributor_removed(repo.to_transfer_repo(), call_config)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/plugins/file/distributor.py", line 55, in distributor_removed
pulp[14698]: celery.worker.job:ERROR: (14698-91008) self.unpublish_repo(repo, config)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/iso_distributor/distributor.py", line 76, in unpublish_repo
pulp[14698]: celery.worker.job:ERROR: (14698-91008) publish.remove_repository_protection(transfer_repo.repo_obj)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/iso_distributor/publish.py", line 78, in remove_repository_protection
pulp[14698]: celery.worker.job:ERROR: (14698-91008) protected_repo_utils.delete_protected_repo(relative_path)
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/repoauth/protected_repo_utils.py", line 63, in delete_protected_repo
pulp[14698]: celery.worker.job:ERROR: (14698-91008) f.save()
pulp[14698]: celery.worker.job:ERROR: (14698-91008) File "/usr/lib/python2.7/site-packages/pulp/repoauth/protected_repo_utils.py", line 143, in save
pulp[14698]: celery.worker.job:ERROR: (14698-91008) f = open(self.filename, 'w')
pulp[14698]: celery.worker.job:ERROR: (14698-91008) IOError: [Errno 13] Permission denied: '/etc/pki/pulp/content/pulp-protected-repos'
When the denial occurs it produces the following SELinux denials:
type=AVC msg=audit(1455821948.486:3856): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821948.486:3856): arch=c000003e syscall=2 success=no exit=-13 a0=4f390f0 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1455821951.136:3864): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821951.136:3864): arch=c000003e syscall=2 success=no exit=-13 a0=4f43b50 a1=241 a2=1b6 a3=0 items=0 ppid=24702 pid=24813 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=25 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
Adds pulp_cert_t manage files and dirs to pulp-celery SELinux policy
closes #1688 https://pulp.plan.io/issues/1688
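
The denials quoted above can be tied back to the failing `open(self.filename, 'w')` in the traceback by joining each AVC record to the SYSCALL record with the same audit serial and decoding the `open` arguments. The following is an added example, not code from Pulp or from this report; the function names are hypothetical and the sample is the report's audit records trimmed to the fields used. It shows that `a1=241` is `O_WRONLY|O_CREAT|O_TRUNC` and that the denied `write` is on the directory `content` (`tclass=dir`), not on the file itself.

```python
import re
from collections import Counter

# Constructed sample: the audit records quoted in the report, trimmed to the fields used here.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1455821948.486:3856): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821948.486:3856): arch=c000003e syscall=2 success=no exit=-13 a0=4f390f0 a1=241 a2=1b6 a3=0 pid=24813 uid=48 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1455821951.136:3864): avc: denied { write } for pid=24813 comm="python" name="content" dev=dm-1 ino=146462 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1455821951.136:3864): arch=c000003e syscall=2 success=no exit=-13 a0=4f43b50 a1=241 a2=1b6 a3=0 pid=24813 uid=48 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# open(2) flag bits on Linux x86_64; the SYSCALL record logs a1 in hex.
OPEN_FLAGS = [(0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"),
              (0o1000, "O_TRUNC"), (0o2000, "O_APPEND")]


def decode_open_flags(hex_arg):
    value = int(hex_arg, 16)
    return [name for bit, name in OPEN_FLAGS if value & bit] or ["O_RDONLY"]


def correlate(text):
    """Join AVC and SYSCALL records that share an audit serial number."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(serial, {})
        perms = PERMS_RE.search(body)
        if rtype == "AVC" and perms:
            ev.update(perms=tuple(perms.group(1).split()), tclass=f["tclass"],
                      source=f["scontext"].split(":")[2],
                      target=f["tcontext"].split(":")[2], name=f.get("name"))
        elif rtype == "SYSCALL" and f.get("arch") == "c000003e" and f.get("syscall") == "2":
            # syscall 2 on x86_64 (arch c000003e) is open(path, flags, mode)
            ev.update(open_flags=decode_open_flags(f["a1"]),
                      mode=oct(int(f["a2"], 16)), exit=int(f["exit"]))
    return [ev for ev in events.values() if "perms" in ev]


def summarize(events):
    """Count distinct (source type, target type, class, perms) tuples for policy review."""
    return Counter((e["source"], e["target"], e["tclass"], e["perms"]) for e in events)
```
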