Issue #1711
closed
The pulp_streamer service fails to start with SELinux errors
Description
The pulp streamer fails to start during our Jenkies test runs on Fedora 22.
[jenkins@f22-vanilla-np-qeos-76048 ~]$ sudo journalctl -u pulp_streamer
-- Logs begin at Sun 2015-12-20 02:15:13 UTC, end at Tue 2016-02-23 19:54:51 UTC. --
Feb 23 19:18:57 f22-vanilla-np-qeos-76048 systemd[1]: Started The Pulp lazy content loading streamer.
Feb 23 19:18:57 f22-vanilla-np-qeos-76048 systemd[1]: Starting The Pulp lazy content loading streamer...
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: Unhandled Error
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: Traceback (most recent call last):
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 642, in run
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: runApp(config)
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/scripts/twistd.py", line 23, in runApp
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: _SomeApplicationRunner(config).run()
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 376, in run
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: self.application = self.createOrGetApplication()
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 441, in createOrGetApplication
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: application = getApplication(self.config, passphrase)
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: --- <exception caught here> ---
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/application/app.py", line 452, in getApplication
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: application = service.loadApplication(filename, style, passphrase)
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/application/service.py", line 403, in loadApplication
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: application = sob.loadValueFromFile(filename, 'application', passphrase)
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/twisted/persisted/sob.py", line 210, in loadValueFromFile
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: exec fileObj in d, d
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/share/pulp/wsgi/streamer.tac", line 10, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from pulp.server.logs import CompliantSysLogHandler
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib/python2.7/site-packages/pulp/server/logs.py", line 10, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from celery.signals import setup_logging
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib/python2.7/site-packages/celery/signals.py", line 16, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from .utils.dispatch import Signal
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib/python2.7/site-packages/celery/utils/__init__.py", line 27, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from celery.exceptions import CPendingDeprecationWarning, CDeprecationWarning
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib/python2.7/site-packages/celery/exceptions.py", line 15, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from billiard.exceptions import ( # noqa
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/billiard/__init__.py", line 51, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from .exceptions import ( # noqa
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/site-packages/billiard/exceptions.py", line 4, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from multiprocessing import (
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/multiprocessing/__init__.py", line 64, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: from multiprocessing.process import Process, current_process, active_children
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/multiprocessing/process.py", line 312, in <module>
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: _current_process = _MainProcess()
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: File "/usr/lib64/python2.7/multiprocessing/process.py", line 309, in __init__
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: self._authkey = AuthenticationString(os.urandom(32))
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: exceptions.NotImplementedError: /dev/urandom (or equivalent) not found
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 pulp_streamer[14082]: Failed to load application: /dev/urandom (or equivalent) not found
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 systemd[1]: pulp_streamer.service: main process exited, code=exited, status=1/FAILURE
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 systemd[1]: Unit pulp_streamer.service entered failed state.
Feb 23 19:18:59 f22-vanilla-np-qeos-76048 systemd[1]: pulp_streamer.service failed.
[jenkins@f22-vanilla-np-qeos-76048 ~]$
This occurs because of an SELinux denial to the random source:
[jenkins@f22-vanilla-np-qeos-76048 ~]$ sudo audit2allow -a
#============= dmidecode_t ==============
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow dmidecode_t urandom_device_t:chr_file read;
#============= streamer_t ==============
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow streamer_t random_device_t:chr_file read;
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow streamer_t urandom_device_t:chr_file read;
[jenkins@f22-vanilla-np-qeos-76048 ~]$
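Added example (not part of the original issue and not Pulp's own policy code): a small Python parser for the audit2allow output above that keeps only the streamer_t denials and maps each one to a narrow refpolicy interface rather than enabling the suggested booleans, which would also affect other domains. The INTERFACES table and the function names are assumptions of this example; dev_read_urand is the interface named in the fix commit on this page, and dev_read_rand is its refpolicy counterpart for /dev/random.

```python
import re

# audit2allow -a output copied from the issue description above.
AUDIT2ALLOW_OUTPUT = """\
#============= dmidecode_t ==============
#!!!! This avc can be allowed using the boolean 'global_ssp'
allow dmidecode_t urandom_device_t:chr_file read;
#============= streamer_t ==============
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow streamer_t random_device_t:chr_file read;
#!!!! This avc can be allowed using one of the these booleans:
# authlogin_nsswitch_use_ldap, global_ssp
allow streamer_t urandom_device_t:chr_file read;
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);\s*$")

# Assumption of this example: denied access -> interface granting only that access.
INTERFACES = {("urandom_device_t", "chr_file", ("read",)): "dev_read_urand",
              ("random_device_t", "chr_file", ("read",)): "dev_read_rand"}

def parse(text):
    """Return one dict per allow rule, with the booleans audit2allow offered for it."""
    rules, booleans, want_list = [], [], False
    for line in map(str.strip, text.splitlines()):
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append({"source": src, "target": tgt, "class": cls,
                          "perms": tuple(sorted(perms.strip("{} ").split())),
                          "booleans": booleans})
            booleans, want_list = [], False
        elif line.startswith("#!!!!"):
            # Single boolean is quoted on this line; a list follows on the next.
            booleans = re.findall(r"'([^']+)'", line)
            want_list = line.endswith(":")
        elif want_list and line.startswith("#"):
            booleans = [b.strip() for b in line.lstrip("# ").split(",")]
            want_list = False
    return rules

def targeted_fix(text, domain):
    """Policy lines for one source domain only, preferring a narrow interface."""
    out = []
    for r in parse(text):
        if r["source"] == domain:
            iface = INTERFACES.get((r["target"], r["class"], r["perms"]))
            raw = "allow %s %s:%s { %s };" % (domain, r["target"], r["class"], " ".join(r["perms"]))
            out.append("%s(%s)" % (iface, domain) if iface else raw)
    return out
```

Calling `targeted_fix(AUDIT2ALLOW_OUTPUT, "streamer_t")` leaves the unrelated dmidecode_t denial out of the result, so it does not end up in the streamer's module.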
Updated by rbarlow over 8 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to rbarlow
- Triaged changed from No to Yes
Here I go, here I go on my own!
Updated by rbarlow over 8 years ago
- Status changed from ASSIGNED to POST
https://github.com/pulp/pulp/pull/2457
I have tested my current change proposal on Fedora 22. I am now setting up a RHEL 6 machine to test.
Added by rbarlow over 8 years ago
Revision 5a3d9361
Add dev_read_urand to the pulp_streamer_t policy.
This commit adds an SELinux rule to allow the streamer to access /dev/urandom.
https://pulp.plan.io/issues/1459 https://pulp.plan.io/issues/1711
Updated by rbarlow over 8 years ago
- Subject changed from The pulp_streamer.service fails to start on Fedora 22. to The pulp_streamer service fails to start with SELinux errors
I have determined that there were also missing permissions on EL 6, and have broadened the ticket to reflect that. The current pull request allows the streamer to start on both EL 6 and Fedora 22. I have not tested EL 7, F23, F24, or Rawhide, but I think we can leave that up to Jenkies.
Updated by rbarlow over 8 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|5a3d936130d5fd96811ae1098c8e3d0b3dead2da.
Updated by dkliban@redhat.com over 8 years ago
- Status changed from MODIFIED to 5
Updated by bmbouter over 8 years ago
- Has duplicate Issue #1756: pulp_streamer service fails to start with SELinux errors on RHEL6 added
Updated by dkliban@redhat.com over 8 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE