Issue #1730
closed
SELinux prevents streamer from starting if 'gcc' is installed
Description
Have an up-to-date EL6 machine with gcc installed and SELinux enforcing. Then attempt to start the streamer with:
sudo service pulp_streamer start
The streamer will not start, and you'll receive a traceback similar to:
[root@rhel6-vanilla-np-qeos-78533 pulp]# service pulp_streamer start
Starting pulp_streamer...
/usr/lib/python2.6/site-packages/pulp/server/db/connection.py:159: DeprecationWarning: add_son_manipulator is deprecated
  _DATABASE.add_son_manipulator(NamespaceInjector())
/usr/lib/python2.6/site-packages/pulp/server/db/model/base.py:96: DeprecationWarning: ensure_index is deprecated. Use create_index instead.
  unique=unique, background=True)
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 694, in run
    runApp(config)
  File "/usr/lib64/python2.6/site-packages/twisted/scripts/twistd.py", line 23, in runApp
    _SomeApplicationRunner(config).run()
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 411, in run
    self.application = self.createOrGetApplication()
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 494, in createOrGetApplication
    application = getApplication(self.config, passphrase)
--- <exception caught here> ---
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 505, in getApplication
    application = service.loadApplication(filename, style, passphrase)
  File "/usr/lib64/python2.6/site-packages/twisted/application/service.py", line 390, in loadApplication
    application = sob.loadValueFromFile(filename, 'application', passphrase)
  File "/usr/lib64/python2.6/site-packages/twisted/persisted/sob.py", line 215, in loadValueFromFile
    exec fileObj in d, d
  File "/usr/share/pulp/wsgi/streamer.tac", line 56, in <module>
    manager_factory.initialize()
  File "/usr/lib/python2.6/site-packages/pulp/server/managers/factory.py", line 349, in initialize
    from pulp.server.managers.consumer.agent import AgentManager
  File "/usr/lib/python2.6/site-packages/pulp/server/managers/consumer/agent.py", line 18, in <module>
    from pulp.server.agent.context import Context
  File "/usr/lib/python2.6/site-packages/pulp/server/agent/context.py", line 18, in <module>
    from pulp.server.agent.direct.services import ReplyHandler
  File "/usr/lib/python2.6/site-packages/pulp/server/agent/direct/services.py", line 6, in <module>
    from gofer.rmi.async import ReplyConsumer, Listener
  File "/usr/lib/python2.6/site-packages/gofer/rmi/async.py", line 24, in <module>
    from gofer.rmi.dispatcher import Reply, Return, RemoteException
  File "/usr/lib/python2.6/site-packages/gofer/rmi/dispatcher.py", line 27, in <module>
    from gofer.pam import authenticate as pam_authenticate
  File "/usr/lib/python2.6/site-packages/gofer/pam.py", line 28, in <module>
    libc = CDLL(find_library('c'))
  File "/usr/lib64/python2.6/ctypes/util.py", line 209, in find_library
    return _findSoname_ldconfig(name) or _get_soname(_findLib_gcc(name))
  File "/usr/lib64/python2.6/ctypes/util.py", line 93, in _findLib_gcc
    fdout, ccout = tempfile.mkstemp()
  File "/usr/lib64/python2.6/tempfile.py", line 286, in mkstemp
    dir = gettempdir()
  File "/usr/lib64/python2.6/tempfile.py", line 254, in gettempdir
    tempdir = _get_default_tempdir()
  File "/usr/lib64/python2.6/tempfile.py", line 201, in _get_default_tempdir
    ("No usable temporary directory found in %s" % dirlist))
exceptions.IOError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/var/www']
Failed to load application: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/var/www']
OK
Updated by bmbouter almost 8 years ago
After discussion w/ jortel, the proposed adjustment is in gofer. The idea is to move all of the import time statements in pam.py[0] to a guarded function called _pam_initialize() which will be called exactly once upon the first call to authenticate[1].
A test of the viability was done on a machine that showed the issue in the first place. pam.py was modified to remove all code except authenticate(), which performed a no-op. With this change and SELinux enforcing, the streamer starts normally as expected.
[0]: https://github.com/jortel/gofer/blob/b4d47d770cdcd4e457cdeb07c8780abb1dd000bd/src/gofer/pam.py
[1]: https://github.com/jortel/gofer/blob/b4d47d770cdcd4e457cdeb07c8780abb1dd000bd/src/gofer/pam.py#L111
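The deferral proposed in the comment above, as an added example that is not part of the original comment and is not gofer's code: a lazy wrapper that resolves the C library on first use instead of at import, so a confined process that only imports the module never reaches the temp-directory lookup. `LazyLibrary`, `libc`, `c_strlen` (a stand-in for `authenticate()`) and `denied_finder` are hypothetical names.

```python
import threading
from ctypes import CDLL, c_char_p, c_size_t
from ctypes.util import find_library


class LazyLibrary(object):
    """Defer find_library()/CDLL() from import time to first use."""

    def __init__(self, name, finder=find_library, loader=CDLL):
        self._name = name
        self._finder = finder      # may spawn gcc/ldconfig and need a temp dir
        self._loader = loader
        self._lock = threading.Lock()
        self._lib = None
        self.init_calls = 0        # kept only so the behaviour can be checked

    def _initialize(self):
        # Plays the role of the guarded _pam_initialize() described above.
        self.init_calls += 1
        return self._loader(self._finder(self._name))

    def get(self):
        if self._lib is None:
            with self._lock:
                if self._lib is None:   # re-check under the lock
                    # A failure is not cached, so a later call retries.
                    self._lib = self._initialize()
        return self._lib


# Importing this module only builds the wrapper; nothing is resolved yet,
# so a process that never authenticates never touches the temp directory.
libc = LazyLibrary('c')


def c_strlen(data, lib=libc):
    """Stand-in for authenticate(): the first call triggers the load."""
    fn = lib.get().strlen
    fn.argtypes, fn.restype = [c_char_p], c_size_t
    return fn(data)


def denied_finder(name):
    # Constructed failure mimicking the traceback's tempfile error.
    raise IOError(2, "No usable temporary directory found")
```

With `denied_finder` injected, constructing the wrapper succeeds and the error only surfaces on the first `get()`, which is the difference between failing at service start and failing at the first authentication request.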
Updated by jortel@redhat.com almost 8 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to jortel@redhat.com
Updated by jortel@redhat.com almost 8 years ago
Fixed in gofer 2.7.5 upstream. Available here: https://copr.fedorainfracloud.org/coprs/jortel/gofer/ and will get built in Fedora updates and koji ASAP.
Updated by jortel@redhat.com almost 8 years ago
- Status changed from ASSIGNED to MODIFIED
- Triaged changed from Yes to No
Updated by jortel@redhat.com almost 8 years ago
Updated external deps: https://github.com/pulp/pulp/pull/2464
Updated by dkliban@redhat.com almost 8 years ago
- Status changed from MODIFIED to 5
Updated by dkliban@redhat.com over 7 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE