Issue #1764

closed

SELinux denial on Celery attempting to read resolv.conf

Added by rbarlow about 8 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Master
Platform Release:
2.8.3
OS:
Fedora Rawhide
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

It seems that we are missing an SELinux permission and are being denied read access on the resolv.conf file:

type=AVC msg=audit(1457559807.664:2336): avc:  denied  { read } for  pid=4876 comm="celery" name="resolv.conf" dev="dm-0" ino=261406 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0

audit2allow recommends this policy change:

$ sudo audit2allow -al

#============= celery_t ==============
allow celery_t net_conf_t:lnk_file read;
Actions #1

Updated by rbarlow about 8 years ago

I believe that this is more than just an SELinux issue. It seems that the sender parameter we are receiving from Celery in our initialize_worker() function is not the hostname of the worker, as documented by us and by Celery. Instead, on Fedora Rawhide it is "resource_manager@/root". This is the reason we are receiving the "No such file or directory" error.

I've filed a Celery bug about the incorrect documentation, as well as the missing hostname.

I believe the missing hostname will not be a problem for us, as we do not recommend that our users share /var/cache/pulp across machines.

https://github.com/celery/celery/issues/3104

Actions #2

Updated by rbarlow about 8 years ago

  • Subject changed from Pulp celery workers cannot start on Fedora Rawhide, and likely Fedora 24 to SELinux denial on Celery attempting to read resolv.conf
  • Severity changed from 3. High to 2. Medium

This non-starting turned out to be a bug in systemd, and it looks like there was even an update to the systemd package overnight that fixed it on my dev box. Isn't it great when bugs get fixed without you even having to report them? The issue was that our unit files were using the %%h macro to substitute the hostname into Celery's --hostname argument. It turned out that systemd had been substituting "/root" instead of the hostname.

However, the SELinux denial remains so I am leaving this ticket open.

Actions #3

Updated by rbarlow about 8 years ago

  • Severity changed from 2. Medium to 3. High

This SELinux denial is causing Celery to be unable to resolve hostnames. During a docker sync, I see this error:

Mar 10 12:18:56 boole.usersys.redhat.com pulp[1601]: nectar.downloaders.threaded:WARNING: Skipping requests to registry-1.docker.io due to repeated connection failures: HTTPSConnectionPool(host='registry-1.docker.io', port=443): Max retries exceeded with url: /v2/ (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fa5a8872510>: Failed to establish a new connection: [Errno -2] Name or service not known',))
Actions #4

Updated by rbarlow about 8 years ago

  • Description updated
Actions #5

Updated by mhrivnak about 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to rbarlow
  • Platform Release set to 2.8.1
  • Triaged changed from No to Yes
Actions #6

Updated by rbarlow about 8 years ago

  • Status changed from ASSIGNED to POST

I am still testing this change, but here is a pull request with a fix that does work on Rawhide:

https://github.com/pulp/pulp/pull/2477

Actions #7

Updated by rbarlow about 8 years ago

After running pulp-smash, I see one more recommendation from audit2allow:

#============= celery_t ==============
allow celery_t self:process setrlimit;

Added by Randy Barlow about 8 years ago

Revision c1011cde | View on GitHub

Allow the Celery process to resolve domain names.

Fedora Rawhide restricts access to /etc/resolv.conf. This commit adds the sysnet_dns_name_resolve policy to the celery_t context which allows it to resolve hostnames.

https://pulp.plan.io/issues/1764

fixes #1764

Actions #8

Updated by Anonymous about 8 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #9

Updated by semyers about 8 years ago

  • Status changed from MODIFIED to 5

Added by Randy Barlow almost 8 years ago

Revision d2521fab | View on GitHub

Allow the Celery process to resolve domain names.

Fedora Rawhide restricts access to /etc/resolv.conf. This commit adds the auth_use_nss policy to the celery_t context which allows it to resolve hostnames.

https://pulp.plan.io/issues/1764

fixes #1764
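The description shows what audit2allow proposes for the resolv.conf denial (a single allow rule on net_conf_t:lnk_file), while both fix commits instead add a refpolicy interface (sysnet_dns_name_resolve, later auth_use_nss) to celery_t. The script below is an added example for this page, not Pulp's policy or its tooling: it parses AVC records from an audit log, prints the audit2allow-style literal rules, and then generates a policy_module-style .te source that calls an interface wherever a (target type, object class) pair is known to be one symptom of a larger operation. The INTERFACE_HINTS table and the module name celery_dns are assumptions made for the example; the sample records are constructed, with the first copied from this issue and the second modelled on the setrlimit denial reported in comment #7.

```python
import re
from collections import defaultdict

# Constructed sample audit records for this example. The first is the denial
# quoted in the issue description; the second is modelled on the setrlimit
# denial reported after the pulp-smash run; the third is a non-AVC record
# that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1457559807.664:2336): avc:  denied  { read } for  pid=4876 comm="celery" name="resolv.conf" dev="dm-0" ino=261406 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1457560001.000:2400): avc:  denied  { setrlimit } for  pid=4877 comm="celery" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:system_r:celery_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1457559807.664:2336): arch=c000003e syscall=2 success=no exit=-13 comm="celery"
"""

# Assumed mapping, not something audit2allow knows about: a denial on this
# (target type, object class) pair is one symptom of a larger operation that a
# refpolicy interface grants as a whole. The entry here is the interface the
# first fix in this issue used; add rows for other subsystems as you meet them.
INTERFACE_HINTS = {
    ("net_conf_t", "lnk_file"): "sysnet_dns_name_resolve",
    ("net_conf_t", "file"): "sysnet_dns_name_resolve",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = context_type(m.group("scontext"))
    ttype = context_type(m.group("tcontext"))
    return {
        "perms": tuple(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        # audit2allow writes the target as 'self' when both types match
        "target": "self" if ttype == stype else ttype,
        "tclass": m.group("tclass"),
    }


def fmt_perms(perms):
    """SELinux permission-set syntax: a bare name for one, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def raw_allow_rules(lines):
    """What audit2allow prints: one literal allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            perms[(d["stype"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(perms.items())]


def build_module(lines, name="celery_dns", version="1.0"):
    """Refpolicy-style .te source: an interface call where a hint matches, a raw rule otherwise."""
    interfaces = defaultdict(set)  # source type -> interface names
    perms = defaultdict(set)       # (source, target, class) -> permissions
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        hint = INTERFACE_HINTS.get((d["ttype"], d["tclass"]))
        if hint:
            interfaces[d["stype"]].add(hint)
        else:
            perms[(d["stype"], d["target"], d["tclass"])].update(d["perms"])
    # Every type the module references but does not define must be required.
    required = set(interfaces)
    for s, t, _ in perms:
        required.add(s)
        if t != "self":
            required.add(t)
    out = [f"policy_module({name}, {version})", "", "gen_require(`"]
    out += [f"\ttype {t};" for t in sorted(required)]
    out += ["')", ""]
    for stype in sorted(interfaces):
        out += [f"{iface}({stype})" for iface in sorted(interfaces[stype])]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(perms.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    records = SAMPLE_AUDIT_LOG.splitlines()
    print("# audit2allow would suggest:")
    print("\n".join(raw_allow_rules(records)))
    print("\n# interface-based module:")
    print(build_module(records))
```

The generated .te needs the refpolicy m4 macros, so build it with the selinux-policy-devel Makefile (make -f /usr/share/selinux/devel/Makefile celery_dns.pp), load it with semodule -i celery_dns.pp, re-run the workload, and confirm with audit2allow -al or ausearch -m avc -ts recent that nothing is left, which is the check the verification comment on this issue performs. The setrlimit denial has no interface hint, so it stays a literal self:process rule, which is the appropriate shape for that one.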

Actions #10

Updated by Anonymous almost 8 years ago

  • Status changed from 5 to MODIFIED
Actions #11

Updated by semyers almost 8 years ago

  • Platform Release changed from 2.8.1 to 2.8.2
Actions #12

Updated by semyers almost 8 years ago

  • Platform Release changed from 2.8.2 to 2.8.3
Actions #13

Updated by semyers almost 8 years ago

  • Status changed from MODIFIED to 5
Actions #14

Updated by pthomas@redhat.com almost 8 years ago

  • Status changed from 5 to 6

verified

[root@ibm-x3550m3-09 ~]# sudo audit2allow -al

[root@ibm-x3550m3-09 ~]# rpm -qa |grep pulp
python-pulp-common-2.8.3-0.2.beta.el7.noarch
python-kombu-3.0.33-5.pulp.el7.noarch
python-pulp-rpm-common-2.8.3-0.2.beta.el7.noarch
pulp-server-2.8.3-0.2.beta.el7.noarch
pulp-docker-plugins-2.0.1-0.2.beta.el7.noarch
pulp-admin-client-2.8.3-0.2.beta.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
python-pulp-puppet-common-2.8.3-0.2.beta.el7.noarch
python-pulp-docker-common-2.0.1-0.2.beta.el7.noarch
python-pulp-oid_validation-2.8.3-0.2.beta.el7.noarch
pulp-rpm-plugins-2.8.3-0.2.beta.el7.noarch
pulp-puppet-plugins-2.8.3-0.2.beta.el7.noarch
python-pulp-bindings-2.8.3-0.2.beta.el7.noarch
pulp-puppet-admin-extensions-2.8.3-0.2.beta.el7.noarch
pulp-docker-admin-extensions-2.0.1-0.2.beta.el7.noarch
python-pulp-streamer-2.8.3-0.2.beta.el7.noarch
python-pulp-repoauth-2.8.3-0.2.beta.el7.noarch
pulp-selinux-2.8.3-0.2.beta.el7.noarch
python-pulp-client-lib-2.8.3-0.2.beta.el7.noarch
pulp-rpm-admin-extensions-2.8.3-0.2.beta.el7.noarch
[root@ibm-x3550m3-09 ~]# 
Actions #15

Updated by semyers almost 8 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE
Actions #17

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
