Issue #1764
closed
SELinux denial on Celery attempting to read resolv.conf
Description
It seems that we are missing an SELinux permission and are being denied read access on the resolv.conf file:
type=AVC msg=audit(1457559807.664:2336): avc: denied { read } for pid=4876 comm="celery" name="resolv.conf" dev="dm-0" ino=261406 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0
audit2allow recommends this policy change:
$ sudo audit2allow -al
#============= celery_t ==============
allow celery_t net_conf_t:lnk_file read;
Updated by rbarlow about 7 years ago
I believe that this is more than just an SELinux issue. It seems that the sender parameter we are receiving from Celery in our initialize_worker() function is not the hostname of the worker, as documented by us and by Celery. Instead, on Fedora Rawhide it is "resource_manager@/root". This is the reason we are receiving the "No such file or directory" error.
I've filed a Celery bug about the incorrect documentation, as well as the missing hostname.
I believe the missing hostname will not be a problem for us, as we do not recommend that our users share /var/cache/pulp across machines.
Updated by rbarlow about 7 years ago
- Subject changed from Pulp celery workers cannot start on Fedora Rawhide, and likely Fedora 24 to SELinux denial on Celery attempting to read resolv.conf
- Severity changed from 3. High to 2. Medium
This non-starting turned out to be a bug in systemd, and it looks like there was even an update to the systemd package overnight that fixed it on my dev box. Isn't it great when bugs get fixed without you even having to report them? The issue was that our unit files were using the %%h macro to substitute the hostname into Celery's --hostname argument. It turned out that systemd had been substituting "/root" instead of the hostname.
However, the SELinux denial remains so I am leaving this ticket open.
Updated by rbarlow about 7 years ago
- Severity changed from 2. Medium to 3. High
This SELinux denial is causing Celery to be unable to resolve hostnames. During a docker sync, I see this error:
Mar 10 12:18:56 boole.usersys.redhat.com pulp[1601]: nectar.downloaders.threaded:WARNING: Skipping requests to registry-1.docker.io due to repeated connection failures: HTTPSConnectionPool(host='registry-1.docker.io', port=443): Max retr
ies exceeded with url: /v2/ (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fa5a8872510>: Failed to establish a new connection: [Errno -2] Name or service not known',))
Updated by mhrivnak about 7 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to rbarlow
- Platform Release set to 2.8.1
- Triaged changed from No to Yes
Updated by rbarlow about 7 years ago
- Status changed from ASSIGNED to POST
I am still testing this change, but here is a pull request with a fix that does work on Rawhide:
Updated by rbarlow about 7 years ago
After running pulp-smash, I see one more recommendation from audit2allow:
#============= celery_t ==============
allow celery_t self:process setrlimit;
Added by Randy Barlow about 7 years ago
Added by Randy Barlow about 7 years ago
Allow the Celery process to resolve domain names.
Fedora Rawhide restricts access to /etc/resolv.conf. This commit adds the sysnet_dns_name_resolve policy to the celery_t context which allows it to resolve hostnames.
https://pulp.plan.io/issues/1764
fixes #1764
Updated by Anonymous about 7 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|c1011cde0b26a48ac75af8fd7b31755c468f6095.
Added by Randy Barlow about 7 years ago
Allow the Celery process to resolve domain names.
Fedora Rawhide restricts access to /etc/resolv.conf. This commit adds the auth_use_nss policy to the celery_t context which allows it to resolve hostnames.
https://pulp.plan.io/issues/1764
fixes #1764
Added by Randy Barlow about 7 years ago
Allow the Celery process to resolve domain names.
Fedora Rawhide restricts access to /etc/resolv.conf. This commit adds the auth_use_nss policy to the celery_t context which allows it to resolve hostnames.
https://pulp.plan.io/issues/1764
fixes #1764
Updated by Anonymous about 7 years ago
- Status changed from 5 to MODIFIED
Applied in changeset pulp|d2521fabb524ec0faafa77eeb0432145bca3e70d.
Updated by semyers about 7 years ago
- Platform Release changed from 2.8.1 to 2.8.2
Updated by semyers about 7 years ago
- Platform Release changed from 2.8.2 to 2.8.3
Updated by pthomas@redhat.com about 7 years ago
- Status changed from 5 to 6
verified
[root@ibm-x3550m3-09 ~]# sudo audit2allow -al
[root@ibm-x3550m3-09 ~]# rpm -qa |grep pulp
python-pulp-common-2.8.3-0.2.beta.el7.noarch
python-kombu-3.0.33-5.pulp.el7.noarch
python-pulp-rpm-common-2.8.3-0.2.beta.el7.noarch
pulp-server-2.8.3-0.2.beta.el7.noarch
pulp-docker-plugins-2.0.1-0.2.beta.el7.noarch
pulp-admin-client-2.8.3-0.2.beta.el7.noarch
python-isodate-0.5.0-4.pulp.el7.noarch
python-pulp-puppet-common-2.8.3-0.2.beta.el7.noarch
python-pulp-docker-common-2.0.1-0.2.beta.el7.noarch
python-pulp-oid_validation-2.8.3-0.2.beta.el7.noarch
pulp-rpm-plugins-2.8.3-0.2.beta.el7.noarch
pulp-puppet-plugins-2.8.3-0.2.beta.el7.noarch
python-pulp-bindings-2.8.3-0.2.beta.el7.noarch
pulp-puppet-admin-extensions-2.8.3-0.2.beta.el7.noarch
pulp-docker-admin-extensions-2.0.1-0.2.beta.el7.noarch
python-pulp-streamer-2.8.3-0.2.beta.el7.noarch
python-pulp-repoauth-2.8.3-0.2.beta.el7.noarch
pulp-selinux-2.8.3-0.2.beta.el7.noarch
python-pulp-client-lib-2.8.3-0.2.beta.el7.noarch
pulp-rpm-admin-extensions-2.8.3-0.2.beta.el7.noarch
[root@ibm-x3550m3-09 ~]#
Updated by semyers about 7 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
.
Allow the Celery process to resolve domain names.
Fedora Rawhide restricts access to /etc/resolv.conf. This commit adds the sysnet_dns_name_resolve policy to the celery_t context which allows it to resolve hostnames.
https://pulp.plan.io/issues/1764
fixes #1764