Issue #2167: Cannot sync repositories from filesystem with selinux enabled - Pulp

Actions

Send by e-mail Copy link

Issue #2167

closed

Cannot sync repositories from filesystem with selinux enabled

Added by daviddavis over 7 years ago. Updated about 5 years ago.

Status:

CLOSED - NOTABUG

Priority:

Normal

Assignee:

Category:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

2.8.4

Platform Release:

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2

Sprint:

Quarter:

Description

Steps:

getenforce # make sure selinux is on
mkdir modules
chown 777 modules
pulp-puppet-module-builder --output-dir=/modules --url=https://github.com/puppetlabs/puppetlabs-apache.git
pulp-admin puppet repo create --repo-id test --feed "file:///modules"
pulp-admin puppet repo sync run --repo-id test

The sync will fail with selinux denials:

type=AVC msg=audit(1470928423.205:2407): avc:  denied  { read } for  pid=26322 comm="celery" name="PULP_MANIFEST" dev="vda3" ino=2359298 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1470928423.205:2407): arch=c000003e syscall=2 success=no exit=-13 a0=3188980 a1=0 a2=1b6 a3=24 items=0 ppid=26037 pid=26322 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1470928423.242:2408): avc:  denied  { open } for  pid=30414 comm="celery" path="/etc/hosts" dev="vda3" ino=8633 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1470928423.242:2408): arch=c000003e syscall=2 success=no exit=-13 a0=7f02bcb1c47e a1=80000 a2=1b6 a3=24 items=0 ppid=26037 pid=30414 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)

I haven't tested but I think this issue may also exist for other file types like yum.

Actions

Copy link

Updated by daviddavis over 7 years ago

Subject changed from Cannot sync file repositories with selinux enabled to Cannot sync repositories from filesystem with selinux enabled

Actions

Copy link

Updated by bmbouter over 7 years ago

Status changed from NEW to CLOSED - NOTABUG
Triaged changed from No to Yes

The root cause of this error is that the files being synced have unexpected SELinux labels. Pulp can't read from user_tmp_t. I'm going to close this as NOTABUG, and mark it related to 1560 which outlines the SELinux you should apply to files before they are imported. See [0] for more info.

[0]: https://pulp.plan.io/issues/1560

Actions

Copy link