Issue #2277

Content published using move (instead of copy) causes 404 due to selinux denial.

Added by Ichimonji10 about 4 years ago. Updated over 1 year ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Urgent
Category:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
2.10.1
Platform Release:
2.10.1
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 9
Quarter:

Description

Let's say one executes the following script:

pulp-admin rpm repo create --repo-id foo --feed https://repos.fedorapeople.org/pulp/pulp/fixtures/rpm/
pulp-admin rpm repo sync run --repo-id foo
wget --no-check-certificate https://localhost/pulp/repos/pulp/pulp/fixtures/rpm/bear-4.1-1.noarch.rpm
pulp-admin rpm repo delete --repo-id foo

This should work, but it doesn't under the current nightly builds of Pulp 2.10 and 2.11. The wget step fails with an HTTP 404. Why does it fail? Because of an SELinux denial. If SELinux is disabled, the script above succeeds.

It's not just the RPM plugin that suffers from SELinux denials. Here are some journal entries from a failed RPM repository publish:

Sep 22 11:39:14 example.com pulp[8792]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._queue_reserved_task[786fdf54-f9f8-45ad-b974-8151010cb408]
Sep 22 11:39:14 example.com pulp[8730]: celery.worker.strategy:INFO: Received task: pulp.server.managers.repo.publish.publish[80db8bf1-7f2f-4625-b673-30893b06bb1b]
Sep 22 11:39:14 example.com pulp[8730]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[22a530c5-a514-437c-a554-999b049b1e13]
Sep 22 11:39:14 example.com pulp[8792]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[786fdf54-f9f8-45ad-b974-8151010cb408] succeeded in 0.0355534609998s: None
Sep 22 11:39:14 example.com pulp[8730]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[80db8bf1-7f2f-4625-b673-30893b06bb1b] succeeded in 0.188737557s: {'exception': None, 'repo_id': u'15421972-73ad-45d8-a908-1f583ee01ea3', 'traceback': None, 'started': '2016-09-22T15:39:14Z',...
Sep 22 11:39:14 example.com pulp[8730]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[22a530c5-a514-437c-a554-999b049b1e13] succeeded in 0.0058686479997s: None
Sep 22 11:39:24 example.com audit[8990]: AVC avc:  denied  { getattr } for  pid=8990 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/77e0fa17-6fd4-4631-ae43-500355556f68/1474558752.03/bear-4.1-1.noarch.rpm" dev="dm-0" ino=658416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=0
Sep 22 11:39:24 example.com audit[8990]: AVC avc:  denied  { getattr } for  pid=8990 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/77e0fa17-6fd4-4631-ae43-500355556f68/1474558752.03/bear-4.1-1.noarch.rpm" dev="dm-0" ino=658416 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=0
Sep 22 11:39:24 example.com pulp[8857]: django.request:WARNING: Not Found: /var/www/pub/yum/https/repos/ddb5529c-85de-43e1-8dcc-fa2920f5d23a/bear-4.1-1.noarch.rpm
Sep 22 11:39:27 example.com audit[9039]: AVC avc:  denied  { getattr } for  pid=9039 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/15421972-73ad-45d8-a908-1f583ee01ea3/1474558754.52/bear-4.1-1.noarch.rpm" dev="dm-0" ino=658438 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=0
Sep 22 11:39:27 example.com audit[9039]: AVC avc:  denied  { getattr } for  pid=9039 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/15421972-73ad-45d8-a908-1f583ee01ea3/1474558754.52/bear-4.1-1.noarch.rpm" dev="dm-0" ino=658438 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=0
Sep 22 11:39:27 example.com pulp[8856]: django.request:WARNING: Not Found: /var/www/pub/yum/https/repos/b14dbebb-3cf6-4974-ac6c-2cd6f6198b61/bear-4.1-1.noarch.rpm
Sep 22 11:39:29 example.com pulp[8854]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS

And here are some journal entries from a failed Docker image publish:

Sep 22 13:27:02 example.com pulp[12819]: celery.worker.strategy:INFO: Received task: pulp.server.managers.repo.publish.publish[9e5329e7-b9ee-4e4a-a11f-eb443b8e9019]
Sep 22 13:27:02 example.com pulp[12819]: celery.worker.strategy:INFO: Received task: pulp.server.async.tasks._release_resource[cb9f6aa3-47d3-4701-a845-5da21e1ea713]
Sep 22 13:27:02 example.com pulp[12684]: celery.worker.job:INFO: Task pulp.server.async.tasks._queue_reserved_task[5f56d2e7-7c04-4d57-972b-f6a5bc2e3c8d] succeeded in 0.0367998849997s: None
Sep 22 13:27:03 example.com pulp[12819]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[9e5329e7-b9ee-4e4a-a11f-eb443b8e9019] succeeded in 0.712945763002s: {'exception': None, 'repo_id': u'65e8a280-d78c-4d8e-9454-4f20e5672870', 'traceback': None, 'started': '2016-09-22T17:27:02Z',...
Sep 22 13:27:03 example.com pulp[12819]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[cb9f6aa3-47d3-4701-a845-5da21e1ea713] succeeded in 0.00820000000022s: None
Sep 22 13:27:05 example.com sudo[13755]:     root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/bin/cat /var/lib/pulp/published/docker/v2/app/65e8a280-d78c-4d8e-9454-4f20e5672870.json
Sep 22 13:27:05 example.com audit[13755]: USER_CMD pid=13755 uid=0 auid=0 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=636174202F7661722F6C69622F70756C702F7075626C69736865642F646F636B65722F76322F6170702F36356538613238302D643738632D346438652D393435342D3466323065353637323837302E6A736F6E terminal=? res=success'
Sep 22 13:27:05 example.com audit[12728]: AVC avc:  denied  { getattr } for  pid=12728 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/65e8a280-d78c-4d8e-9454-4f20e5672870/1474565222.52/tags/list" dev="dm-0" ino=1073976 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=0
Sep 22 13:27:05 example.com audit[12728]: AVC avc:  denied  { getattr } for  pid=12728 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/65e8a280-d78c-4d8e-9454-4f20e5672870/1474565222.52/tags/list" dev="dm-0" ino=1073976 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=0

Both of the failed publishes generated AVC avc: denied journal entries.

Here's a more full-fledged script for determining exactly what's wrong:

#!/usr/bin/env bash
#
# Demonstrate the issue with Pulp and get information about it. All statements
# with `|| true` appended are known to return non-zero exit codes.
#
set -euo pipefail

# Configure SELinux
setenforce 0
echo > /var/log/audit/audit.log
semodule -R

# Execute problematic actions
pulp-admin rpm repo create --repo-id foo --feed https://repos.fedorapeople.org/pulp/pulp/fixtures/rpm/
pulp-admin rpm repo sync run --repo-id foo
wget --no-check-certificate https://localhost/pulp/repos/pulp/pulp/fixtures/rpm/bear-4.1-1.noarch.rpm
pulp-admin rpm repo delete --repo-id foo

# Get info
set -x
audit2allow -al
audit2allow -Ral || true
cat /var/log/audit/audit.log

In this script, SELinux is set to permissive mode, and as a result, the publish and subsequent wget succeed. Here are the last few lines of output:

+ audit2allow -al

#============= httpd_t ==============
allow httpd_t pulp_var_cache_t:lnk_file { read getattr };
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log

type=MAC_POLICY_LOAD msg=audit(1474569379.871:2460): policy loaded auid=0 ses=7
type=AVC msg=audit(1474569390.690:2461): avc:  denied  { getattr } for  pid=23325 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/foo/1474569388.72/bear-4.1-1.noarch.rpm" dev="dm-0" ino=658518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1474569390.690:2462): avc:  denied  { read } for  pid=23325 comm="httpd" name="bear-4.1-1.noarch.rpm" dev="dm-0" ino=658518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1

For contrast, when the same script is run on a days-old Pulp system that doesn't suffer from this issue, here's what the last few lines look like:

+ audit2allow -al

+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log

type=USER_AVC msg=audit(1474569380.233:7714): pid=670 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=11)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1474569380.238:7715): policy loaded auid=0 ses=105

Here are the packages on the system I used to reproduce this bug. (Jenkins shows that this issue applied to all Pulp 2.10 and 2.11 nightly builds across all OS distributions.)

$ grep PRETTY /etc/os-release && rpm -qa | sort | grep -i pulp
PRETTY_NAME="Fedora 23 (Twenty Three)"
pulp-admin-client-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
pulp-docker-admin-extensions-2.2.0-0.1.alpha.git.201.d0860fd.fc23.noarch
pulp-docker-plugins-2.2.0-0.1.alpha.git.201.d0860fd.fc23.noarch
pulp-ostree-admin-extensions-1.2.0-0.1.alpha.git.104.42d1c09.fc23.noarch
pulp-ostree-plugins-1.2.0-0.1.alpha.git.104.42d1c09.fc23.noarch
pulp-puppet-admin-extensions-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-puppet-plugins-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
pulp-python-admin-extensions-1.2.0-0.1.alpha.git.108.182206a.fc23.noarch
pulp-python-plugins-1.2.0-0.1.alpha.git.108.182206a.fc23.noarch
pulp-rpm-admin-extensions-2.11.0-0.1.alpha.git.542.ceaaaca.fc23.noarch
pulp-rpm-plugins-2.11.0-0.1.alpha.git.542.ceaaaca.fc23.noarch
pulp-selinux-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
pulp-server-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
python-pulp-client-lib-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
python-pulp-common-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
python-pulp-docker-common-2.2.0-0.1.alpha.git.201.d0860fd.fc23.noarch
python-pulp-oid_validation-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
python-pulp-ostree-common-1.2.0-0.1.alpha.git.104.42d1c09.fc23.noarch
python-pulp-puppet-common-2.11.0-0.1.alpha.git.187.e97c179.fc23.noarch
python-pulp-python-common-1.2.0-0.1.alpha.git.108.182206a.fc23.noarch
python-pulp-repoauth-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
python-pulp-rpm-common-2.11.0-0.1.alpha.git.542.ceaaaca.fc23.noarch
python-pulp-streamer-2.11.0-0.1.alpha.git.701.0c0ee81.fc23.noarch
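
The denial records quoted in this report can be parsed mechanically rather than read by eye. The following Python 3 script is an added example, not part of the original report and not Pulp's code. It recognises both record layouts shown above, the journalctl form (audit[pid]: AVC avc: denied ...) and the raw audit.log form (type=AVC msg=audit(...): avc: denied ...), groups the denied permissions by source type, target type and object class, and builds the same allow statement that audit2allow -al printed above. The sample records are copied from the excerpts in this report; the CLEAN_LINES set is the days-old system's output, which yields no rule. It also returns the denied paths with their target label, which is the list a defender would hand to restorecon rather than loading the suggested allow rule (that rule would widen httpd_t's access to the cache label instead of fixing the mislabelled files).

```python
import re
from collections import defaultdict

# One regex covers both record layouts seen in this report: the journalctl line
# 'audit[8990]: AVC avc:  denied  { getattr } for  pid=8990 ...' and the raw
# audit.log line 'type=AVC msg=audit(...): avc:  denied  { getattr } for  pid=...'.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records copied from the audit.log and journal excerpts in this report.
AUDIT_LOG_LINES = [
    'type=MAC_POLICY_LOAD msg=audit(1474569379.871:2460): policy loaded auid=0 ses=7',
    'type=AVC msg=audit(1474569390.690:2461): avc:  denied  { getattr } for  pid=23325 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/foo/1474569388.72/bear-4.1-1.noarch.rpm" dev="dm-0" ino=658518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1',
    'type=AVC msg=audit(1474569390.690:2462): avc:  denied  { read } for  pid=23325 comm="httpd" name="bear-4.1-1.noarch.rpm" dev="dm-0" ino=658518 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1',
]
JOURNAL_LINES = [
    'Sep 22 13:27:05 example.com audit[12728]: AVC avc:  denied  { getattr } for  pid=12728 comm="httpd" path="/var/lib/pulp/published/docker/v2/master/65e8a280-d78c-4d8e-9454-4f20e5672870/1474565222.52/tags/list" dev="dm-0" ino=1073976 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=0',
    'Oct 17 11:47:36 pulp.example.com audit[16705]: AVC avc:  denied  { read } for  pid=16705 comm="httpd" name="1476719146.43" dev="dm-0" ino=17680688 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=dir permissive=0',
]
# The days-old system: a policy reload, but no denial, so no rule is derived.
CLEAN_LINES = [
    "type=USER_AVC msg=audit(1474569380.233:7714): pid=670 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=11)  exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    'type=MAC_POLICY_LOAD msg=audit(1474569380.238:7715): policy loaded auid=0 ses=105',
]


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context reads user:role:type:level; policy rules are written against the type.
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "enforced": fields.get("permissive") == "0",
    }


def allow_rules(lines):
    """Aggregate denials into the allow statements audit2allow -al would print."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            wanted[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(wanted.items())]


def denied_paths(lines):
    """Distinct (path or name, target type) pairs behind the denials: the relabel candidates."""
    seen = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and (rec["path"], rec["ttype"]) not in seen:
            seen.append((rec["path"], rec["ttype"]))
    return seen


if __name__ == "__main__":
    for label, lines in (("audit.log", AUDIT_LOG_LINES), ("journal", JOURNAL_LINES), ("clean", CLEAN_LINES)):
        print(label, allow_rules(lines) or "no denials")
        for path, ttype in denied_paths(lines):
            print("  relabel candidate:", path, "currently", ttype)
```

Run it as a script to see the derived rules, or feed it the output of journalctl -t audit or /var/log/audit/audit.log line by line; records that are not denials (policy loads, USER_AVC notices, USER_CMD) are skipped.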

Related issues

Related to RPM Support - Issue #2326: Publishes fail (CLOSED - CURRENTRELEASE)
Related to Pulp - Issue #2287: Cannot get docker v2 repo tags list (CLOSED - CURRENTRELEASE)

Associated revisions

Revision fc9f5f94 View on GitHub
Added by jortel@redhat.com about 4 years ago

Restore SELinux file context after published files are moved. closes #2277

Revision b8e8aa3a View on GitHub
Added by jortel@redhat.com about 4 years ago

Fix AVC denials while restoring SELinux context as part of publishing. closes #2326, #2277

Revision 7766c7b4 View on GitHub
Added by dkliban@redhat.com almost 4 years ago

Removes extraneous permission from pulp-celery SELinux policy

re #2277 https://pulp.plan.io/issues/2277
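
The diagnosis in the issue's title and the fix in revisions fc9f5f94 and b8e8aa3a (restore the file context after the published files are moved) can be shown in a few lines. This is an added Python 3 illustration, not Pulp's own publishing code. Moving a file between directories on one filesystem is a rename, so the inode keeps the label it carried in the cache (the pulp_var_cache_t seen in the AVC records above); a newly created file, which is what a copy produces, is labelled from its parent directory and the policy's transition rules instead. Resetting the label after the move is done here by running restorecon on the moved path. The helper reads the label through the security.selinux extended attribute so the before and after values can be compared; on a host without SELinux it reports None and restorecon is skipped, so the script still runs. The cache/published directory layout is a constructed temporary fixture, not Pulp's /var/lib/pulp paths.

```python
import os
import shutil
import subprocess
import tempfile


def selinux_label(path):
    """Return the file's SELinux label from the security.selinux xattr, or None."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):  # no SELinux label, no xattr support, or not Linux
        return None


def restore_context(path):
    """Relabel path with restorecon(8). True only if the tool exists and succeeded."""
    tool = shutil.which("restorecon")
    if tool is None:
        return False
    return subprocess.run([tool, "-R", path]).returncode == 0


def publish_by_move(src, dest_dir, restorer=restore_context):
    """Move src into dest_dir, then restore its label; the restorer is injectable for tests."""
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src))
    label_before = selinux_label(src)
    shutil.move(src, dest)  # same filesystem: rename(2), so inode and label are unchanged
    relabeled = restorer(dest)  # this step is what the fix in the associated revisions adds
    return {
        "dest": dest,
        "label_before": label_before,
        "label_after": selinux_label(dest),
        "relabeled": relabeled,
    }


def demo(restorer=restore_context):
    """Publish one file out of a constructed cache tree (a temporary fixture, not Pulp's paths)."""
    root = tempfile.mkdtemp(prefix="pulp-publish-demo-")
    src = os.path.join(root, "cache", "bear-4.1-1.noarch.rpm")
    os.makedirs(os.path.dirname(src))
    with open(src, "wb") as fh:
        fh.write(b"constructed placeholder, not a real rpm")
    result = publish_by_move(src, os.path.join(root, "published"), restorer=restorer)
    result["src_exists"] = os.path.exists(src)
    result["dest_exists"] = os.path.exists(result["dest"])
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-13s %s" % (key + ":", value))
```

On an SELinux host the printed label_before and label_after differ only if restorecon ran and the destination directory has a file-context rule of its own; with the default restorer the labels are left for the policy to decide, which is the point of the fix rather than granting httpd_t read access to the cache type.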

History

#1 Updated by Ichimonji10 about 4 years ago

  • Version set to Master
  • Platform Release deleted (2.10.1)

#2 Updated by pcreech about 4 years ago

  • Priority changed from High to Urgent
  • Triaged changed from No to Yes

#3 Updated by jortel@redhat.com about 4 years ago

  • Subject changed from Repository publishes silently fail to Content published using move (instead of copy) causes 404 due to selinux denial.

#4 Updated by mhrivnak about 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to jortel@redhat.com
  • Sprint/Milestone set to 26

#5 Updated by jortel@redhat.com about 4 years ago

  • Status changed from ASSIGNED to POST

#6 Updated by jortel@redhat.com about 4 years ago

  • Status changed from POST to MODIFIED

#7 Updated by Ichimonji10 about 4 years ago

This issue still affects Pulp 2.10, but not Pulp 2.11. (Downloading published content on Pulp 2.11 still fails with an HTTP 404, but due to a different permissions issue, which I'll file a bug for shortly.)

Here's the Pulp 2.10 system that I provisioned today and used for testing:

$ grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 24 (Twenty Four)"
$ rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
pulp-python-admin-extensions-1.1.2-1.fc24.noarch
pulp-python-plugins-1.1.2-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
pulp-selinux-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
pulp-server-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-common-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.8d0b470.fc24.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.eebbc61.fc24.noarch
python-pulp-python-common-1.1.2-1.fc24.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.49.41cb4ef.fc24.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.29.d8dedbe.fc24.noarch

Here's the tail end of the output of the debug script:

+ audit2allow -al

#============= httpd_t ==============
allow httpd_t pulp_var_cache_t:lnk_file { getattr read };
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log

type=MAC_STATUS msg=audit(1475684274.080:864): enforcing=0 old_enforcing=1 auid=0 ses=5
type=USER_AVC msg=audit(1475684274.082:865): pid=655 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475684275.642:866): pid=655 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=9)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1475684275.647:867): policy loaded auid=0 ses=5
type=AVC msg=audit(1475684289.194:868): avc:  denied  { getattr } for  pid=11367 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/foo/1475684287.42/bear-4.1-1.noarch.rpm" dev="dm-0" ino=1972065 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1475684289.194:869): avc:  denied  { read } for  pid=11367 comm="httpd" name="bear-4.1-1.noarch.rpm" dev="dm-0" ino=1972065 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1

#8 Updated by Ichimonji10 about 4 years ago

  • Status changed from MODIFIED to ASSIGNED

Setting to "ASSIGNED" pending a fix for 2.10.1.

#9 Updated by Ichimonji10 about 4 years ago

  • Version changed from Master to 2.10.1

#10 Updated by amacdona@redhat.com about 4 years ago

#11 Updated by mhrivnak about 4 years ago

  • Sprint/Milestone changed from 26 to 27

#12 Updated by amacdona@redhat.com about 4 years ago

  • Related to Issue #2287: Cannot get docker v2 repo tags list added

#13 Updated by jortel@redhat.com about 4 years ago

  • Status changed from ASSIGNED to MODIFIED

#15 Updated by Ichimonji10 about 4 years ago

  • Status changed from MODIFIED to ASSIGNED

This issue is fixed on master, but it still affects the nightly builds of Pulp 2.10. Here's the system I provisioned this morning for testing:

# grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 23 (Server Edition)"
# rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.25.57df0d9.fc23.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.25.57df0d9.fc23.noarch
pulp-ostree-admin-extensions-1.1.4-0.1.alpha.git.16.de039ba.fc23.noarch
pulp-ostree-plugins-1.1.4-0.1.alpha.git.16.de039ba.fc23.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.40.0d4e641.fc23.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.40.0d4e641.fc23.noarch
pulp-python-admin-extensions-1.1.4-0.1.alpha.git.28.71c18b3.fc23.noarch
pulp-python-plugins-1.1.4-0.1.alpha.git.28.71c18b3.fc23.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.50.9229a41.fc23.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.50.9229a41.fc23.noarch
pulp-selinux-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
pulp-server-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
python-pulp-common-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.25.57df0d9.fc23.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
python-pulp-ostree-common-1.1.4-0.1.alpha.git.16.de039ba.fc23.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.40.0d4e641.fc23.noarch
python-pulp-python-common-1.1.4-0.1.alpha.git.28.71c18b3.fc23.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.50.9229a41.fc23.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.33.61aae58.fc23.noarch

Here's the tail end of the diagnostic script:

+ audit2allow -al

#============= httpd_t ==============
allow httpd_t pulp_var_cache_t:lnk_file { getattr read };
+ audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
+ true
+ cat /var/log/audit/audit.log

type=MAC_POLICY_LOAD msg=audit(1476719747.049:2204): policy loaded auid=0 ses=3
type=AVC msg=audit(1476719764.198:2205): avc:  denied  { getattr } for  pid=19066 comm="httpd" path="/var/lib/pulp/published/yum/master/yum_distributor/foo/1476719760.84/bear-4.1-1.noarch.rpm" dev="dm-0" ino=33730722 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1476719764.198:2206): avc:  denied  { read } for  pid=19066 comm="httpd" name="bear-4.1-1.noarch.rpm" dev="dm-0" ino=33730722 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=lnk_file permissive=1

Here's a sample entry from journalctl, as produced by wget --no-check-certificate https://pulp.example.com/pulp/repos/ddcaedd7-6295-44b7-8329-ce62c6961b1f:

Oct 17 11:47:36 pulp.example.com audit[16705]: AVC avc:  denied  { read } for  pid=16705 comm="httpd" name="1476719146.43" dev="dm-0" ino=17680688 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=dir permissive=0
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992) Internal Server Error: /var/www/pub/yum/https/repos/ddcaedd7-6295-44b7-8329-ce62c6961b1f
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992) Traceback (most recent call last):
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 132, in get_response
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)     response = wrapped_callback(request, *callback_args, **callback_kwargs)
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 71, in view
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)     return self.dispatch(request, *args, **kwargs)
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 89, in dispatch
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)     return handler(request, *args, **kwargs)
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)   File "/usr/lib/python2.7/site-packages/pulp/server/content/web/views.py", line 173, in get
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)     return self.directory_index(path)
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)   File "/usr/lib/python2.7/site-packages/pulp/server/content/web/views.py", line 193, in directory_index
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992)     listing = os.listdir(path)
Oct 17 11:47:36 pulp.example.com pulp[16563]: django.request:ERROR: (16563-40992) OSError: [Errno 13] Permission denied: '/var/lib/pulp/published/yum/master/yum_distributor/ddcaedd7-6295-44b7-8329-ce62c6961b1f/1476719146.43'

#16 Updated by dkliban@redhat.com about 4 years ago

  • Status changed from ASSIGNED to MODIFIED

One of the PRs for this fix was missing from 2.10-dev branch. I've added it and have manually verified that the issue is fixed.

#17 Updated by semyers about 4 years ago

  • Platform Release set to 2.10.1

#18 Updated by semyers about 4 years ago

  • Status changed from MODIFIED to 5

#19 Updated by semyers almost 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#20 Updated by bmbouter over 2 years ago

  • Sprint set to Sprint 9

#21 Updated by bmbouter over 2 years ago

  • Sprint/Milestone deleted (27)

#22 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added
