Issue #2387

closed

Publishes fail on RHEL 6

Added by Ichimonji10 about 8 years ago. Updated over 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Urgent
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version: 2.10.2
Platform Release: 2.10.2
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 11
Quarter:

Description

To reproduce this issue, provision a RHEL 6 system, install Pulp on it, and execute the following script:

pulp-admin rpm repo create --repo-id foo --feed https://repos.fedorapeople.org/pulp/pulp/fixtures/rpm-unsigned/
pulp-admin rpm repo sync run --repo-id foo
wget --no-check-certificate https://localhost/pulp/repos/pulp/pulp/fixtures/rpm-unsigned/bear-4.1-1.noarch.rpm
pulp-admin rpm repo delete --repo-id foo

The pulp-admin rpm repo sync run --repo-id foo command generates an error:

Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
32 of 32 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[                                                  ] 0%
0 of 4 items

Task Failed

[Errno 13] Permission denied

Disabling SELinux fixes this error. To diagnose this error, I wrote up this script:

#!/usr/bin/env bash
#
# Demonstrate the issue with Pulp and get information about it. All statements
# with `|| true` appended are known to return non-zero exit codes.
#
set -euo pipefail

# Configure SELinux
setenforce 0
echo > /var/log/audit/audit.log
semodule -R

# Execute problematic actions
pulp-admin rpm repo create --repo-id foo --feed https://repos.fedorapeople.org/pulp/pulp/fixtures/rpm-unsigned/
pulp-admin rpm repo sync run --repo-id foo
wget --no-check-certificate https://localhost/pulp/repos/pulp/pulp/fixtures/rpm-unsigned/bear-4.1-1.noarch.rpm
pulp-admin rpm repo delete --repo-id foo

# Get info
set -x
audit2allow -al
audit2allow -Ral || true
cat /var/log/audit/audit.log

# Reset SELinux
set +x
setenforce 1

The following is printed:

+ audit2allow -al

#============= celery_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow celery_t httpd_sys_rw_content_t:dir relabelto;

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow celery_t httpd_sys_rw_content_t:file relabelto;

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow celery_t httpd_sys_rw_content_t:lnk_file relabelto;
+ audit2allow -Ral

require {
        type celery_t;
        type httpd_sys_rw_content_t;
        class lnk_file relabelto;
        class file relabelto;
        class dir relabelto;
}

#============= celery_t ==============

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow celery_t httpd_sys_rw_content_t:dir relabelto;

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow celery_t httpd_sys_rw_content_t:file relabelto;

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow celery_t httpd_sys_rw_content_t:lnk_file relabelto;
+ cat /var/log/audit/audit.log

type=MAC_POLICY_LOAD msg=audit(1478278679.827:6541): policy loaded auid=0 ses=8
type=SYSCALL msg=audit(1478278679.827:6541): arch=c000003e syscall=1 success=yes exit=8447991 a0=4 a1=7f834d753000 a2=80e7f7 a3=7fff5d33a0f0 items=0 ppid=17451 pid=17452 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1478278693.893:6542): avc:  denied  { relabelto } for  pid=17425 comm="python" name="1478278692.65" dev=dm-0 ino=788189 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1478278693.893:6542): arch=c000003e syscall=189 success=yes exit=0 a0=3b87de4 a1=7f04d509147d a2=4759460 a3=2c items=0 ppid=17212 pid=17425 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=8 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1478278693.895:6543): avc:  denied  { relabelto } for  pid=17425 comm="python" name="shark-0.1-1.noarch.rpm" dev=dm-0 ino=788213 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1478278693.895:6543): arch=c000003e syscall=189 success=yes exit=0 a0=3ba8e24 a1=7f04d509147d a2=4758120 a3=2c items=0 ppid=17212 pid=17425 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=8 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1478278693.931:6544): avc:  denied  { relabelto } for  pid=17425 comm="python" name="11642ea5192aeb4b050b08c7619b365d8982475b081388a196f0346bd4438fc9-comps.xml" dev=dm-0 ino=788234 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1478278693.931:6544): arch=c000003e syscall=189 success=yes exit=0 a0=3bbed14 a1=7f04d509147d a2=4babf30 a3=2c items=0 ppid=17212 pid=17425 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=8 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0 key=(null)

This error can be produced at least with Pulp 2.10 installed. It may also occur with earlier and later versions of Pulp installed. I'll do some research and update this issue when I figure out which versions of Pulp suffer from this issue.

This issue is somewhat similar to https://pulp.plan.io/issues/2277.
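The following is an added example, not part of the original issue or of Pulp: it joins each AVC denial in an audit log with the SYSCALL record of the same event, so the denied permission, the source and target types, and whether the call still completed can be read off in one row. The function names are illustrative, and the sample records are abridged from the audit.log excerpt above.

```python
import re
from collections import defaultdict

# Added example; names are illustrative. Records abridged from the audit.log excerpt above.
SAMPLE_LOG = """\
type=AVC msg=audit(1478278693.893:6542): avc:  denied  { relabelto } for  pid=17425 comm="python" name="1478278692.65" dev=dm-0 ino=788189 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1478278693.893:6542): arch=c000003e syscall=189 success=yes exit=0 pid=17425 uid=48 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0
type=AVC msg=audit(1478278693.895:6543): avc:  denied  { relabelto } for  pid=17425 comm="python" name="shark-0.1-1.noarch.rpm" dev=dm-0 ino=788213 scontext=unconfined_u:system_r:celery_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1478278693.895:6543): arch=c000003e syscall=189 success=yes exit=0 pid=17425 uid=48 comm="python" exe="/usr/bin/python" subj=unconfined_u:system_r:celery_t:s0
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
PERMS_RE = re.compile(r"denied\s+\{ ([^}]*) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event id (timestamp:serial); assumes one AVC per event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            pm = PERMS_RE.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        events[event_id][rtype] = fields
    return events

def summarize_denials(text):
    """One row per AVC denial, joined with the SYSCALL record of the same event."""
    rows = []
    for event_id, recs in sorted(parse_events(text).items()):
        avc = recs.get("AVC")
        if not avc:
            continue
        sc = recs.get("SYSCALL", {})
        rows.append({
            "event": event_id,
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "name": avc.get("name"),
            "syscall": sc.get("syscall"),
            "permissive_hit": sc.get("success") == "yes",  # denied, yet the call completed
        })
    return rows
```

In the log above every paired SYSCALL record shows success=yes because the diagnostic script ran with `setenforce 0`; syscall 189 on x86_64 (arch=c000003e) is lsetxattr, which is how a file's SELinux label is set.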
