Issue #2792

closed

syncing an importer has SELinux denials

Added by amacdona@redhat.com almost 7 years ago. Updated about 5 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

There are SELinux denials in the log after syncing a pulp_file importer.

To reproduce:
1. Modify the stubbed file plugin. It defines `sync`, but it is `NotImplemented`. Override the function and add a log message. https://github.com/pulp/pulp_file/blob/0518201f3e0bd6cbf85b79b87afc2f05abe69fbf/pulp_file/app/models.py#L29
2. Using the browseable web API, create a repository
3. Create an importer (related to the repo you just made). Make sure it has something in the feed field.
4. Sync the importer.

Output from journalctl:

May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { write } for  pid=26420 comm="celery" name=".s.PGSQL.5432" dev="tmpfs" ino=50235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { connectto } for  pid=26420 comm="celery" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { read } for  pid=26420 comm="celery" name="lib64" dev="vda1" ino=1969355 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { name_connect } for  pid=26420 comm="celery" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
May 31 19:16:19 dev.example.com audit[26281]: AVC avc:  denied  { create } for  pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
May 31 19:16:19 dev.example.com celery[25939]: [2017-05-31 19:16:19,144: WARNING/PoolWorker-1] The File Plugin's importer has synced!!
May 31 19:16:19 dev.example.com audit[26281]: AVC avc:  denied  { rmdir } for  pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" dev="vda1" ino=263909 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1

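A small parser for the AVC records above, added here as an example and not code from the Pulp project: it structures each denial as (source type, target type, class, permissions), flags that every record carries permissive=1 (logged, not blocked), and shows that all of them originate from init_t, which indicates systemd started the celery workers without a domain transition into a confined type. The journal text is quoted from this issue (one duplicate line dropped); the output layout is the example's own.

```python
import re
from collections import Counter

# AVC records quoted from the journal output in this issue (one rmdir line omitted).
JOURNAL = """\
May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { write } for  pid=26420 comm="celery" name=".s.PGSQL.5432" dev="tmpfs" ino=50235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { connectto } for  pid=26420 comm="celery" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc:  denied  { name_connect } for  pid=26420 comm="celery" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
May 31 19:16:19 dev.example.com celery[25939]: [2017-05-31 19:16:19,144: WARNING/PoolWorker-1] The File Plugin's importer has synced!!
May 31 19:16:19 dev.example.com audit[26281]: AVC avc:  denied  { create } for  pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""

# "AVC avc:  denied  { write } for  pid=... key=value ..." -> result, permission set, key/value tail
AVC_RE = re.compile(r'AVC avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted (name="...") or bare (dest=5672)

def parse_avc(line):
    """Return a dict for one AVC record, or None for journal lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['stype'] = rec['scontext'].split(':')[2]   # type field of user:role:type:level, e.g. init_t
    rec['ttype'] = rec['tcontext'].split(':')[2]   # e.g. postgresql_var_run_t
    rec['enforced'] = rec.get('permissive') == '0' # permissive=1 means the access was allowed and only logged
    return rec

def summarize(journal):
    """Aggregate denials by (source type, target type, class, perms): the tuples a policy fix must cover."""
    recs = [r for r in map(parse_avc, journal.splitlines()) if r]
    by_rule = Counter((r['stype'], r['ttype'], r['tclass'], ' '.join(r['perms'])) for r in recs)
    return {
        'denials': len(recs),
        'source_types': sorted({r['stype'] for r in recs}),
        'would_block_if_enforcing': sum(1 for r in recs if r['result'] == 'denied' and not r['enforced']),
        'rules': by_rule,
    }

if __name__ == '__main__':
    s = summarize(JOURNAL)
    print(f"{s['denials']} denials from source types {s['source_types']}; "
          f"{s['would_block_if_enforcing']} were only logged (permissive)")
    for (stype, ttype, tclass, perms), n in sorted(s['rules'].items()):
        print(f"  {n}x {stype} -> {ttype} ({tclass}: {perms})")
```
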
Related issues

Is duplicate of Pulp - Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment (NEW)

Actions #1

Updated by bmbouter almost 7 years ago

On Pulp2 SELinux was disabled in the Vagrant environment which is tracked as Issue #97. With Pulp3's Vagrant env it sets SELinux to Enforcing currently (I think). I read this issue as basically Issue #97 only for Pulp3. Is this issue a duplicate of Issue #97 if we repurpose Issue #97 to be fixed with Pulp3?

The temporary workaround is to disable SELinux via the Ansible playbooks like we did on Pulp2. I think that is OK given it's a dev environment and the work of fixing #97 in Vagrant is non-trivial at this time.

What do others think?

Actions #2

Updated by amacdona@redhat.com almost 7 years ago

Pulp 3 SELinux is set to "Permissive" for now. It is fine with me if we want to use #97 instead, but I don't want to have 1 SELinux issue to track Pulp 3 and Pulp 2, the environments are too different.

Actions #3

Updated by bmbouter almost 7 years ago

With our focus on Pulp3 for active development I think we should close either this or #97 as a duplicate and rewrite the open one to be Pulp3 specific. Since I know exactly what needs to be done to fix up the descriptions, should I do this?

Actions #4

Updated by bmbouter almost 7 years ago

  • Status changed from NEW to CLOSED - DUPLICATE

Per IRC confirmation, I'm closing this one as a duplicate of Issue #97 and will then update #97 to be for Pulp3 only.

Actions #5

Updated by bmbouter almost 7 years ago

  • Is duplicate of Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment added

Actions #6

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
