Issue #2792
syncing an importer has SELinux denials
Status: closed
Description
There are SELinux denials in the log after syncing a pulp_file importer.
To reproduce:
1. Modify the stubbed file plugin. It defines `sync`, but it is `NotImplemented`. Override the function and add a log message. https://github.com/pulp/pulp_file/blob/0518201f3e0bd6cbf85b79b87afc2f05abe69fbf/pulp_file/app/models.py#L29
2. Using the browseable web API, create a repository
3. Create an importer (related to the repo you just made). Make sure it has something in the feed field.
4. Sync the importer.
Output from journalctl:
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { write } for pid=26420 comm="celery" name=".s.PGSQL.5432" dev="tmpfs" ino=50235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { connectto } for pid=26420 comm="celery" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { read } for pid=26420 comm="celery" name="lib64" dev="vda1" ino=1969355 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { name_connect } for pid=26420 comm="celery" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { create } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
May 31 19:16:19 dev.example.com celery[25939]: [2017-05-31 19:16:19,144: WARNING/PoolWorker-1] The File Plugin's importer has synced!!
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { rmdir } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" dev="vda1" ino=263909 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
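As an added example (this is not code from the Pulp project or from the issue reporter), the parser below reads AVC records like the ones above and groups the denied permissions by source type, target type and object class, the same grouping audit2allow uses when it proposes allow rules. The sample input is constructed by copying the journalctl lines from this issue, including the non-AVC celery line so the filter is exercised; the function names (parse_avc, render_allow_rules, would_block_in_enforcing) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the journalctl output from the issue description,
# copied verbatim, plus one non-AVC line that the parser must skip.
SAMPLE_AVC_LINES = """\
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { write } for pid=26420 comm="celery" name=".s.PGSQL.5432" dev="tmpfs" ino=50235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { connectto } for pid=26420 comm="celery" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { read } for pid=26420 comm="celery" name="lib64" dev="vda1" ino=1969355 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { name_connect } for pid=26420 comm="celery" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { create } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
May 31 19:16:19 dev.example.com celery[25939]: [2017-05-31 19:16:19,144: WARNING/PoolWorker-1] The File Plugin's importer has synced!!
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { rmdir } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" dev="vda1" ino=263909 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare non-space token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def selinux_type(context):
    """Return the type field (third component) of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        "stype": selinux_type(fields.get("scontext", "")),
        "ttype": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # permissive=1 means the access was logged but not blocked.
        "permissive": fields.get("permissive") == "1",
        # Whichever object descriptor the kernel included for this class.
        "target": fields.get("path") or fields.get("name") or fields.get("dest"),
    }


def parse_journal(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        if r["decision"] == "denied":
            summary[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    return summary


def render_allow_rules(records):
    """Render the summary as audit2allow-style allow rules, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(records).items())]


def source_domains(records):
    return sorted({r["stype"] for r in records})


def would_block_in_enforcing(records):
    """Records with permissive=0 were actually denied, not merely logged."""
    return [r for r in records if not r["permissive"]]


if __name__ == "__main__":
    recs = parse_journal(SAMPLE_AVC_LINES)
    print("source domains:", source_domains(recs))
    for rule in render_allow_rules(recs):
        print(rule)
    print("blocked in enforcing:", len(would_block_in_enforcing(recs)))
```

Two things the grouped output makes obvious. Every record has scontext type init_t, so the celery worker never transitioned out of systemd's own domain; any allow rules generated from these records would be granted to init_t itself, which is far too broad, and the real fix is a policy module with a domain transition for the worker rather than pasting the rendered rules. And permissive=1 on every record means none of these accesses was actually blocked, which is why the sync still completed.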
Related issues
Updated by bmbouter over 7 years ago
On Pulp2 SELinux was disabled in the Vagrant environment which is tracked as Issue #97. With Pulp3's Vagrant env it sets SELinux to Enforcing currently (I think). I read this issue as basically Issue #97 only for Pulp3. Is this issue a duplicate of Issue #97 if we repurpose Issue #97 to be fixed with Pulp3?
The temporary workaround is to disable SELinux via the Ansible playbooks like we did on Pulp2. I think that is OK given it's a dev environment and the work of fixing #97 in Vagrant is non-trivial at this time.
What do others think?
Updated by amacdona@redhat.com over 7 years ago
Pulp 3 SELinux is set to "Permissive" for now. It is fine with me if we want to use #97 instead, but I don't want to have 1 SELinux issue to track Pulp 3 and Pulp 2; the environments are too different.
Updated by bmbouter over 7 years ago
With our focus on Pulp3 for active development I think we should close either this or #97 as a duplicate and rewrite the open one to be Pulp3 specific. Since I know exactly what needs to be done to fix up the descriptions, should I do this?
Updated by bmbouter over 7 years ago
- Is duplicate of Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment added