Issue #2792 (closed)
syncing an importer has SELinux denials
Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:
Description
There are SELinux denials in the log after syncing a pulp_file importer.
To reproduce:
1. Modify the stubbed file plugin. It defines `sync`, but it is `NotImplemented`. Override the function and add a log message. https://github.com/pulp/pulp_file/blob/0518201f3e0bd6cbf85b79b87afc2f05abe69fbf/pulp_file/app/models.py#L29
2. Using the browseable web API, create a repository.
3. Create an importer with (related to the repo you just made). Make sure it has something in the feed field.
4. Sync the importer.
Output from journalctl:
```
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { write } for pid=26420 comm="celery" name=".s.PGSQL.5432" dev="tmpfs" ino=50235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { connectto } for pid=26420 comm="celery" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { read } for pid=26420 comm="celery" name="lib64" dev="vda1" ino=1969355 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { name_connect } for pid=26420 comm="celery" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { create } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
May 31 19:16:19 dev.example.com celery[25939]: [2017-05-31 19:16:19,144: WARNING/PoolWorker-1] The File Plugin's importer has synced!!
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { rmdir } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" dev="vda1" ino=263909 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
```
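An added triage example, not part of the original report or of Pulp's code: it parses AVC records like the ones above and groups the denied permissions by source type, target type and object class, which is the shape an SELinux policy rule takes. The sample lines are copied from this report's journalctl output; the function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Sample records copied from the journalctl output in this report.
SAMPLE = """\
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { write } for pid=26420 comm="celery" name=".s.PGSQL.5432" dev="tmpfs" ino=50235 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=sock_file permissive=1
May 31 19:16:19 dev.example.com audit[26420]: AVC avc: denied { name_connect } for pid=26420 comm="celery" dest=5672 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket permissive=1
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { create } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
May 31 19:16:19 dev.example.com celery[25939]: [2017-05-31 19:16:19,144: WARNING/PoolWorker-1] The File Plugin's importer has synced!!
May 31 19:16:19 dev.example.com audit[26281]: AVC avc: denied { rmdir } for pid=26281 comm="celery" name="7858b20b-617b-4490-983d-0d97c8c65701" dev="vda1" ino=263909 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record: not enough to name a rule
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; policy rules are written on the type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=1 means the access was logged but allowed to proceed.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec

def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    summary, enforced = defaultdict(set), 0
    for rec in filter(None, map(parse_avc, text.splitlines())):
        summary[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
        enforced += rec['enforced']
    return dict(summary), enforced

if __name__ == '__main__':
    rules, enforced = summarize(SAMPLE)
    for (s, t, c), perms in sorted(rules.items()):
        print(f'{s} -> {t}:{c} {{ {" ".join(sorted(perms))} }}')
    print('denials actually blocked (permissive=0):', enforced)
```

Every record in the sample has `init_t` as its source type and `permissive=1`, so the summary shows at a glance that the celery workers are running in the init domain and that none of these accesses were blocked.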