Issue #3211

closed

Pulp 2.15 beta 3 on F27 due to SELinux denials

Added by Ichimonji10 over 6 years ago. Updated about 5 years ago.

Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

Pulp 2.15 beta 3 is broken on Fedora 27 due to SELinux denials. Here are the services that fail:

[root@fedora-27-pulp-2-15-beta ~]# systemctl --state failed
  UNIT                          LOAD   ACTIVE SUB    DESCRIPTION                   
● pulp_resource_manager.service loaded failed failed Pulp Resource Manager
● pulp_worker-0.service         loaded failed failed Pulp Worker #0
● qpidd.service                 loaded failed failed An AMQP message broker daemon.

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

3 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

To positively show that the error is reproducible, I executed the following on a host:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R
systemctl restart httpd pulp_{celerybeat,resource_manager,workers} qpidd

...and then executed the test for #2788: python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_republish.RemoveOldRepodataTestCase. Here are some results:

[root@fedora-27-pulp-2-15-beta ~]# audit2allow -al

#============= celery_t ==============
allow celery_t cgroup_t:filesystem getattr;
allow celery_t debugfs_t:filesystem getattr;
allow celery_t default_context_t:file { getattr open read };
allow celery_t device_t:filesystem getattr;
allow celery_t devpts_t:filesystem getattr;
allow celery_t hugetlbfs_t:filesystem getattr;
allow celery_t pstore_t:filesystem getattr;
allow celery_t tmpfs_t:file map;

#============= qpidd_t ==============
allow qpidd_t qpidd_var_lib_t:file map;
[root@fedora-27-pulp-2-15-beta ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-27-pulp-2-15-beta ~]# cat /var/log/audit/audit.log 

type=SERVICE_STOP msg=audit(1513619193.677:2507): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AVC msg=audit(1513619196.330:2508): pid=669 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=15)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1513619196.337:2509): policy loaded auid=0 ses=7
type=USER_AVC msg=audit(1513619198.326:2510): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=15)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1513619198.400:2511): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qpidd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1513619198.402:2512): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qpidd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1513619198.463:2513): avc:  denied  { map } for  pid=5803 comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/__db.001" dev="dm-0" ino=9201513 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=file permissive=1
type=SERVICE_STOP msg=audit(1513619200.087:2514): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_worker-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1513619200.093:2515): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_workers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1513619200.111:2516): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1513619200.169:2517): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_resource_manager comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1513619200.170:2518): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_resource_manager comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1513619200.178:2519): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_worker-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1513619200.185:2520): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_workers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1513619200.242:2521): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1513619201.374:2522): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_celerybeat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1513619201.377:2523): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_celerybeat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1513619218.922:2524): avc:  denied  { map } for  pid=5824 comm="celery" path="/dev/shm/V3M49w" dev="tmpfs" ino=135598 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=USER_START msg=audit(1513619230.040:2525): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1513619230.041:2526): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:21:77:4b:9c:02:0f:3f:38:fa:b7:1f:b1:3d:1d:d8:ed:1d:3f:8b:e5:00:aa:52:a2:44:78:62:7f:e7:5b:f7:ae direction=? spid=6401 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1513619236.256:2527): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="devtmpfs" ino=3 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.256:2528): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="devpts" ino=1 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.256:2529): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.256:2530): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="pstore" ino=11212 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.257:2531): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="hugetlbfs" ino=17837 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.257:2532): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="debugfs" ino=1 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.260:2533): avc:  denied  { read } for  pid=6252 comm="celery" name="customizable_types" dev="dm-0" ino=374187 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513619236.260:2534): avc:  denied  { open } for  pid=6252 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=374187 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513619236.260:2535): avc:  denied  { getattr } for  pid=6252 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=374187 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=USER_START msg=audit(1513619241.186:2536): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1513619241.187:2537): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:21:77:4b:9c:02:0f:3f:38:fa:b7:1f:b1:3d:1d:d8:ed:1d:3f:8b:e5:00:aa:52:a2:44:78:62:7f:e7:5b:f7:ae direction=? spid=6443 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1513619241.207:2538): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_START msg=audit(1513619241.229:2539): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1513619241.230:2540): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:21:77:4b:9c:02:0f:3f:38:fa:b7:1f:b1:3d:1d:d8:ed:1d:3f:8b:e5:00:aa:52:a2:44:78:62:7f:e7:5b:f7:ae direction=? spid=6457 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1513619241.246:2541): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_START msg=audit(1513619247.219:2542): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1513619247.219:2543): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:21:77:4b:9c:02:0f:3f:38:fa:b7:1f:b1:3d:1d:d8:ed:1d:3f:8b:e5:00:aa:52:a2:44:78:62:7f:e7:5b:f7:ae direction=? spid=6487 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1513619247.228:2544): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_START msg=audit(1513619247.240:2545): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1513619247.240:2546): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:21:77:4b:9c:02:0f:3f:38:fa:b7:1f:b1:3d:1d:d8:ed:1d:3f:8b:e5:00:aa:52:a2:44:78:62:7f:e7:5b:f7:ae direction=? spid=6501 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1513619247.248:2547): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'
type=USER_END msg=audit(1513619253.505:2548): pid=2678 uid=0 auid=0 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.101.1 addr=192.168.101.1 terminal=ssh res=success'

Here's the packages on an affected host:

[root@fedora-27-pulp-2-15-beta ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.0-0.2.beta.fc27.noarch
pulp-deb-admin-extensions-1.6.0-0.2.beta.fc27.noarch
pulp-deb-plugins-1.6.0-0.2.beta.fc27.noarch
pulp-docker-admin-extensions-3.1.0-0.3.beta.fc27.noarch
pulp-docker-plugins-3.1.0-0.3.beta.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.0-0.2.beta.fc27.noarch
pulp-puppet-plugins-2.15.0-0.2.beta.fc27.noarch
pulp-puppet-tools-2.15.0-0.2.beta.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.0-0.3.beta.fc27.noarch
pulp-rpm-plugins-2.15.0-0.3.beta.fc27.noarch
pulp-selinux-2.15.0-0.2.beta.fc27.noarch
pulp-server-2.15.0-0.2.beta.fc27.noarch
python-pulp-bindings-2.15.0-0.2.beta.fc27.noarch
python-pulp-client-lib-2.15.0-0.2.beta.fc27.noarch
python-pulp-common-2.15.0-0.2.beta.fc27.noarch
python-pulp-deb-common-1.6.0-0.2.beta.fc27.noarch
python-pulp-docker-common-3.1.0-0.3.beta.fc27.noarch
python-pulp-oid_validation-2.15.0-0.2.beta.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.0-0.2.beta.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.0-0.2.beta.fc27.noarch
python-pulp-rpm-common-2.15.0-0.3.beta.fc27.noarch
python-pulp-streamer-2.15.0-0.2.beta.fc27.noarch
[root@fedora-27-pulp-2-15-beta ~]# rpm -qa | grep qpid | sort
python-gofer-qpid-2.11.0-2.fc27.noarch
python-qpid-1.36.0-2.fc27.noarch
python-qpid-qmf-1.36.0-8.fc27.x86_64
qpid-cpp-client-1.36.0-8.fc27.x86_64
qpid-cpp-server-1.36.0-8.fc27.x86_64
qpid-cpp-server-linearstore-1.36.0-8.fc27.x86_64
qpid-proton-c-0.18.1-1.fc27.x86_64
qpid-qmf-1.36.0-8.fc27.x86_64
qpid-tools-1.36.0-8.fc27.noarch
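The reproduction above (setenforce 0, clear audit.log, reload policy, restart the services, run the test, then audit2allow -al) is the standard way to collect every denial in one pass. As an added example, not code from Pulp or from audit2allow, the following Python script does the aggregation step by hand: it parses the AVC records from the audit.log excerpt in this issue (copied verbatim below, plus one constructed record with permissive=0) into the same per-source-type "allow" summary that audit2allow printed, and separately reports any denial that was actually enforced rather than merely logged. The function names, the regexes and the ENFORCING_LINE record are this example's own.

```python
# Added example (not Pulp or audit2allow code): summarise SELinux AVC records
# from an audit.log into audit2allow-style allow rules, and separate denials
# that were only logged (permissive=1, i.e. setenforce 0) from enforced ones.
import re
from collections import defaultdict

# Records copied from the audit.log excerpt in this issue. The first is a
# non-AVC SERVICE_STOP record and must be ignored by the parser.
SAMPLE_LINES = """\
type=SERVICE_STOP msg=audit(1513619198.400:2511): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=qpidd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1513619198.463:2513): avc:  denied  { map } for  pid=5803 comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/__db.001" dev="dm-0" ino=9201513 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513619218.922:2524): avc:  denied  { map } for  pid=5824 comm="celery" path="/dev/shm/V3M49w" dev="tmpfs" ino=135598 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513619236.256:2527): avc:  denied  { getattr } for  pid=6252 comm="celery" name="/" dev="devtmpfs" ino=3 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1513619236.260:2533): avc:  denied  { read } for  pid=6252 comm="celery" name="customizable_types" dev="dm-0" ino=374187 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513619236.260:2534): avc:  denied  { open } for  pid=6252 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=374187 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
type=AVC msg=audit(1513619236.260:2535): avc:  denied  { getattr } for  pid=6252 comm="celery" path="/etc/selinux/targeted/contexts/customizable_types" dev="dm-0" ino=374187 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=file permissive=1
""".splitlines()

# Constructed record (not from the issue): the same qpidd denial as it would
# look on an enforcing host, where the mmap actually failed.
ENFORCING_LINE = (
    'type=AVC msg=audit(1513619300.000:9999): avc:  denied  { map } for  pid=7001 '
    'comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/__db.001" dev="dm-0" ino=9201513 '
    'scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_var_lib_t:s0 '
    'tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type component from user:role:type[:level]."""
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # file denials carry path=; filesystem denials carry name="/"
        'target': fields.get('path') or fields.get('name'),
        'stype': _type_of(fields['scontext']),
        'ttype': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def allow_rules(lines):
    """Merge denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return rules


def render(rules):
    """Print the rules the way `audit2allow -al` groups them, by source type."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ %s }' % plist
        by_source[stype].append('allow %s %s:%s %s;' % (stype, ttype, tclass, plist))
    out = []
    for stype in sorted(by_source):
        out.append('#============= %s ==============' % stype)
        out.extend(by_source[stype])
    return '\n'.join(out)


def enforcing_denials(lines):
    """Denials with permissive=0: the ones that really failed the caller."""
    return [d for d in map(parse_avc, lines) if d and not d['permissive']]


if __name__ == '__main__':
    print(render(allow_rules(SAMPLE_LINES)))
    for d in enforcing_denials(SAMPLE_LINES + [ENFORCING_LINE]):
        print('ENFORCED: %s (%s) %s on %s' % (d['comm'], d['stype'],
                                              ' '.join(sorted(d['perms'])), d['target']))
```

Two practical points follow from the output. First, every record in the issue carries permissive=1, which is what you expect after setenforce 0: the denial was logged and the operation went ahead, so the list is complete but none of these lines is by itself the enforcing failure that stopped qpidd and the workers. Second, the generated rules describe what the confined processes tried to do, not what they should be allowed to do; they are input for whoever maintains the policy module (here the pulp-selinux package), not a module to compile and install on the spot. The -R form of audit2allow that failed above needs the interface database that sepolgen-ifgen generates before it can rewrite raw allow lines into policy interface calls.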
#1 Updated by Ichimonji10 over 6 years ago

  • Status changed from NEW to CLOSED - DUPLICATE

Duplicate of #3159.

There was a packaging mishap, and the SELinux fixes weren't rolled into Pulp 2.15 beta 3 as they should have been. The next iteration of beta 3 should include the relevant fixes.

#2 Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added