Issue #3313

closed

rsync distributor broken on Fedora 27 due to SELinux denials

Added by Ichimonji10 about 6 years ago. Updated about 5 years ago.

Status:
CLOSED - WORKSFORME
Priority:
Normal
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 32
Quarter:

Description

The rsync distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the rsync distributor with Pulp Smash:

python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_rsync_distributor

Five of the eleven or so tests will fail, due to errors like this:

{'_href': '/pulp/api/v2/tasks/3996f1df-cf22-4156-8f8a-3dd8f26c6859/',
 '_id': {'$oid': '5a6769c62334faac0a6e2f8d'},
 '_ns': 'task_status',
 'error': {'code': 'PLP0001',
           'data': {'message': "['rsync', '-avrK', '-f+ */', '-e', u'ssh -l "
                               'c42e1c4d-878 -i /tmp/tmp.9tuyMxN5aa -o '
                               '"StrictHostKeyChecking no" -o '
                               '"UserKnownHostsFile /dev/null"\', '
                               "u'/var/cache/pulp/reserved_resource_worker-0@fedora-27-pulp-2-15-nightly/3996f1df-cf22-4156-8f8a-3dd8f26c6859/.tmp/', "
                               "u'c42e1c4d-878@fedora-27-pulp-2-15-nightly:/home/c42e1c4d-878/']\n"
                               '/bin/sh: rsync: command not found\n'},
           'description': 'A general pulp exception occurred',
           'sub_errors': []},

A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R

I then re-ran the rsync distributor tests, and lo, they succeeded. The SELinux tools provide some guidance on what went wrong:

[root@fedora-27-pulp-2-15-nightly ~]# audit2allow -al

#============= celery_t ==============

#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t rsync_exec_t:file { execute execute_no_trans getattr map open read };

#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t ssh_exec_t:file { execute execute_no_trans map open read };
[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1516727562.872:3915): avc:  denied  { getattr } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3916): avc:  denied  { execute } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3917): avc:  denied  { read } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3918): avc:  denied  { open } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3919): avc:  denied  { execute_no_trans } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3920): avc:  denied  { map } for  pid=5866 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3921): avc:  denied  { execute } for  pid=5867 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3922): avc:  denied  { read open } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3923): avc:  denied  { execute_no_trans } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3924): avc:  denied  { map } for  pid=5867 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.319:3965): avc:  denied  { getattr } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.319:3966): avc:  denied  { execute } for  pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.320:3967): avc:  denied  { read } for  pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.320:3968): avc:  denied  { open } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.321:3969): avc:  denied  { execute_no_trans } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.321:3970): avc:  denied  { map } for  pid=5893 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.325:3971): avc:  denied  { execute } for  pid=5894 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.325:3972): avc:  denied  { read open } for  pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.325:3973): avc:  denied  { execute_no_trans } for  pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.339:3974): avc:  denied  { map } for  pid=5894 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4012): avc:  denied  { getattr } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4013): avc:  denied  { execute } for  pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4014): avc:  denied  { read } for  pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4015): avc:  denied  { open } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4016): avc:  denied  { execute_no_trans } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4017): avc:  denied  { map } for  pid=5921 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4018): avc:  denied  { execute } for  pid=5922 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4019): avc:  denied  { read open } for  pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4020): avc:  denied  { execute_no_trans } for  pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4021): avc:  denied  { map } for  pid=5922 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727564.044:4050): avc:  denied  { getattr } for  pid=5946 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
[snip!]

Here are the relevant packages on the F27 host:

[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
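The triage in the report above rests on reading AVC records out of audit.log and collapsing them into per-domain allow rules, which is what audit2allow -al did for the reporter. The following is an added example, not code from the issue or from the Pulp project: a small, readable reimplementation of that grouping step in Python, so the result can be checked against the audit2allow output quoted above. Two input lines are copied from the reporter's audit.log excerpt; the third AVC line and the non-AVC USER_AUTH line are constructed to show grouping across target types and filtering of unrelated records. Unlike audit2allow, it does not consult the loaded policy, so it cannot name the boolean (pulp_manage_rsync here) that would already cover a rule.

```python
import re
from collections import defaultdict

# Constructed sample: the first two AVC lines are copied from the issue's
# audit.log excerpt, the third is constructed (same shape, ssh_exec_t target),
# and the USER_AUTH line is a constructed non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1516727562.872:3915): avc:  denied  { getattr } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3916): avc:  denied  { execute } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3922): avc:  denied  { read open } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=USER_AUTH msg=audit(1516727570.000:3999): pid=6000 uid=0 msg='op=PAM:authentication acct="root" exe="/usr/bin/sudo" res=success'
"""

# One AVC record: verdict, the permission set in braces, source/target
# contexts, object class, and the optional permissive flag.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Third field of user:role:type[:range] is the SELinux type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but still allowed,
        # which is what the reporter's log shows after setenforce 0.
        "permissive": m.group("permissive") == "1",
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        rules[(rec["source_type"], rec["target_type"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Print each group in the allow-rule form audit2allow uses."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def count_by_mode(log_text):
    """How many denials were actually enforced versus only logged."""
    counts = {"enforced": 0, "permissive": 0}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        counts["permissive" if rec["permissive"] else "enforced"] += 1
    return counts


if __name__ == "__main__":
    rules = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(rules):
        print(rule)
    print(count_by_mode(SAMPLE_AUDIT_LOG))
```

The grouped rule for celery_t on rsync_exec_t matches the first rule audit2allow printed above, apart from permissions only present in the full log. On a real host the next check is whether a policy boolean already covers the group; audit2allow reported pulp_manage_rsync for both rules, and getsebool pulp_manage_rsync shows its current state, which narrows the fix to one boolean instead of running the worker permissive.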
Actions #1

Updated by dalley about 6 years ago

  • Sprint/Milestone set to 53
  • Triaged changed from No to Yes
Actions #2

Updated by dalley about 6 years ago

  • Status changed from NEW to ASSIGNED
Actions #3

Updated by jortel@redhat.com about 6 years ago

  • Sprint/Milestone changed from 53 to 54
Actions #4

Updated by dalley about 6 years ago

  • Assignee set to dalley
Actions #5

Updated by Ichimonji10 about 6 years ago

  • Platform Release set to 2.15.2
Actions #6

Updated by Ichimonji10 about 6 years ago

  • Platform Release deleted (2.15.2)
Actions #7

Updated by dalley about 6 years ago

  • Status changed from ASSIGNED to CLOSED - WORKSFORME
Actions #8

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 32
Actions #9

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (54)
Actions #10

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added