Issue #3313
Closed: rsync distributor broken on Fedora 27 due to SELinux denials
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 32
Quarter:
Description
The rsync distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to reproduce this is to run the functional tests for the rsync distributor with Pulp Smash:
# Pulp Smash functional tests for the rsync distributor; on the affected
# Fedora 27 host five of the roughly eleven cases fail with the task error below.
python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_rsync_distributor
Five of the eleven or so tests will fail, due to errors like this:
{'_href': '/pulp/api/v2/tasks/3996f1df-cf22-4156-8f8a-3dd8f26c6859/',
'_id': {'$oid': '5a6769c62334faac0a6e2f8d'},
'_ns': 'task_status',
'error': {'code': 'PLP0001',
'data': {'message': "['rsync', '-avrK', '-f+ */', '-e', u'ssh -l "
'c42e1c4d-878 -i /tmp/tmp.9tuyMxN5aa -o '
'"StrictHostKeyChecking no" -o '
'"UserKnownHostsFile /dev/null"\', '
"u'/var/cache/pulp/reserved_resource_worker-0@fedora-27-pulp-2-15-nightly/3996f1df-cf22-4156-8f8a-3dd8f26c6859/.tmp/', "
"u'c42e1c4d-878@fedora-27-pulp-2-15-nightly:/home/c42e1c4d-878/']\n"
'/bin/sh: rsync: command not found\n'},
'description': 'A general pulp exception occurred',
'sub_errors': []},
A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit: the "rsync: command not found" message above is misleading, since the shell is denied even a getattr on /usr/bin/rsync. To verify, I switched SELinux to permissive mode, cleared the audit log and reloaded the policy:
# Put SELinux into permissive mode: denials are still logged (the AVC records
# below carry permissive=1) but no longer enforced. Restore enforcement with
# `setenforce 1` once the test run is done; the audit2allow output below names
# the 'pulp_manage_rsync' boolean as the intended way to permit these accesses.
setenforce 0
# Clear the audit log so only the re-run's AVC records remain. NOTE: this
# discards every earlier record; scoping the query with `ausearch -ts recent`
# would keep them.
printf '\n' > /var/log/audit/audit.log
# Reload the installed policy modules.
semodule -R
I then re-ran the rsync distributor tests, and lo, they succeeded. The SELinux tools show which accesses were denied and which boolean is meant to allow them:
[root@fedora-27-pulp-2-15-nightly ~]# audit2allow -al
#============= celery_t ==============
#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t rsync_exec_t:file { execute execute_no_trans getattr map open read };
#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t ssh_exec_t:file { execute execute_no_trans map open read };
[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1516727562.872:3915): avc: denied { getattr } for pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3916): avc: denied { execute } for pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3917): avc: denied { read } for pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3918): avc: denied { open } for pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3919): avc: denied { execute_no_trans } for pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3920): avc: denied { map } for pid=5866 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3921): avc: denied { execute } for pid=5867 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3922): avc: denied { read open } for pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3923): avc: denied { execute_no_trans } for pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3924): avc: denied { map } for pid=5867 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.319:3965): avc: denied { getattr } for pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.319:3966): avc: denied { execute } for pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.320:3967): avc: denied { read } for pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.320:3968): avc: denied { open } for pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.321:3969): avc: denied { execute_no_trans } for pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.321:3970): avc: denied { map } for pid=5893 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.325:3971): avc: denied { execute } for pid=5894 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.325:3972): avc: denied { read open } for pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.325:3973): avc: denied { execute_no_trans } for pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.339:3974): avc: denied { map } for pid=5894 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4012): avc: denied { getattr } for pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4013): avc: denied { execute } for pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4014): avc: denied { read } for pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4015): avc: denied { open } for pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4016): avc: denied { execute_no_trans } for pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4017): avc: denied { map } for pid=5921 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4018): avc: denied { execute } for pid=5922 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4019): avc: denied { read open } for pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4020): avc: denied { execute_no_trans } for pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4021): avc: denied { map } for pid=5922 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727564.044:4050): avc: denied { getattr } for pid=5946 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
[snip!]
Here are the relevant packages on the F27 host:
[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
Updated by dalley about 6 years ago
- Sprint/Milestone set to 53
- Triaged changed from No to Yes
Updated by jortel@redhat.com about 6 years ago
- Sprint/Milestone changed from 53 to 54
Updated by dalley about 6 years ago
- Status changed from ASSIGNED to CLOSED - WORKSFORME