Issue #3313

rsync distributor broken on Fedora 27 due to SELinux denials

Added by Ichimonji10 almost 4 years ago. Updated over 2 years ago.

Status:
CLOSED - WORKSFORME
Priority:
Normal
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 32
Quarter:

Description

The rsync distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the rsync distributor with Pulp Smash:

python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_rsync_distributor

Five of the eleven or so tests will fail, due to errors like this:

{'_href': '/pulp/api/v2/tasks/3996f1df-cf22-4156-8f8a-3dd8f26c6859/',
 '_id': {'$oid': '5a6769c62334faac0a6e2f8d'},
 '_ns': 'task_status',
 'error': {'code': 'PLP0001',
           'data': {'message': "['rsync', '-avrK', '-f+ */', '-e', u'ssh -l "
                               'c42e1c4d-878 -i /tmp/tmp.9tuyMxN5aa -o '
                               '"StrictHostKeyChecking no" -o '
                               '"UserKnownHostsFile /dev/null"\', '
                               "u'/var/cache/pulp/reserved_resource_worker-0@fedora-27-pulp-2-15-nightly/3996f1df-cf22-4156-8f8a-3dd8f26c6859/.tmp/', "
                               "u'c42e1c4d-878@fedora-27-pulp-2-15-nightly:/home/c42e1c4d-878/']\n"
                               '/bin/sh: rsync: command not found\n'},
           'description': 'A general pulp exception occurred',
           'sub_errors': []},

A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R

I then re-ran the rsync distributor tests, and lo, they succeeded. The SELinux tools provide some guidance on what went wrong:

[root@fedora-27-pulp-2-15-nightly ~]# audit2allow -al

#============= celery_t ==============

#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t rsync_exec_t:file { execute execute_no_trans getattr map open read };

#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t ssh_exec_t:file { execute execute_no_trans map open read };
[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log                                                                                                                                                                                
type=AVC msg=audit(1516727562.872:3915): avc:  denied  { getattr } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1         
type=AVC msg=audit(1516727562.872:3916): avc:  denied  { execute } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1                 
type=AVC msg=audit(1516727562.872:3917): avc:  denied  { read } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1             
type=AVC msg=audit(1516727562.873:3918): avc:  denied  { open } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1            
type=AVC msg=audit(1516727562.873:3919): avc:  denied  { execute_no_trans } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3920): avc:  denied  { map } for  pid=5866 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1516727562.876:3921): avc:  denied  { execute } for  pid=5867 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1                   
type=AVC msg=audit(1516727562.876:3922): avc:  denied  { read open } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1        
type=AVC msg=audit(1516727562.878:3923): avc:  denied  { execute_no_trans } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3924): avc:  denied  { map } for  pid=5867 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1                
type=AVC msg=audit(1516727563.319:3965): avc:  denied  { getattr } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1         
type=AVC msg=audit(1516727563.319:3966): avc:  denied  { execute } for  pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1                 
type=AVC msg=audit(1516727563.320:3967): avc:  denied  { read } for  pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1             
type=AVC msg=audit(1516727563.320:3968): avc:  denied  { open } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1            
type=AVC msg=audit(1516727563.321:3969): avc:  denied  { execute_no_trans } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.321:3970): avc:  denied  { map } for  pid=5893 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1516727563.325:3971): avc:  denied  { execute } for  pid=5894 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1                   
type=AVC msg=audit(1516727563.325:3972): avc:  denied  { read open } for  pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1        
type=AVC msg=audit(1516727563.325:3973): avc:  denied  { execute_no_trans } for  pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.339:3974): avc:  denied  { map } for  pid=5894 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4012): avc:  denied  { getattr } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4013): avc:  denied  { execute } for  pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4014): avc:  denied  { read } for  pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4015): avc:  denied  { open } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4016): avc:  denied  { execute_no_trans } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4017): avc:  denied  { map } for  pid=5921 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4018): avc:  denied  { execute } for  pid=5922 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4019): avc:  denied  { read open } for  pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4020): avc:  denied  { execute_no_trans } for  pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4021): avc:  denied  { map } for  pid=5922 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727564.044:4050): avc:  denied  { getattr } for  pid=5946 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
[snip!]

Here are the relevant packages on the F27 host:

[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
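Added example, not part of this issue or of Pulp's own code: a small Python parser that groups AVC records the way the audit2allow summary above does, keyed by source type, target type and object class, and counts how many were logged with permissive=1 (audited but not enforced, which is why the tests pass after setenforce 0). The sample input uses three records from the issue's audit.log excerpt plus one constructed non-AVC record; AVC_RE, summarize_denials and format_rules are names chosen here.

```python
import re
from collections import defaultdict

# Sample input: three AVC records quoted in the issue, plus one constructed
# non-AVC record to show that unrelated audit types are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1516727562.872:3915): avc:  denied  { getattr } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3916): avc:  denied  { execute } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3922): avc:  denied  { read open } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=USER_AUTH msg=audit(1516727500.000:3900): pid=1 uid=0 msg='op=PAM:authentication'
"""

# Matches the fields of an AVC denial; permissive=N is optional because
# older audit versions do not emit it.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class).

    Returns ({(src, tgt, cls): sorted perms}, permissive_count). The keys
    correspond one-to-one with the allow rules audit2allow would print.
    """
    rules = defaultdict(set)
    permissive = 0
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. USER_AUTH)
        key = (selinux_type(m['scontext']), selinux_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
        if m['permissive'] == '1':
            permissive += 1
    return {k: sorted(v) for k, v in rules.items()}, permissive

def format_rules(rules):
    """Render grouped denials in the allow-rule form audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(rules.items())]

if __name__ == '__main__':
    rules, permissive = summarize_denials(SAMPLE_AUDIT)
    print('\n'.join(format_rules(rules)))
    print(f'{permissive} denials were logged in permissive mode (not enforced)')
```

Run it over /var/log/audit/audit.log to get the same grouping without audit2allow; a non-zero permissive count is the tell that the host is not actually enforcing the policy.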

History

#1 Updated by dalley over 3 years ago

  • Sprint/Milestone set to 53
  • Triaged changed from No to Yes

#2 Updated by dalley over 3 years ago

  • Status changed from NEW to ASSIGNED

#3 Updated by jortel@redhat.com over 3 years ago

  • Sprint/Milestone changed from 53 to 54

#4 Updated by dalley over 3 years ago

  • Assignee set to dalley

#5 Updated by Ichimonji10 over 3 years ago

  • Platform Release set to 2.15.2

#6 Updated by Ichimonji10 over 3 years ago

  • Platform Release deleted (2.15.2)

#7 Updated by dalley over 3 years ago

  • Status changed from ASSIGNED to CLOSED - WORKSFORME

#8 Updated by bmbouter over 3 years ago

  • Sprint set to Sprint 32

#9 Updated by bmbouter over 3 years ago

  • Sprint/Milestone deleted (54)

#10 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
