Issue #3313

closed

rsync distributor broken on Fedora 27 due to SELinux denials

Added by Ichimonji10 over 6 years ago. Updated about 5 years ago.

Status:
CLOSED - WORKSFORME
Priority:
Normal
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 32
Quarter:

Description

The rsync distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the rsync distributor with Pulp Smash:

python -m unittest pulp_smash.tests.pulp2.rpm.api_v2.test_rsync_distributor

Five of the eleven or so tests will fail, due to errors like this:

{'_href': '/pulp/api/v2/tasks/3996f1df-cf22-4156-8f8a-3dd8f26c6859/',
 '_id': {'$oid': '5a6769c62334faac0a6e2f8d'},
 '_ns': 'task_status',
 'error': {'code': 'PLP0001',
           'data': {'message': "['rsync', '-avrK', '-f+ */', '-e', u'ssh -l "
                               'c42e1c4d-878 -i /tmp/tmp.9tuyMxN5aa -o '
                               '"StrictHostKeyChecking no" -o '
                               '"UserKnownHostsFile /dev/null"\', '
                               "u'/var/cache/pulp/reserved_resource_worker-0@fedora-27-pulp-2-15-nightly/3996f1df-cf22-4156-8f8a-3dd8f26c6859/.tmp/', "
                               "u'c42e1c4d-878@fedora-27-pulp-2-15-nightly:/home/c42e1c4d-878/']\n"
                               '/bin/sh: rsync: command not found\n'},
           'description': 'A general pulp exception occurred',
           'sub_errors': []},

A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R

I then re-ran the rsync distributor tests, and lo, they succeeded. The SELinux tools provide some guidance on what went wrong:

[root@fedora-27-pulp-2-15-nightly ~]# audit2allow -al

#============= celery_t ==============

#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t rsync_exec_t:file { execute execute_no_trans getattr map open read };

#!!!! This avc can be allowed using the boolean 'pulp_manage_rsync'
allow celery_t ssh_exec_t:file { execute execute_no_trans map open read };
[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1516727562.872:3915): avc:  denied  { getattr } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3916): avc:  denied  { execute } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3917): avc:  denied  { read } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3918): avc:  denied  { open } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3919): avc:  denied  { execute_no_trans } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.873:3920): avc:  denied  { map } for  pid=5866 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3921): avc:  denied  { execute } for  pid=5867 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3922): avc:  denied  { read open } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3923): avc:  denied  { execute_no_trans } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.878:3924): avc:  denied  { map } for  pid=5867 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.319:3965): avc:  denied  { getattr } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.319:3966): avc:  denied  { execute } for  pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1                 
type=AVC msg=audit(1516727563.320:3967): avc:  denied  { read } for  pid=5893 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1             
type=AVC msg=audit(1516727563.320:3968): avc:  denied  { open } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1            
type=AVC msg=audit(1516727563.321:3969): avc:  denied  { execute_no_trans } for  pid=5893 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.321:3970): avc:  denied  { map } for  pid=5893 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1516727563.325:3971): avc:  denied  { execute } for  pid=5894 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1                   
type=AVC msg=audit(1516727563.325:3972): avc:  denied  { read open } for  pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1        
type=AVC msg=audit(1516727563.325:3973): avc:  denied  { execute_no_trans } for  pid=5894 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.339:3974): avc:  denied  { map } for  pid=5894 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4012): avc:  denied  { getattr } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4013): avc:  denied  { execute } for  pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4014): avc:  denied  { read } for  pid=5921 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.719:4015): avc:  denied  { open } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4016): avc:  denied  { execute_no_trans } for  pid=5921 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.720:4017): avc:  denied  { map } for  pid=5921 comm="rsync" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4018): avc:  denied  { execute } for  pid=5922 comm="rsync" name="ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4019): avc:  denied  { read open } for  pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4020): avc:  denied  { execute_no_trans } for  pid=5922 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727563.722:4021): avc:  denied  { map } for  pid=5922 comm="ssh" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727564.044:4050): avc:  denied  { getattr } for  pid=5946 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
[snip!]

Here are the relevant packages on the F27 host:

[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
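The audit.log excerpt above is what an operator has to read by hand to see which domain was blocked from which file type and with which permissions. The script below is an added example, not part of the issue or of Pulp, that parses AVC records of exactly that shape, collapses them into the same `allow source target:class { perms };` rules `audit2allow -al` prints, and flags the `permissive=1` field, which tells you the denials were only logged (the host was already in permissive mode, as it was here after `setenforce 0`) rather than enforced. The sample log lines are constructed from the ones in the issue, and the `BOOLEAN_HINTS` table is taken from the issue's own `audit2allow` output (`pulp_manage_rsync` covering the `rsync_exec_t` and `ssh_exec_t` denials); it is a hard-coded hint for this case, not a general policy lookup.

```python
"""Summarise SELinux AVC denials from an audit.log excerpt (added example, not Pulp code)."""
import re
from collections import defaultdict

# Constructed sample input, shaped like the issue's `grep denied /var/log/audit/audit.log`
# output: four AVC denials plus one non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1516727562.872:3915): avc:  denied  { getattr } for  pid=5866 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3916): avc:  denied  { execute } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.872:3917): avc:  denied  { read } for  pid=5866 comm="sh" name="rsync" dev="dm-0" ino=433599 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1516727562.876:3922): avc:  denied  { read open } for  pid=5867 comm="rsync" path="/usr/bin/ssh" dev="dm-0" ino=386915 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1516727562.876:3922): arch=c000003e syscall=59 success=yes exit=0
"""

# Fields of an AVC record we care about. `perms` is the space-separated set inside the braces.
AVC_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
PERMISSIVE_RE = re.compile(r'\bpermissive=(?P<flag>[01])')

# Hint table copied from the issue's `audit2allow -al` output; NOT a general policy lookup.
# On a real host, ask the policy: `audit2allow -al` or `sesearch`.
BOOLEAN_HINTS = {
    ('celery_t', 'rsync_exec_t'): 'pulp_manage_rsync',
    ('celery_t', 'ssh_exec_t'): 'pulp_manage_rsync',
}


def context_type(ctx):
    """'system_u:system_r:celery_t:s0' -> 'celery_t' (the type is the third field)."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    p = PERMISSIVE_RE.search(line)
    return {
        'decision': m['decision'],
        'perms': frozenset(m['perms'].split()),
        'source': context_type(m['scontext']),
        'target': context_type(m['tcontext']),
        'tclass': m['tclass'],
        # permissive=1 means the access was logged but allowed to proceed.
        'permissive': p is not None and p['flag'] == '1',
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class), like audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied':
            rules[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def render_allow_rules(rules):
    """Render grouped denials as the `allow` statements audit2allow would print."""
    return [
        f'allow {src} {tgt}:{cls} {{ {" ".join(sorted(perms))} }};'
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def suggest_booleans(rules):
    """Booleans from the hint table that would cover the observed (source, target) pairs."""
    return sorted({BOOLEAN_HINTS[(s, t)] for (s, t, _) in rules if (s, t) in BOOLEAN_HINTS})


def count_permissive(log_text):
    """(denials recorded with permissive=1, total denials): if equal, nothing was enforced."""
    recs = [parse_avc(l) for l in log_text.splitlines()]
    denied = [r for r in recs if r and r['decision'] == 'denied']
    return sum(r['permissive'] for r in denied), len(denied)


if __name__ == '__main__':
    rules = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in render_allow_rules(rules):
        print(rule)
    print('booleans that may cover these denials:', suggest_booleans(rules))
    permissive, total = count_permissive(SAMPLE_AUDIT_LOG)
    print(f'{permissive}/{total} denials logged in permissive mode (not enforced)')
```

Run it as-is for the constructed sample, or pipe a real `grep denied /var/log/audit/audit.log` into `summarize_denials`. The grouping is the same one `audit2allow` performs; the difference is that the boolean suggestion here is a fixed table, so treat it as a prompt to check `getsebool pulp_manage_rsync` rather than as a verdict.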
