Issue #3314

puppet install distributor broken on F27 due to SELinux denials

Added by Ichimonji10 about 4 years ago. Updated almost 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.15.2
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Sprint 32
Quarter:

Description

The puppet install distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the puppet install distributor with Pulp Smash:

python -m unittest pulp_smash.tests.pulp2.puppet.api_v2.test_install_distributor.InstallDistributorTestCase

The test will fail with an error like this:

{'_href': '/pulp/api/v2/tasks/370d4a99-1b6f-4072-86e0-7394f671b509/',
 '_id': {'$oid': '5a6776e9d94ea9537829c177'},
 '_ns': 'task_status',
 'error': {'code': 'PLP0034',
           'data': {'distributor_id': '08f262e9-b836-48fa-a507-60c46cdd4961',
                    'repo_id': '01de7a59-f33a-441f-95ce-bbbddea2b8ca',
                    'summary': 'failed to clear destination directory: [Errno '
                               "13] Permission denied: '/tmp/tmp.Zy2tX1sYDl'"},
           'description': 'The distributor '
                          '08f262e9-b836-48fa-a507-60c46cdd4961 indicated a '
                          'failed response when publishing repository '
                          '01de7a59-f33a-441f-95ce-bbbddea2b8ca.',
           'sub_errors': []},
 'exception': None,
 'finish_time': '2018-01-23T17:54:49Z',
 'id': '5a6776e9d94ea9537829c177',
 'progress_report': {},
 'queue': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly.dq',
 'result': None,
 'spawned_tasks': [],
 'start_time': '2018-01-23T17:54:49Z',
 'state': 'error',
 'tags': ['pulp:repository:01de7a59-f33a-441f-95ce-bbbddea2b8ca',
          'pulp:action:publish'],
 'task_id': '370d4a99-1b6f-4072-86e0-7394f671b509',
 'task_type': 'pulp.server.managers.repo.publish.publish',
 'traceback': 'SNIP!',
 'worker_name': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly'}

Here's the SNIPped traceback, properly formatted:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 367, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 529, in __call__
    return super(Task, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 107, in __call__
    return super(PulpTask, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 622, in __protected_call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1109, in publish
    result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1206, in check_publish
    result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1264, in _do_publish
    distributor_id=dist_id, summary=publish_report.summary
PulpCodedException: The distributor 08f262e9-b836-48fa-a507-60c46cdd4961 indicated a failed response when publishing repository 01de7a59-f33a-441f-95ce-bbbddea2b8ca.

A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R

I then re-ran the puppet install distributor tests, and lo, they succeeded. audit2allow -al doesn't give any indication as to what went wrong, but the audit log does:

[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1516730089.254:519): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc:  denied  { getattr } for  pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0

Here are the relevant packages installed on the target host:

[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
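
The denial records above carry everything a policy fix has to be written in terms of: the source type (celery_t), the target type (puppet_etc_t), the object class (dir) and the permission set. The script below is an added example, not code from this issue or from the Pulp project: it parses AVC records the way audit2allow does, groups the denials by (source type, target type, class), unions the permissions, and renders the allow rule that would be needed. The sample log is constructed from the three AVC lines quoted above plus one non-AVC SYSCALL line to show the filter; the permissive field is surfaced separately because a denial logged with permissive=0 actually blocked the access, which is the case here. Whether the right fix is that allow rule or a labelling change is a policy-author decision the script does not make.

```python
"""Parse SELinux AVC denial records and summarize the access a policy would have to grant."""
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this issue plus one SYSCALL record
# that a parser has to skip. Not a capture from a live host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1516730089.254:519): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc:  denied  { getattr } for  pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1516730094.572:521): arch=c000003e syscall=257 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, verdict, and the braced permission list.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
# key=value pairs that follow "for"; values may be quoted (comm="celery") or bare (tclass=dir).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': set(m.group('perms').split()),
    }
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    # Allow rules are written in terms of the type field (third component) of each context.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    # permissive=0 means the access was really blocked; permissive=1 means it was only logged.
    rec['permissive'] = rec.get('permissive') == '1'
    return rec


def summarize_denials(log_text):
    """Group denials by (source type, target type, class) and union their permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        needed[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(needed)


def allow_rules(summary):
    """Render each (source, target, class) -> perms entry as a policy allow rule."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append('allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms))))
    return rules


def enforcing_denials(log_text):
    """Denials that actually blocked access (permissive=0), as opposed to permissive-mode audit noise."""
    return [r for r in map(parse_avc, log_text.splitlines())
            if r is not None and r['verdict'] == 'denied' and not r['permissive']]


if __name__ == '__main__':
    summary = summarize_denials(SAMPLE_AUDIT_LOG)
    print('%d enforcing denials' % len(enforcing_denials(SAMPLE_AUDIT_LOG)))
    for rule in allow_rules(summary):
        print(rule)
```

On the sample input the summary collapses the three records into a single `allow celery_t puppet_etc_t:dir { getattr read };`, which is the shape of rule audit2allow would propose; read it as a statement of what was denied, not as the fix to ship, since granting celery_t access to all puppet_etc_t directories is broader than relabelling the one temporary directory the distributor publishes into.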

Associated revisions

Revision c5373a43
Added by werwty almost 4 years ago

Update pulp puppet selinux policies

closes #3314 https://pulp.plan.io/issues/3314

Revision f4f0ac47
Added by werwty almost 4 years ago

Update pulp puppet selinux policies

closes #3314 https://pulp.plan.io/issues/3314

(cherry picked from commit c5373a43bb1a537689dd08f03a169f13ab514133)

History

#1 Updated by Ichimonji10 about 4 years ago

  • Project changed from RPM Support to Puppet Support

#2 Updated by dalley about 4 years ago

  • Sprint/Milestone set to 53
  • Triaged changed from No to Yes

#3 Updated by bizhang almost 4 years ago

  • Status changed from NEW to POST
  • Assignee set to bizhang

#4 Updated by jortel@redhat.com almost 4 years ago

  • Sprint/Milestone changed from 53 to 54

#5 Updated by werwty almost 4 years ago

  • Status changed from POST to MODIFIED

#6 Updated by bmbouter almost 4 years ago

  • Platform Release set to 2.15.2

#8 Updated by daviddavis almost 4 years ago

  • Status changed from MODIFIED to 5

#9 Updated by pthomas@redhat.com almost 4 years ago

Automated tests pass on Fedora 27

#10 Updated by bmbouter almost 4 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#11 Updated by bmbouter almost 4 years ago

  • Sprint set to Sprint 32

#12 Updated by bmbouter almost 4 years ago

  • Sprint/Milestone deleted (54)

#13 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added