Issue #3314

closed

puppet install distributor broken on F27 due to SELinux denials

Added by Ichimonji10 over 6 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.15.2
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 32
Quarter:

Description

The puppet install distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the puppet install distributor with Pulp Smash:

python -m unittest pulp_smash.tests.pulp2.puppet.api_v2.test_install_distributor.InstallDistributorTestCase

The test will fail with an error like this:

{'_href': '/pulp/api/v2/tasks/370d4a99-1b6f-4072-86e0-7394f671b509/',
 '_id': {'$oid': '5a6776e9d94ea9537829c177'},
 '_ns': 'task_status',
 'error': {'code': 'PLP0034',
           'data': {'distributor_id': '08f262e9-b836-48fa-a507-60c46cdd4961',
                    'repo_id': '01de7a59-f33a-441f-95ce-bbbddea2b8ca',
                    'summary': 'failed to clear destination directory: [Errno '
                               "13] Permission denied: '/tmp/tmp.Zy2tX1sYDl'"},
           'description': 'The distributor '
                          '08f262e9-b836-48fa-a507-60c46cdd4961 indicated a '
                          'failed response when publishing repository '
                          '01de7a59-f33a-441f-95ce-bbbddea2b8ca.',
           'sub_errors': []},
 'exception': None,
 'finish_time': '2018-01-23T17:54:49Z',
 'id': '5a6776e9d94ea9537829c177',
 'progress_report': {},
 'queue': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly.dq',
 'result': None,
 'spawned_tasks': [],
 'start_time': '2018-01-23T17:54:49Z',
 'state': 'error',
 'tags': ['pulp:repository:01de7a59-f33a-441f-95ce-bbbddea2b8ca',
          'pulp:action:publish'],
 'task_id': '370d4a99-1b6f-4072-86e0-7394f671b509',
 'task_type': 'pulp.server.managers.repo.publish.publish',
 'traceback': 'SNIP!',
 'worker_name': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly'}

Here's the SNIPped traceback, properly formatted:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 367, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 529, in __call__
    return super(Task, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 107, in __call__
    return super(PulpTask, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 622, in __protected_call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1109, in publish
    result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1206, in check_publish
    result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1264, in _do_publish
    distributor_id=dist_id, summary=publish_report.summary
PulpCodedException: The distributor 08f262e9-b836-48fa-a507-60c46cdd4961 indicated a failed response when publishing repository 01de7a59-f33a-441f-95ce-bbbddea2b8ca.

A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R

I then re-ran the puppet install distributor tests, and lo, they succeeded. audit2allow -al doesn't give any indication as to what went wrong, but the audit log does:

[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1516730089.254:519): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc:  denied  { getattr } for  pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0

Here are the relevant packages installed on the target host:

[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
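
An added example, not part of the original report or of Pulp's own code: a short Python parser that groups the AVC denials quoted in the description by source type, target type and object class, so the denied permissions and the affected directory can be read off directly. The function names are illustrative; the sample records are copied from the audit log excerpt in this issue.

```python
import re
from collections import defaultdict

# Sample input: the three AVC records quoted in the issue description.
AUDIT_LINES = [
    'type=AVC msg=audit(1516730089.254:519): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1516730094.572:520): avc:  denied  { getattr } for  pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1516730094.572:521): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other audit record."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    record = {key: value.strip('"') for key, value in FIELD_RE.findall(match['fields'])}
    record['perms'] = match['perms'].split()
    record['serial'] = int(match['serial'])
    return record


def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(':')[2]


def summarize(lines):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set(), 'count': 0, 'enforced': False})
    for line in lines:
        record = parse_avc(line)
        if record is None:
            continue
        key = (selinux_type(record['scontext']), selinux_type(record['tcontext']), record['tclass'])
        group = groups[key]
        group['perms'].update(record['perms'])
        group['objects'].add(record.get('path') or record.get('name'))
        group['count'] += 1
        # permissive=0 means the kernel enforced the denial rather than only logging it.
        group['enforced'] |= record.get('permissive') == '0'
    return dict(groups)


if __name__ == '__main__':
    for (source, target, tclass), group in summarize(AUDIT_LINES).items():
        print(f"{source} -> {target}:{tclass} denied {sorted(group['perms'])} "
              f"x{group['count']} enforced={group['enforced']} on {sorted(group['objects'])}")
```
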
Actions #1

Updated by Ichimonji10 over 6 years ago

  • Project changed from RPM Support to Puppet Support
Actions #2

Updated by dalley over 6 years ago

  • Sprint/Milestone set to 53
  • Triaged changed from No to Yes
Actions #3

Updated by bizhang over 6 years ago

  • Status changed from NEW to POST
  • Assignee set to bizhang
Actions #4

Updated by jortel@redhat.com over 6 years ago

  • Sprint/Milestone changed from 53 to 54

Added by werwty over 6 years ago

Revision c5373a43

Update pulp puppet selinux policies

closes #3314 https://pulp.plan.io/issues/3314

Actions #5

Updated by werwty over 6 years ago

  • Status changed from POST to MODIFIED
Actions #6

Updated by bmbouter over 6 years ago

  • Platform Release set to 2.15.2

Added by werwty over 6 years ago

Revision f4f0ac47

Update pulp puppet selinux policies

closes #3314 https://pulp.plan.io/issues/3314

(cherry picked from commit c5373a43bb1a537689dd08f03a169f13ab514133)

Actions #8

Updated by daviddavis over 6 years ago

  • Status changed from MODIFIED to 5
Actions #9

Updated by pthomas@redhat.com over 6 years ago

Automated tests pass on Fedora 27

Actions #10

Updated by bmbouter over 6 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #11

Updated by bmbouter over 6 years ago

  • Sprint set to Sprint 32
Actions #12

Updated by bmbouter over 6 years ago

  • Sprint/Milestone deleted (54)
Actions #13

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
