Issue #3314 (closed): puppet install distributor broken on F27 due to SELinux denials
Description
The puppet install distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the puppet install distributor with Pulp Smash:
python -m unittest pulp_smash.tests.pulp2.puppet.api_v2.test_install_distributor.InstallDistributorTestCase
The test will fail with an error like this:
{'_href': '/pulp/api/v2/tasks/370d4a99-1b6f-4072-86e0-7394f671b509/',
'_id': {'$oid': '5a6776e9d94ea9537829c177'},
'_ns': 'task_status',
'error': {'code': 'PLP0034',
'data': {'distributor_id': '08f262e9-b836-48fa-a507-60c46cdd4961',
'repo_id': '01de7a59-f33a-441f-95ce-bbbddea2b8ca',
'summary': 'failed to clear destination directory: [Errno '
"13] Permission denied: '/tmp/tmp.Zy2tX1sYDl'"},
'description': 'The distributor '
'08f262e9-b836-48fa-a507-60c46cdd4961 indicated a '
'failed response when publishing repository '
'01de7a59-f33a-441f-95ce-bbbddea2b8ca.',
'sub_errors': []},
'exception': None,
'finish_time': '2018-01-23T17:54:49Z',
'id': '5a6776e9d94ea9537829c177',
'progress_report': {},
'queue': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly.dq',
'result': None,
'spawned_tasks': [],
'start_time': '2018-01-23T17:54:49Z',
'state': 'error',
'tags': ['pulp:repository:01de7a59-f33a-441f-95ce-bbbddea2b8ca',
'pulp:action:publish'],
'task_id': '370d4a99-1b6f-4072-86e0-7394f671b509',
'task_type': 'pulp.server.managers.repo.publish.publish',
'traceback': 'SNIP!',
'worker_name': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly'}
Here's the SNIPped traceback, properly formatted:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 367, in trace_task
R = retval = fun(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 529, in __call__
return super(Task, self).__call__(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 107, in __call__
return super(PulpTask, self).__call__(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 622, in __protected_call__
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1109, in publish
result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1206, in check_publish
result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1264, in _do_publish
distributor_id=dist_id, summary=publish_report.summary
PulpCodedException: The distributor 08f262e9-b836-48fa-a507-60c46cdd4961 indicated a failed response when publishing repository 01de7a59-f33a-441f-95ce-bbbddea2b8ca.
A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:
setenforce 0
echo > /var/log/audit/audit.log
semodule -R
I then re-ran the puppet install distributor tests, and lo, they succeeded. audit2allow -al doesn't give any indication as to what went wrong, but the audit log does:
[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1516730089.254:519): avc: denied { read } for pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc: denied { getattr } for pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc: denied { read } for pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
Here are the relevant packages installed on the target host:
[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
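The rule that the three AVC records above imply, derived the way audit2allow would derive it. This is an added example for readers of the issue, not Pulp's code and not part of the report: it parses the key=value AVC records, unions the denied permissions per (source type, target type, object class) and prints the TE allow rule a policy module would need. The sample input is the three audit.log lines quoted in the report, embedded as constructed test data; the helper names are this example's own.

```python
"""Derive the SELinux allow rule implied by raw AVC denials.

Added example for issue #3314 (not Pulp's code, not part of the report).
It does by hand what audit2allow does with the same records: parse the
key=value fields of each AVC line, group denials by (source type, target
type, object class) and emit the TE rule the policy would have to grant.
"""
import re
from collections import defaultdict

# Sample input: the AVC records quoted in the report (single-spaced as quoted).
AUDIT_LOG = """\
type=AVC msg=audit(1516730089.254:519): avc: denied { read } for pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc: denied { getattr } for pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc: denied { read } for pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
"""

# "avc:  denied  { read write } for" -> verdict and the permission set.
# \s+ absorbs the double spaces real audit.log lines carry.
VERDICT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
# key=value pairs; values are either double-quoted or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:level] -> type (works for MLS/MCS contexts too)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for any other kind of audit record."""
    verdict = VERDICT_RE.search(line)
    if verdict is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return {
        "verdict": verdict.group(1),
        "perms": frozenset(verdict.group(2).split()),
        "comm": fields.get("comm"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access went through and was only logged;
        # permissive=0 (as in the report) means it was really blocked.
        "permissive": fields.get("permissive") == "1",
    }


def derive_allow_rules(log_text):
    """Union the denied permissions per (stype, ttype, tclass) into TE rules."""
    needed = defaultdict(set)
    for ln in log_text.splitlines():
        rec = parse_avc(ln)
        if rec is None or rec["verdict"] != "denied":
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(needed.items())
    ]


def enforced_denials(log_text):
    """Count denials that were actually blocked (permissive=0)."""
    recs = (parse_avc(ln) for ln in log_text.splitlines())
    return sum(1 for r in recs if r and r["verdict"] == "denied" and not r["permissive"])


if __name__ == "__main__":
    for rule in derive_allow_rules(AUDIT_LOG):
        print(rule)
```

For the three records above this yields a single rule, allow celery_t puppet_etc_t:dir { getattr read };, which is exactly the access the worker needs to clear and repopulate the install directory. Two things worth checking before turning such a rule into a policy change: that every record has permissive=0 (otherwise the denial is only advisory and something else failed), and that the target label is the one you intended, since here a directory under /tmp on tmpfs carries puppet_etc_t rather than the default tmp_t, so the rule grants celery_t access to Puppet configuration directories in general, not just to that temporary path.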
Updated by Ichimonji10 almost 7 years ago
- Project changed from RPM Support to Puppet Support
Updated by dalley almost 7 years ago
- Sprint/Milestone set to 53
- Triaged changed from No to Yes
Updated by bizhang almost 7 years ago
- Status changed from NEW to POST
- Assignee set to bizhang
Updated by jortel@redhat.com almost 7 years ago
- Sprint/Milestone changed from 53 to 54
Added by werwty almost 7 years ago
Updated by werwty almost 7 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulp:pulp|c5373a43bb1a537689dd08f03a169f13ab514133.
Added by werwty almost 7 years ago
Revision f4f0ac47 | View on GitHub
Update pulp puppet selinux policies
closes #3314 https://pulp.plan.io/issues/3314
(cherry picked from commit c5373a43bb1a537689dd08f03a169f13ab514133)
Updated by werwty almost 7 years ago
Applied in changeset pulp:pulp|f4f0ac479a7d636c74faa4d059b1b4722ce12ba6.
Updated by bmbouter almost 7 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Update pulp puppet selinux policies
closes #3314 https://pulp.plan.io/issues/3314