Issue #3314

closed

puppet install distributor broken on F27 due to SELinux denials

Added by Ichimonji10 about 6 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.15.2
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 32
Quarter:

Description

The puppet install distributor for Pulp 2.15 nightlies is broken on Fedora 27 due to SELinux denials. The easiest way to figure this out is to run the functional tests for the puppet install distributor with Pulp Smash:

python -m unittest pulp_smash.tests.pulp2.puppet.api_v2.test_install_distributor.InstallDistributorTestCase

The test will fail with an error like this:

{'_href': '/pulp/api/v2/tasks/370d4a99-1b6f-4072-86e0-7394f671b509/',
 '_id': {'$oid': '5a6776e9d94ea9537829c177'},
 '_ns': 'task_status',
 'error': {'code': 'PLP0034',
           'data': {'distributor_id': '08f262e9-b836-48fa-a507-60c46cdd4961',
                    'repo_id': '01de7a59-f33a-441f-95ce-bbbddea2b8ca',
                    'summary': 'failed to clear destination directory: [Errno '
                               "13] Permission denied: '/tmp/tmp.Zy2tX1sYDl'"},
           'description': 'The distributor '
                          '08f262e9-b836-48fa-a507-60c46cdd4961 indicated a '
                          'failed response when publishing repository '
                          '01de7a59-f33a-441f-95ce-bbbddea2b8ca.',
           'sub_errors': []},
 'exception': None,
 'finish_time': '2018-01-23T17:54:49Z',
 'id': '5a6776e9d94ea9537829c177',
 'progress_report': {},
 'queue': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly.dq',
 'result': None,
 'spawned_tasks': [],
 'start_time': '2018-01-23T17:54:49Z',
 'state': 'error',
 'tags': ['pulp:repository:01de7a59-f33a-441f-95ce-bbbddea2b8ca',
          'pulp:action:publish'],
 'task_id': '370d4a99-1b6f-4072-86e0-7394f671b509',
 'task_type': 'pulp.server.managers.repo.publish.publish',
 'traceback': 'SNIP!',
 'worker_name': 'reserved_resource_worker-0@fedora-27-pulp-2-15-nightly'}

Here's the SNIPped traceback, properly formatted:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 367, in trace_task
    R = retval = fun(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 529, in __call__
    return super(Task, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 107, in __call__
    return super(PulpTask, self).__call__(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 622, in __protected_call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1109, in publish
    result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1206, in check_publish
    result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)
  File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1264, in _do_publish
    distributor_id=dist_id, summary=publish_report.summary
PulpCodedException: The distributor 08f262e9-b836-48fa-a507-60c46cdd4961 indicated a failed response when publishing repository 01de7a59-f33a-441f-95ce-bbbddea2b8ca.

A quick look into /var/log/audit/audit.log on the target host indicates that SELinux is the culprit. To verify, I executed the following:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R

I then re-ran the puppet install distributor tests, and lo, they succeeded. audit2allow -al doesn't give any indication as to what went wrong, but the audit log does:

[root@fedora-27-pulp-2-15-nightly ~]# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1516730089.254:519): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc:  denied  { getattr } for  pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0

Here are the relevant packages installed on the target host:

[root@fedora-27-pulp-2-15-nightly ~]# rpm -qa | grep pulp | sort
pulp-admin-client-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-deb-admin-extensions-1.6.0-1.fc27.noarch
pulp-deb-plugins-1.6.0-1.fc27.noarch
pulp-docker-admin-extensions-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-docker-plugins-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
pulp-ostree-admin-extensions-1.3.0-1.fc27.noarch
pulp-ostree-plugins-1.3.0-1.fc27.noarch
pulp-puppet-admin-extensions-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-plugins-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-puppet-tools-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
pulp-python-admin-extensions-2.0.2-1.fc27.noarch
pulp-python-plugins-2.0.2-1.fc27.noarch
pulp-rpm-admin-extensions-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-rpm-plugins-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
pulp-selinux-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
pulp-server-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-bindings-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-client-lib-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-common-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-deb-common-1.6.0-1.fc27.noarch
python-pulp-docker-common-3.1.1-0.2.beta.git.3.b0dfae3.git.3.b0dfae3.fc27.noarch
python-pulp-oid_validation-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-ostree-common-1.3.0-1.fc27.noarch
python-pulp-puppet-common-2.15.1-0.2.beta.git.4.b0dfae3.git.4.b0dfae3.fc27.noarch
python-pulp-python-common-2.0.2-1.fc27.noarch
python-pulp-repoauth-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
python-pulp-rpm-common-2.15.1-0.2.beta.git.6.53ade10.git.6.53ade10.fc27.noarch
python-pulp-streamer-2.15.1-0.2.beta.git.6.b0dfae3.git.6.b0dfae3.fc27.noarch
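
An added example, not part of the original issue or of Pulp's code: a small Python parser that groups the AVC records quoted above by source type, target type and object class, so the full set of denied permissions can be read directly from the audit log. The function names are illustrative; the sample lines are copied from the audit.log excerpt in this report.

```python
import re
from collections import defaultdict

# AVC records copied from the audit.log excerpt in this issue.
SAMPLE_LOG = """\
type=AVC msg=audit(1516730089.254:519): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:520): avc:  denied  { getattr } for  pid=2472 comm="celery" path="/tmp/tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1516730094.572:521): avc:  denied  { read } for  pid=2472 comm="celery" name="tmp.Zy2tX1sYDl" dev="tmpfs" ino=51489 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    match = AVC_RE.search(line) if "type=AVC" in line else None
    if match is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    try:
        # Contexts are user:role:type:level; policy rules match on the type.
        rec["source_type"] = rec["scontext"].split(":")[2]
        rec["target_type"] = rec["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    rec["perms"] = match.group("perms").split()
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(
        lambda: {"perms": set(), "objects": set(), "enforced": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec.get("tclass", "?"))
        entry = summary[key]
        entry["perms"].update(rec["perms"])
        entry["objects"].add(rec.get("path") or rec.get("name", "?"))
        # permissive=0 means the access was actually blocked, not just logged.
        entry["enforced"] |= rec.get("permissive") == "0"
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls), e in summarize(SAMPLE_LOG).items():
        print(src, "->", tgt, cls, sorted(e["perms"]), sorted(e["objects"]),
              "blocked" if e["enforced"] else "logged only")
```
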
