Issue #616

closed

2 scenarios of Permission denied when exporting repo

Added by igulina@redhat.com about 9 years ago. Updated almost 3 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
2.5
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2, SELinux
Sprint:
Quarter:

Description

Description of problem:
2 scenarios of Permission denied when exporting repo:

1) exporting to a non-existing repo returns Permission denied error, but creates a specified repo and completes an export
2) exporting to an existing repo returns Permission denied error, and doesn't export anything

Version-Release number of selected component (if applicable):

rpm -qa | grep pulp-server

pulp-server-2.5.0-0.18.rc.fc20.noarch

How reproducible:
always

Steps to Reproduce:

pulp-admin rpm repo list

--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------

Id: gena
Display Name: gena
Description: None
Content Unit Counts:
Rpm: 2

ls -l | grep tmp

drwxrwxrwt. 8 apache apache 4096 Nov 13 13:27 tmp

ls -l /tmp

total 4
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87

pulp-admin rpm repo export run --repo-id gena --export-dir /tmp/blabla

--------------------------------------------------------------------
Publishing Repository [gena]
--------------------------------------------------------------------

The following publish configuration options will be used:

Export Dir: /tmp/blabla

This command may be exited via ctrl+c without affecting the request.

Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
2 of 2 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[-]
... completed

Publishing Comps file
[-]
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Copying files
[-]
... failed
[(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor/repodata',
u'/tmp/blabla/gena/repodata', "[Errno 13] Permission denied:
'/tmp/blabla/gena/repodata'"),
(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor',
u'/tmp/blabla/gena', "[Errno 13] Permission denied: '/tmp/blabla/gena'")]

Task Failed

[(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor/repodata',
u'/tmp/blabla/gena/repodata', "[Errno 13] Permission denied:
'/tmp/blabla/gena/repodata'"),
(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor',
u'/tmp/blabla/gena', "[Errno 13] Permission denied: '/tmp/blabla/gena'")]

ls -l /tmp

total 8
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 blabla
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87

ls -l /tmp/blabla/

total 4
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 gena

And now we export it to the existing directory:

mkdir /tmp/gena_export
chown apache:apache /tmp/gena_export/
ls -l /tmp

total 12
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 blabla
drwxr-xr-x. 2 apache apache 4096 Nov 13 13:30 gena_export
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87

pulp-admin rpm repo export run --repo-id gena --export-dir /tmp/gena_export

--------------------------------------------------------------------
Publishing Repository [gena]
--------------------------------------------------------------------

The following publish configuration options will be used:

Export Dir: /tmp/gena_export

This command may be exited via ctrl+c without affecting the request.

Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
2 of 2 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[-]
... completed

Publishing Comps file
[-]
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Copying files
[-]
... failed
[Errno 13] Permission denied: '/tmp/gena_export/gena'

Task Failed

[Errno 13] Permission denied: '/tmp/gena_export/gena'

And ta-dam! It's empty!

ls -l /tmp/gena_export/

total 0

+ This bug was cloned from Bugzilla Bug #1163810 +


Files

7667cbd5d748c4829443218302a93055 (9.71 KB) 7667cbd5d748c4829443218302a93055 igulina@redhat.com, 02/28/2015 11:44 PM
Actions #1

Updated by mhrivnak about 9 years ago

Could this have been caused by selinux?

+ This comment was cloned from Bugzilla #1163810 comment 1 +

Actions #2

Updated by igulina@redhat.com about 9 years ago

Right, it happens with Enforcing selinux; in Permissive mode everything is ok.

+ This comment was cloned from Bugzilla #1163810 comment 2 +

Actions #3

Updated by igulina@redhat.com about 9 years ago

stacktrace

less /var/log/audit/audit.log | grep avc

type=AVC msg=audit(1416375562.269:321086): avc: denied { setattr } for pid=15885 comm="celery" name="repodata" dev="xvda1" ino=626175 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1416375562.278:321087): avc: denied { setattr } for pid=15885 comm="celery" name="zoo" dev="xvda1" ino=626166 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=USER_AVC msg=audit(1416375686.738:321091): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1416375707.544:321117): avc: denied { setattr } for pid=20675 comm="celery" name="repodata" dev="xvda1" ino=626031 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

+ This comment was cloned from Bugzilla #1163810 comment 3 +

Actions #4

Updated by bcourt about 9 years ago

  • Project changed from Pulp to RPM Support
Actions #5

Updated by bmbouter about 9 years ago

  • Severity changed from Medium to 2. Medium
Actions #6

Updated by Ichimonji10 almost 8 years ago

This issue also affects me. I can create a directory like this:

file=$(mktemp --directory)
setfacl -m user:apache:rwx "$file"
setfacl -m default:apache:rwx "$file"

Or like this:

file=$(sudo --user apache mktemp --directory)

Or like this:

file=$(mktemp --directory)
chmod 777 "$file"

After creating the directory, I can use it in manual testing:

sudo -u apache touch "${file}/foo"
sudo -u apache mkdir "${file}/bar"
sudo -u apache touch "${file}/bar/biz"
sudo -u apache python -c 'import os; os.makedirs("/tmp/…/abc/123")'

However, when I attempt to publish a repository into this directory using an
"export" distributor, Pulp fails with a "permission denied" error. The error
names "/tmp/${file}/foo" as the culprit.

Actions #8

Updated by bmbouter almost 8 years ago

  • Parent issue set to #1826
Actions #9

Updated by bmbouter almost 8 years ago

  • Tags SELinux added
Actions #10

Updated by bmbouter almost 8 years ago

  • Parent issue deleted (#1826)
Actions #11

Updated by bmbouter almost 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #12

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
