Issue #616
closed
2 scenarios of Permission denied when exporting repo
Description
Description of problem:
2 scenarios of Permission denied when exporting repo:
1) exporting to a non-existing repo returns Permission denied error, but creates a specified repo and completes an export
2) exporting to an existing repo returns Permission denied error, and doesn't export anything
Version-Release number of selected component (if applicable):
rpm -qa | grep pulp-server
pulp-server-2.5.0-0.18.rc.fc20.noarch
How reproducible:
always
Steps to Reproduce:
pulp-admin rpm repo list
--------------------------------------------------------------------
RPM Repositories
--------------------------------------------------------------------
Id: gena
Display Name: gena
Description: None
Content Unit Counts:
Rpm: 2
ls -l | grep tmp
drwxrwxrwt. 8 apache apache 4096 Nov 13 13:27 tmp
ls -l /tmp
total 4
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87
pulp-admin rpm repo export run --repo-id gena --export-dir /tmp/blabla
--------------------------------------------------------------------
Publishing Repository [gena]
--------------------------------------------------------------------
The following publish configuration options will be used:
Export Dir: /tmp/blabla
This command may be exited via ctrl+c without affecting the request.
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
2 of 2 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[-]
... completed
Publishing Comps file
[-]
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Copying files
[-]
... failed
[(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor/repodata',
u'/tmp/blabla/gena/repodata', "[Errno 13] Permission denied:
'/tmp/blabla/gena/repodata'"),
(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor',
u'/tmp/blabla/gena', "[Errno 13] Permission denied: '/tmp/blabla/gena'")]
Task Failed
[(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor/repodata',
u'/tmp/blabla/gena/repodata', "[Errno 13] Permission denied:
'/tmp/blabla/gena/repodata'"),
(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor',
u'/tmp/blabla/gena', "[Errno 13] Permission denied: '/tmp/blabla/gena'")]
ls -l /tmp
total 8
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 blabla
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87
ls -l /tmp/blabla/
total 4
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 gena
And now we export it to the existing directory:
mkdir /tmp/gena_export
chown apache:apache /tmp/gena_export/
ls -l /tmp
total 12
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 blabla
drwxr-xr-x. 2 apache apache 4096 Nov 13 13:30 gena_export
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87
pulp-admin rpm repo export run --repo-id gena --export-dir /tmp/gena_export
--------------------------------------------------------------------
Publishing Repository [gena]
--------------------------------------------------------------------
The following publish configuration options will be used:
Export Dir: /tmp/gena_export
This command may be exited via ctrl+c without affecting the request.
Initializing repo metadata
[-]
... completed
Publishing Distribution files
[-]
... completed
Publishing RPMs
[==================================================] 100%
2 of 2 items
... completed
Publishing Delta RPMs
... skipped
Publishing Errata
[-]
... completed
Publishing Comps file
[-]
... completed
Publishing Metadata.
[-]
... completed
Closing repo metadata
[-]
... completed
Generating sqlite files
... skipped
Copying files
[-]
... failed
[Errno 13] Permission denied: '/tmp/gena_export/gena'
Task Failed
[Errno 13] Permission denied: '/tmp/gena_export/gena'
And ta-dam! It's empty!
ls -l /tmp/gena_export/
total 0
+ This bug was cloned from Bugzilla Bug #1163810 +
Updated by mhrivnak almost 10 years ago
Could this have been caused by selinux?
+ This comment was cloned from Bugzilla #1163810 comment 1 +
Updated by igulina@redhat.com almost 10 years ago
Right, it happens with Enforcing selinux, in Permissive mode everything is ok.
+ This comment was cloned from Bugzilla #1163810 comment 2 +
Updated by igulina@redhat.com almost 10 years ago
stacktrace
less /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1416375562.269:321086): avc: denied { setattr } for pid=15885 comm="celery" name="repodata" dev="xvda1" ino=626175 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1416375562.278:321087): avc: denied { setattr } for pid=15885 comm="celery" name="zoo" dev="xvda1" ino=626166 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=USER_AVC msg=audit(1416375686.738:321091): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1416375707.544:321117): avc: denied { setattr } for pid=20675 comm="celery" name="repodata" dev="xvda1" ino=626031 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
+ This comment was cloned from Bugzilla #1163810 comment 3 +
Updated by bmbouter almost 10 years ago
- Severity changed from Medium to 2. Medium
Updated by Ichimonji10 almost 9 years ago
This issue also affects me. I can create a directory like this:
file=$(mktemp --directory)
setfacl -m user:apache:rwx "$file"
setfacl -m default:apache:rwx "$file"
Or like this:
file=$(sudo --user apache mktemp --directory)
Or like this:
file=$(mktemp --directory)
chmod 777 "$file"
After creating the directory, I can use it in manual testing:
sudo -u apache touch "${file}/foo"
sudo -u apache mkdir "${file}/bar"
sudo -u apache touch "${file}/bar/biz"
sudo -u apache python -c 'import os; os.makedirs("/tmp/…/abc/123")'
However, when I attempt to publish a repository into this directory using an
"export" distributor, Pulp fails with a "permission denied" error. The error
names "/tmp/${file}/foo" as the culprit.
Updated by Ichimonji10 almost 9 years ago
We now have a test targeting this issue. See:
Updated by bmbouter almost 6 years ago
- Status changed from NEW to CLOSED - WONTFIX
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.