Issue #663
Status: closed — pulp-celery optional puppet SELinux policy doesn't have enough permissions for symlinks
Description
Description of problem:
https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-celery.te#L105
The rule on the line above grants only the permission to create symlinks. It probably also needs to grant 'read getattr unlink'.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
+ This bug was cloned from Bugzilla Bug #1182760 +
Updated by dkliban@redhat.com almost 10 years ago
The steps to reproduce this are the following:
1. Download the example puppet module that contains a symlink
2. Create directory to publish to
sudo mkdir -p /etc/puppet/myforges/fakeforge
sudo chown -R apache:apache /etc/puppet/myforges
3. Create repo
pulp-admin puppet repo create --repo-id=fakeforge
4. Upload the example module
pulp-admin puppet repo uploads upload --file examplecorp-mymodule-0.1.0.tar.gz --repo-id fakeforge
5. Run the following script:
from pulp.common import pic

# Reproducer step 5: register a puppet install distributor on the 'fakeforge'
# repository, then request a publish through that distributor.
install_dir = '/etc/puppet/myforges/fakeforge'
distributor_spec = {
    'distributor_type_id': 'puppet_install_distributor',
    'distributor_id': 'puppet_tmp_install_distributor',
    'auto_publish': False,
    'distributor_config': {'install_path': install_dir},
}
publish_request = {'id': "puppet_tmp_install_distributor"}

# First request: create the distributor that installs into install_dir.
pic.connect()
pic.POST('/v2/repositories/fakeforge/distributors/', distributor_spec)

# Second request: publish the repository with the distributor created above.
# NOTE(review): this path carries a '/pulp/api' prefix that the first call
# omits - confirm which form pic.POST expects.
pic.connect()
pic.POST('/pulp/api/v2/repositories/fakeforge/actions/publish/', publish_request)
6. Run the above script again.
The second time you run this script, it fails because it can't remove a symlink due to an SELinux permission problem.
+ This comment was cloned from Bugzilla #1182760 comment 1 +
Updated by dkliban@redhat.com almost 10 years ago
https://github.com/pulp/pulp/pull/1647
+ This comment was cloned from Bugzilla #1182760 comment 2 +
Updated by dkliban@redhat.com almost 10 years ago
I have also updated documentation for configuring pulp_puppet
https://github.com/pulp/pulp_puppet/pull/163/
+ This comment was cloned from Bugzilla #1182760 comment 3 +
Updated by dkliban@redhat.com almost 10 years ago
Updated the PR to be against 2.6-dev
https://github.com/pulp/pulp/pull/1648
https://github.com/pulp/pulp_puppet/pull/164/
+ This comment was cloned from Bugzilla #1182760 comment 4 +
Updated by dkliban@redhat.com almost 10 years ago
- Status changed from POST to MODIFIED
Added by cduryee almost 10 years ago
Updated by bmbouter almost 10 years ago
- Severity changed from Medium to 2. Medium
Updated by pthomas@redhat.com over 9 years ago
verified
[root@cloud-qe-12 ~]# rpm -qa pulp-server
pulp-server-2.6.1-0.2.beta.el6.noarch
[root@cloud-qe-12 ~]#
>>>
>>> from pulp.common import pic
>>> pic.connect()
>>> pic.POST('/v2/repositories/fakeforge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_tmp_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/myforges/fakeforge'}}
... )
Request Body
{
"distributor_id": "puppet_tmp_install_distributor",
"distributor_type_id": "puppet_install_distributor",
"distributor_config": {
"install_path": "/etc/puppet/myforges/fakeforge"
},
"auto_publish": false
}
Response Body
{
"repo_id": "fakeforge",
"_href": "/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/",
"_ns": "repo_distributors",
"last_publish": null,
"auto_publish": false,
"scheduled_publishes": [],
"distributor_type_id": "puppet_install_distributor",
"scratchpad": null,
"_id": {
"$oid": "551c277353173a4cb6b0de05"
},
"config": {
"install_path": "/etc/puppet/myforges/fakeforge"
},
"id": "puppet_tmp_install_distributor"
}
(201, {u'repo_id': u'fakeforge', u'_href': u'/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/', u'_ns': u'repo_distributors', u'last_publish': None, u'auto_publish': False, u'scheduled_publishes': [], u'distributor_type_id': u'puppet_install_distributor', u'scratchpad': None, u'_id': {u'$oid': u'551c277353173a4cb6b0de05'}, u'config': {u'install_path': u'/etc/puppet/myforges/fakeforge'}, u'id': u'puppet_tmp_install_distributor'})
>>>
>>>
>>>
>>> pic.connect()
>>> pic.POST('/v2/repositories/fakeforge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_tmp_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/myforges/fakeforge'}})
Request Body
{
"distributor_id": "puppet_tmp_install_distributor",
"distributor_type_id": "puppet_install_distributor",
"distributor_config": {
"install_path": "/etc/puppet/myforges/fakeforge"
},
"auto_publish": false
}
Response Body
{
"repo_id": "fakeforge",
"_href": "/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/",
"_ns": "repo_distributors",
"last_publish": null,
"auto_publish": false,
"scheduled_publishes": [],
"distributor_type_id": "puppet_install_distributor",
"scratchpad": null,
"_id": {
"$oid": "551c278d53173a4cb8f778d3"
},
"config": {
"install_path": "/etc/puppet/myforges/fakeforge"
},
"id": "puppet_tmp_install_distributor"
}
(201, {u'repo_id': u'fakeforge', u'_href': u'/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/', u'_ns': u'repo_distributors', u'last_publish': None, u'auto_publish': False, u'scheduled_publishes': [], u'distributor_type_id': u'puppet_install_distributor', u'scratchpad': None, u'_id': {u'$oid': u'551c278d53173a4cb8f778d3'}, u'config': {u'install_path': u'/etc/puppet/myforges/fakeforge'}, u'id': u'puppet_tmp_install_distributor'})
>>>
<\pre>
Updated by dkliban@redhat.com over 9 years ago
- Status changed from 6 to CLOSED - CURRENTRELEASE
Merge pull request #663 from beav/remove-27ism
Remove a py2.7-ism