Issue #663: pulp-celery optional puppet SELinux policy doesn't have enough permissions for symlinks - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Issue #663

closed

pulp-celery optional puppet SELinux policy doesn't have enough permissions for symlinks

Added by dkliban@redhat.com about 9 years ago. Updated about 5 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

High

Assignee:

dkliban@redhat.com

Category:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Master

Platform Release:

2.6.1

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2

Sprint:

Quarter:

Description

Description of problem:

https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-celery.te#L105

On the above line, only the ability to create symlinks is provided. It's probably necessary to add 'read getattr unlink'

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

+ This bug was cloned from Bugzilla Bug #1182760 +

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by dkliban@redhat.com about 9 years ago

The steps to reproduce this are the following:

1. Download the example puppet module that contains a symlink

wget https://repos.fedorapeople.org/repos/pulp/pulp/demo_repos/puppet_symlink/examplecorp-mymodule-0.1.0.tar.gz

2. Create directory to publish to

sudo mkdir -p /etc/puppet/myforges/fakeforge
sudo chown -R apache:apache /etc/puppet/myforges

3. Create repo
pulp-admin puppet repo create --repo-id=fakeforge

4. Upload the example module

pulp-admin puppet repo uploads upload --file examplecorp-mymodule-0.1.0.tar.gz --repo-id fakeforge

5. Run the following script:

from pulp.common import pic

pic.connect()
pic.POST('/v2/repositories/fakeforge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_tmp_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/myforges/fakeforge'}})

pic.connect()
pic.POST('/pulp/api/v2/repositories/fakeforge/actions/publish/', {'id': "puppet_tmp_install_distributor"})

6. Run the above script again.

The second time you run this script it fails cause it can't remove a symlink due to an SELinux permission problem.

+ This comment was cloned from Bugzilla #1182760 comment 1 +

Actions

Copy link

Updated by dkliban@redhat.com about 9 years ago

https://github.com/pulp/pulp/pull/1647

+ This comment was cloned from Bugzilla #1182760 comment 2 +

Actions

Copy link

Updated by dkliban@redhat.com about 9 years ago

I have also updated documentation for configuring pulp_puppet

https://github.com/pulp/pulp_puppet/pull/163/

+ This comment was cloned from Bugzilla #1182760 comment 3 +

Actions

Copy link

Updated by dkliban@redhat.com about 9 years ago

Updated the PR to be against 2.6-dev

https://github.com/pulp/pulp/pull/1648
https://github.com/pulp/pulp_puppet/pull/164/

+ This comment was cloned from Bugzilla #1182760 comment 4 +

Actions

Copy link

Updated by dkliban@redhat.com about 9 years ago

Status changed from POST to MODIFIED

Added by cduryee about 9 years ago

Revision e897130c | View on GitHub

Merge pull request #663 from beav/remove-27ism

Remove a py2.7-ism

Actions

Copy link

Updated by bmbouter about 9 years ago

Severity changed from Medium to 2. Medium

Actions

Copy link

Updated by bcourt about 9 years ago

Status changed from MODIFIED to 5

Actions

Copy link

Updated by pthomas@redhat.com about 9 years ago

verified
[root@cloud-qe-12 ~]# rpm -qa pulp-server
pulp-server-2.6.1-0.2.beta.el6.noarch
[root@cloud-qe-12 ~]#

>>> 
>>> from pulp.common import pic
>>> pic.connect()
>>> pic.POST('/v2/repositories/fakeforge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_tmp_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/myforges/fakeforge'}}
... )
Request Body
{
  "distributor_id": "puppet_tmp_install_distributor", 
  "distributor_type_id": "puppet_install_distributor", 
  "distributor_config": {
    "install_path": "/etc/puppet/myforges/fakeforge"
  }, 
  "auto_publish": false
}
Response Body
{
  "repo_id": "fakeforge", 
  "_href": "/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/", 
  "_ns": "repo_distributors", 
  "last_publish": null, 
  "auto_publish": false, 
  "scheduled_publishes": [], 
  "distributor_type_id": "puppet_install_distributor", 
  "scratchpad": null, 
  "_id": {
    "$oid": "551c277353173a4cb6b0de05"
  }, 
  "config": {
    "install_path": "/etc/puppet/myforges/fakeforge"
  }, 
  "id": "puppet_tmp_install_distributor"
}
(201, {u'repo_id': u'fakeforge', u'_href': u'/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/', u'_ns': u'repo_distributors', u'last_publish': None, u'auto_publish': False, u'scheduled_publishes': [], u'distributor_type_id': u'puppet_install_distributor', u'scratchpad': None, u'_id': {u'$oid': u'551c277353173a4cb6b0de05'}, u'config': {u'install_path': u'/etc/puppet/myforges/fakeforge'}, u'id': u'puppet_tmp_install_distributor'})
>>> 
>>> 
>>> 
>>> pic.connect()
>>> pic.POST('/v2/repositories/fakeforge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_tmp_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/myforges/fakeforge'}})
Request Body
{
  "distributor_id": "puppet_tmp_install_distributor", 
  "distributor_type_id": "puppet_install_distributor", 
  "distributor_config": {
    "install_path": "/etc/puppet/myforges/fakeforge"
  }, 
  "auto_publish": false
}
Response Body
{
  "repo_id": "fakeforge", 
  "_href": "/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/", 
  "_ns": "repo_distributors", 
  "last_publish": null, 
  "auto_publish": false, 
  "scheduled_publishes": [], 
  "distributor_type_id": "puppet_install_distributor", 
  "scratchpad": null, 
  "_id": {
    "$oid": "551c278d53173a4cb8f778d3"
  }, 
  "config": {
    "install_path": "/etc/puppet/myforges/fakeforge"
  }, 
  "id": "puppet_tmp_install_distributor"
}
(201, {u'repo_id': u'fakeforge', u'_href': u'/pulp/api/v2/repositories/fakeforge/distributors/puppet_tmp_install_distributor/', u'_ns': u'repo_distributors', u'last_publish': None, u'auto_publish': False, u'scheduled_publishes': [], u'distributor_type_id': u'puppet_install_distributor', u'scratchpad': None, u'_id': {u'$oid': u'551c278d53173a4cb8f778d3'}, u'config': {u'install_path': u'/etc/puppet/myforges/fakeforge'}, u'id': u'puppet_tmp_install_distributor'})
>>> 
<\pre>

Actions

Copy link

#10