Issue #1764: SELinux denial on Celery attempting to read resolv.conf

Issue #1764

On Fedora Rawhide, I see this traceback in the logs when starting pulp_resource_manager: 

 <pre> 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128) Unrecoverable error: OSError(2, 'No such file or directory') 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128) Traceback (most recent call last): 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)     File "/usr/lib/python2.7/site-packages/celery/worker/__init__.py", line 206, in start 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)       self.blueprint.start(self) 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)     File "/usr/lib/python2.7/site-packages/celery/bootsteps.py", line 119, in start 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)       self.on_start() 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)     File "/usr/lib/python2.7/site-packages/celery/apps/worker.py", line 158, in on_start 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)       sender=self.hostname, instance=self, conf=self.app.conf, 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)     File "/usr/lib/python2.7/site-packages/celery/utils/dispatch/signal.py", line 166, in send 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)       response = receiver(signal=self, sender=sender, **named) 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)     File "/usr/lib/python2.7/site-packages/pulp/server/async/app.py", line 56, in initialize_worker 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)       common_utils.create_worker_working_directory(sender) 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)     File "/usr/lib/python2.7/site-packages/pulp/server/managers/repo/_common.py", line 107, in create_worker_working_directory 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128)       os.mkdir(working_dir_root) 
 Mar 09 16:43:28 boole.usersys.redhat.com pulp[4876]: celery.worker:ERROR: (4876-44128) OSError: [Errno 2] No such file or directory: '/var/cache/pulp/resource_manager@/root' 
 </pre> 

 Note that the hostname is missing after the @ symbol in the error message. It seems that we are missing an SELinux permission and are being denied read access on the resolv.conf file: 

 <pre> 
 type=AVC msg=audit(1457559807.664:2336): avc:    denied    { read } for    pid=4876 comm="celery" name="resolv.conf" dev="dm-0" ino=261406 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0 
 </pre> 

 audit2allow recommends this policy change: 

 <pre> 
 $ sudo audit2allow -al 


 #============= celery_t ============== 
 allow celery_t net_conf_t:lnk_file read; 
 </pre>
Back
Project

Profile

Help

Pulp

Issue #1764
