Bug 1211305
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | sync of imported repositories fails with permission denied | | |
| Product: | Red Hat Satellite | Reporter: | Tomas Lestach <tlestach> |
| Component: | Docs Transition Guide | Assignee: | David O'Brien <daobrien> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brian Bouterse <bmbouter> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | Nightly | CC: | bbuckingham, lpramuk, mhrivnak, mmccune, rdickens |
| Target Milestone: | Unspecified | Keywords: | Regression, Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-09-03 00:10:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Tomas Lestach
2015-04-13 14:48:58 UTC
I was asked to run the part with 'semodule -DB'. So, permissive mode logs into /var/log/audit/audit.log:

```
type=AVC msg=audit(1433767462.332:1210): avc: denied { open } for pid=11242 comm="celery" path="/tmp/exports/CHANNELS/1/109/repodata/repomd.xml" dev="dm-1" ino=204070166 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1433767462.332:1210): arch=c000003e syscall=2 success=yes exit=17 a0=3c1ac10 a1=0 a2=1b6 a3=2 items=0 ppid=11005 pid=11242 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
```

Not sure if this is relevant, but when I delete the relevant local repository and product, I'm getting:

```
type=AVC msg=audit(1433768953.225:1234): avc: denied { read } for pid=21646 comm="id" name="mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1433768953.225:1234): avc: denied { open } for pid=21646 comm="id" path="/sys/fs/selinux/mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1433768953.225:1234): arch=c000003e syscall=2 success=yes exit=4 a0=7fff4af61400 a1=0 a2=7fff4af61413 a3=7fff4af61160 items=0 ppid=21643 pid=21646 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="id" exe="/usr/bin/id" subj=system_u:system_r:passenger_t:s0 key=(null)
```

TL;DR: whatever put the files in /tmp/exports/* needs to label them with the tmp_t security context. You can use chcon to do it one time, or use `semanage fcontext` and then `restorecon` to set the files on a permanent basis. Perform the relabel and try the Sat6 operation again.
From the audit.log output in comment 4, the file Pulp is being denied on (/tmp/exports/CHANNELS/1/109/repodata/repomd.xml) carries the SELinux context user_tmp_t. Pulp is allowed to read from files with the context tmp_t [0] but is not allowed to read from user_tmp_t. user_tmp_t is the default type that is used for files created by a user_t process, in a directory with a tmp_t type. Whatever is creating this file is running in a process labeled with user_t.

The relevant upstream Pulp policy [0]: https://github.com/pulp/pulp/blob/2.6-release/server/selinux/server/pulp-celery.te#L40

Brian, you somehow need to say it to the customers. The thing is - when I follow the official documentation, I end up with 'Permission denied.' As this is a regression against Sat6.0, you:

* either need to allow syncing repositories labeled with user_tmp_t
* or to ensure the online documentation gets properly updated with the proper chcon command

Moving to a docs bug to detail that we need to indicate the user has to set the selinux context properly so Pulp can sync the content.

Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.

I think the docs should say something like:

```
==========================
If SELinux is enabled, ensure the tmp_t SELinux file context is applied to the /tmp/exports/ directory. If necessary, apply the label manually:

    sudo chcon -R system_u:object_r:tmp_t:s0 /tmp/exports/
==========================
```

I verified that command will set the expected label, but someone should retry the operation that failed to ensure that it does resolve the issue. That is a step in addition to the documentation add/verify.

I confirm that setting recursively the selinux context of /tmp/exports/ according to Comment#11 allows pulp to sync from this directory.
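The triage in the comments above has two parts: read the AVC record to see which domain was denied on which file and under what label, then relabel the import directory so Pulp's celery_t domain is allowed to read it. The script below is an added example, not code from the bug report, from Pulp or from Satellite. It extracts fields from audit records of the form quoted in this bug, flags denials where celery_t was refused a file under /tmp/exports carrying any type other than tmp_t, and prints the two relabel options named in the thread (one-time chcon, persistent `semanage fcontext` plus `restorecon`). The function names are the author's own, and the sample records are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report, Pulp or Satellite): triage AVC
# denials for Pulp's celery_t domain on content under /tmp/exports and
# print the relabel step. Constructed sample records, modelled on the bug.

AVC_PULP_LINE='type=AVC msg=audit(1433767462.332:1210): avc: denied { open } for pid=11242 comm="celery" path="/tmp/exports/CHANNELS/1/109/repodata/repomd.xml" dev="dm-1" ino=204070166 scontext=system_u:system_r:celery_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'
# Trimmed SYSCALL record: not an AVC record, so it must be skipped.
SYSCALL_LINE='type=SYSCALL msg=audit(1433767462.332:1210): arch=c000003e syscall=2 success=yes exit=17 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0'
# Denial from a different domain (passenger_t): unrelated to the Pulp sync.
AVC_PASSENGER_LINE='type=AVC msg=audit(1433768953.225:1234): avc: denied { open } for pid=21646 comm="id" path="/sys/fs/selinux/mls" dev="selinuxfs" ino=12 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file'
SAMPLE_AUDIT=$(printf '%s\n%s\n%s\n' "$AVC_PULP_LINE" "$SYSCALL_LINE" "$AVC_PASSENGER_LINE")

# avc_field LINE NAME: print the value of NAME=... from one audit record
# (surrounding quotes stripped; prints nothing if the field is absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type component of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# flag_mislabelled_exports AUDIT_TEXT: print "<path> <type>" for every AVC
# denial in which celery_t (the Pulp workers) was refused a file under
# /tmp/exports whose type is anything but tmp_t, the one Pulp's policy allows.
flag_mislabelled_exports() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            *type=AVC*denied*) ;;
            *) continue ;;
        esac
        stype=$(context_type "$(avc_field "$line" scontext)")
        ttype=$(context_type "$(avc_field "$line" tcontext)")
        path=$(avc_field "$line" path)
        if [ "$stype" = celery_t ] && [ "$ttype" != tmp_t ]; then
            case $path in
                /tmp/exports/*) printf '%s %s\n' "$path" "$ttype" ;;
            esac
        fi
    done
}

# relabel_commands once|persistent: the two fixes from the thread, printed
# rather than executed so the script is harmless off the Satellite host.
relabel_commands() {
    case $1 in
        once)
            printf '%s\n' "chcon -R system_u:object_r:tmp_t:s0 /tmp/exports/" ;;
        persistent)
            printf '%s\n' "semanage fcontext -a -t tmp_t '/tmp/exports(/.*)?'" \
                          "restorecon -Rv /tmp/exports" ;;
        *)
            return 1 ;;
    esac
}

flag_mislabelled_exports "$SAMPLE_AUDIT"   # prints the user_tmp_t repomd.xml
relabel_commands once
relabel_commands persistent
```

Run on the Satellite host as `sh triage.sh` after `grep AVC /var/log/audit/audit.log` has been saved, or feed that output in place of `SAMPLE_AUDIT`. One caveat worth knowing before choosing the persistent form: the fcontext rule only governs what `restorecon` applies; files the export tool writes into /tmp/exports later still receive the type the policy transitions to for the creating process (user_tmp_t in this bug), so `restorecon -R /tmp/exports` has to be rerun after each new export, which is why the thread's one-time chcon is the simpler fix for a single import.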