Bug 1306404
| Summary: | Enforcing SELinux doesn't allow to upload rpms to a custom repository | ||
|---|---|---|---|
| Product: | Red Hat Update Infrastructure for Cloud Providers | Reporter: | Irina Gulina <igulina> |
| Component: | Tools | Assignee: | RHUI Bug List <rhui-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Irina Gulina <igulina> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.0.0 | CC: | pcreech |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-01 22:11:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1198817 | ||
Description
Irina Gulina
2016-02-10 18:02:20 UTC
Still Valid on RHUI3 iso 20160531

>> getenforce
Enforcing

>> rhui (repo) => u
Select the repositories to upload the package into:
- 1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1
Select the repositories to upload the package into:
x 1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp
The following RPMs will be uploaded:
rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm
rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm
rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm to server...
An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

2016-06-16 19:50:11,541 - Successfully connected to [rhua.example.com]
2016-06-16 19:53:47,779 - <class 'pulp.bindings.exceptions.PulpServerException'>
2016-06-16 19:53:47,779 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.7/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.7/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.7/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.7/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 98, in POST
    log_request_body=log_request_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 161, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 199, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads'

>> grep 'AVC' /var/log/audit/audit.log
type=AVC msg=audit(1466121227.767:31355): avc: denied { write } for pid=5666 comm="httpd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

>> setenforce 0
[root@rhua ~]# getenforce
Permissive

>> rhui (repo) => u
Select the repositories to upload the package into:
- 1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1
Select the repositories to upload the package into:
x 1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp
The following RPMs will be uploaded:
rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm
rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm
rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm has been queued, task will run at the next available time slot.
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm has been queued, task will run at the next available time slot.
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm has been queued, task will run at the next available time slot.

>> service httpd status -l
Redirecting to /bin/systemctl status -l httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2016-06-16 19:48:31 EDT; 15min ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 5574 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 5595 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─5595 /usr/sbin/httpd -DFOREGROUND
├─5616 (wsgi:pulp) -DFOREGROUND
├─5617 PassengerWatchdog
├─5620 PassengerHelperAgent
├─5628 PassengerLoggingAgent
├─5635 /usr/sbin/httpd -DFOREGROUND
├─5636 /usr/sbin/httpd -DFOREGROUND
├─5637 /usr/sbin/httpd -DFOREGROUND
├─5638 /usr/sbin/httpd -DFOREGROUND
├─5639 /usr/sbin/httpd -DFOREGROUND
├─5640 /usr/sbin/httpd -DFOREGROUND
├─5641 /usr/sbin/httpd -DFOREGROUND
└─5642 /usr/sbin/httpd -DFOREGROUND
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) file_path = ContentUploadManager._upload_file_path(upload_id)
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) File "/usr/lib/python2.7/site-packages/pulp/server/managers/content/upload.py", line 240, in _upload_file_path
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) upload_storage_dir = ContentUploadManager._upload_storage_dir()
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) File "/usr/lib/python2.7/site-packages/pulp/server/managers/content/upload.py", line 259, in _upload_storage_dir
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) os.makedirs(upload_storage_dir)
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) File "/usr/lib64/python2.7/os.py", line 157, in makedirs
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) mkdir(name, mode)
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) OSError: [Errno 13] Permission denied: '/var/lib/pulp/uploads'
Jun 16 19:57:55 rhua.example.com httpd[5616]: ) : No worthy mechs found
Jun 16 19:57:55 rhua.example.com pulp[5616]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
>> pulp-admin rpm repo uploads rpm --repo-id repo_1 --file=/tmp/rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
+----------------------------------------------------------------------+
Unit Upload
+----------------------------------------------------------------------+
Extracting necessary metadata for each request...
[==================================================] 100%
Analyzing: rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
... completed
Creating upload requests on the server...
[==================================================] 100%
Initializing: rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
An internal error occurred on the Pulp server:
RequestException: POST request
on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied:
'/var/lib/pulp/uploads/d9414dd3-f11a-4866-a116-590147806663'
[root@rhua ~]# getenforce
Enforcing
RHEL6 iso 20160719:

>> getenforce
Enforcing

>> rhui (repo) => u
Select the repositories to upload the package into:
- 1 : protected_repo
- 2 : unprotected_repo
- 3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 3
Select the repositories to upload the package into:
- 1 : protected_repo
- 2 : unprotected_repo
x 3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp
The following RPMs will be uploaded:
rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm to server...
An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

2016-07-20 13:05:43,467 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.6/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.6/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.6/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.6/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 166, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 204, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads/4c723950-a574-4ecd-a58e-62ad621a40f7'

But on RHEL7 iso 20160719 everything works fine:
u
Select the repositories to upload the package into:
- 1 : protected_repo
- 2 : unprotected_repo
- 3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 3
Select the repositories to upload the package into:
- 1 : protected_repo
- 2 : unprotected_repo
x 3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp
The following RPMs will be uploaded:
rh-amazon-rhui-client-rhs30-2.2.130-1.el7.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el7.noarch.rpm has been queued, task will run at the next available time slot.
------------------------------------------------------------------------------
rhui (repo) => l
Custom Repositories
protected_repo
selinux_repo
unprotected_repo
------------------------------------------------------------------------------
rhui (repo) => i
Select one or more repositories:
Custom Repositories
- 1 : protected_repo
- 2 : selinux_repo
- 3 : unprotected_repo
Red Hat Repositories
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 3
Select one or more repositories:
Custom Repositories
- 1 : protected_repo
- 2 : selinux_repo
x 3 : unprotected_repo
Red Hat Repositories
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Name: unprotected_repo
Type: Custom
Relative Path: unprotected_repo
GPG Check: No
Package Count: 1
------------------------------------------------------------------------------
rhui (repo) => exit
[root@rhua ~]# pulp-admin rpm repo list
+----------------------------------------------------------------------+
RPM Repositories
+----------------------------------------------------------------------+
Id: unprotected_repo
Display Name: unprotected_repo
Description: unprotected_repo
Content Unit Counts:
Rpm: 1
Id: protected_repo
Display Name: protected_repo
Description: protected_repo
Content Unit Counts:
Rpm: 1
Id: selinux_repo
Display Name: selinux_repo
Description: selinux_repo
Content Unit Counts:
Rpm: 1
>> getenforce
Enforcing
Based on the output of semodule -l, it appears the rh-rhua selinux policy is not getting loaded on RHEL-6 environments.

RHEL-6:            RHEL-7:
remotelogin 1.7.0 │remotelogin 1.8.0
rhcs 1.1.0        │rh-rhua 0.1.12.1
rhev 1.0          │rhcs 1.2.1

This is due to a requires issue for 'type_unreserved_port_t', which didn't get created for selinux till after RHEL-6 was released.

Failed ON_QA on RHEL6 iso 20160727:

>> rh-rhua is loaded:
semodule -l | grep rh
rh-rhua 0.1.13.1
rhcs 1.1.0
rhev 1.0
rhgb 1.9.0
rhnsd 1.0.0
rhsmcertd 1.0.0
userhelper 1.5.0

upload to unprotected or/and protected custom repo:

>> u
Select the repositories to upload the package into:
- 1 : unprotected_repo1
- 2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1
Select the repositories to upload the package into:
x 1 : unprotected_repo1
- 2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp
The following RPMs will be uploaded:
rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm to server...
An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.6/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.6/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.6/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.6/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 166, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 204, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads'

>> less /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1469703017.282:951): avc: denied { sys_resource } for pid=7811 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469703017.295:952): avc: denied { write } for pid=7814 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3919 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1469703017.382:953): avc: denied { sys_resource } for pid=7837 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469703047.319:958): avc: denied { fowner } for pid=7923 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469704039.668:1011): avc: denied { write } for pid=7913 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1469704150.037:1012): avc: denied { write } for pid=7916 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1469704180.849:1013): avc: denied { write } for pid=7913 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

It seems this BZ is Gluster specific.

Upload works fine on RHEL6 and RHEL7 ISOs 20160823, checked for NFS and Gluster.

e.g. on RHEL6.8, Gluster:

>> u
Select the repositories to upload the package into:
- 1 : unprotected_repo1
- 2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-2
Select the repositories to upload the package into:
x 1 : unprotected_repo1
x 2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp
The following RPMs will be uploaded:
rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm has been queued, task will run at the next available time slot.
------------------------------------------------------------------------------
rhui (repo) => i
Select one or more repositories:
Custom Repositories
- 1 : protected_repo1
- 2 : unprotected_repo1
Red Hat Repositories
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-2
Select one or more repositories:
Custom Repositories
x 1 : protected_repo1
x 2 : unprotected_repo1
Red Hat Repositories
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Name: protected_repo1
Type: Custom
Relative Path: protected_repo1
GPG Check: No
Package Count: 1
Name: unprotected_repo1
Type: Custom
Relative Path: unprotected_repo1
GPG Check: No
Package Count: 1
------------------------------------------------------------------------------
rhui (repo) => exit
[root@rhua ~]# pulp-admin -u admin -p admin rpm repo list
+----------------------------------------------------------------------+
RPM Repositories
+----------------------------------------------------------------------+
Id: test
Display Name: None
Description: None
Content Unit Counts:
Rpm: 1
Id: unprotected_repo1
Display Name: unprotected_repo1
Description: unprotected_repo1
Content Unit Counts:
Rpm: 1
Id: protected_repo1
Display Name: protected_repo1
Description: protected_repo1
Content Unit Counts:
Rpm: 1
>> getenforce
Enforcing

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367
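
Added example (not part of the bug report, and not RHUI or Pulp code): a small Python triage script that parses AVC records like the ones quoted in this report and groups the denials by source type, target type, class and permission, so the httpd_t write denials on the fusefs_t mount stand apart from the Passenger capability denials. The function names are hypothetical; the sample records are copied from the audit.log excerpt above.

```python
import re
from collections import Counter

# AVC records copied from the audit.log excerpt quoted in this report (RHEL6 iso 20160727).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1469703017.282:951): avc: denied { sys_resource } for pid=7811 comm="PassengerWatchd" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469703017.295:952): avc: denied { write } for pid=7814 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3919 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1469703047.319:958): avc: denied { fowner } for pid=7923 comm="chmod" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469704039.668:1011): avc: denied { write } for pid=7913 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1469704180.849:1013): avc: denied { write } for pid=7913 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
"""

# \s+ tolerates both the single-spaced form pasted here and auditd's double spacing.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="httpd", path="[eventfd]").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other line."""
    m = AVC_RE.search(line.strip())
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None  # truncated record: refuse to guess the contexts
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    rec["source_type"] = selinux_type(rec["scontext"])
    rec["target_type"] = selinux_type(rec["tcontext"])
    return rec


def parse_log(text):
    """Parse every AVC denial in a block of audit.log text, skipping other lines."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def summarize(records):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["source_type"], r["target_type"], r["tclass"], perm)] += 1
    return counts


def fuse_denials(records):
    """Denials whose target is a FUSE mount (fusefs_t), the Gluster case in this report."""
    return [r for r in records if r["target_type"] == "fusefs_t"]


if __name__ == "__main__":
    records = parse_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize(records).most_common():
        print(n, *key)
    for r in fuse_denials(records):
        print("fuse:", r["serial"], r["comm"], r["perms"], r.get("name"))
```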