Bug 1315686

Summary: pulp_streamer service fails to start with [Errno 13] Permission denied
Product: Red Hat Satellite
Component: Pulp
Version: 6.2.0
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: Lukas Pramuk <lpramuk>
Assignee: satellite6-bugs <satellite6-bugs>
QA Contact: Sachin Ghai <sghai>
CC: bbuckingham, bmbouter, cwelton, daviddavis, dkliban, ehelms, ggainey, ipanova, lpramuk, mhrivnak, pcreech, rchan, sghai, ttereshc
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-07-27 09:26:22 UTC

Description Lukas Pramuk 2016-03-08 12:19:42 UTC
Description of problem:
On RHEL6 pulp_streamer service fails to start with exceptions.IOError: [Errno 13] Permission denied: '/usr/share/zoneinfo/zone.tab' caused by SELinux denials. Plus service fails to start but reports RC=0


Version-Release number of selected component (if applicable):
python-pulp-streamer-2.8.0.0-0.5.beta.el6sat.noarch
@Satellite-6.2.0-RHEL-6-20160306.0

How reproducible:
100%

Steps to Reproduce:
1. # service pulp_streamer start
/etc/init.d/pulp_streamer: line 44: write_log_message: command not found
Starting pulp_streamer...
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 694, in run
    runApp(config)
  File "/usr/lib64/python2.6/site-packages/twisted/scripts/twistd.py", line 23, in runApp
    _SomeApplicationRunner(config).run()
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 411, in run
    self.application = self.createOrGetApplication()
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 494, in createOrGetApplication
    application = getApplication(self.config, passphrase)
--- <exception caught here> ---
  File "/usr/lib64/python2.6/site-packages/twisted/application/app.py", line 505, in getApplication
    application = service.loadApplication(filename, style, passphrase)
  File "/usr/lib64/python2.6/site-packages/twisted/application/service.py", line 390, in loadApplication
    application = sob.loadValueFromFile(filename, 'application', passphrase)
  File "/usr/lib64/python2.6/site-packages/twisted/persisted/sob.py", line 215, in loadValueFromFile
    exec fileObj in d, d
  File "/usr/share/pulp/wsgi/streamer.tac", line 13, in <module>
    from pulp.streamer import Streamer, load_configuration, DEFAULT_CONFIG_FILES
  File "/usr/lib/python2.6/site-packages/pulp/streamer/__init__.py", line 2, in <module>
    from pulp.streamer.server import Streamer, Responder, StreamerListener  # noqa
  File "/usr/lib/python2.6/site-packages/pulp/streamer/server.py", line 13, in <module>
    from pulp.plugins.loader import api as plugins_api
  File "/usr/lib/python2.6/site-packages/pulp/plugins/loader/api.py", line 7, in <module>
    from pulp.plugins.loader.manager import PluginManager
  File "/usr/lib/python2.6/site-packages/pulp/plugins/loader/manager.py", line 9, in <module>
    from pulp.server.db.model import ContentUnit
  File "/usr/lib/python2.6/site-packages/pulp/server/db/model/__init__.py", line 29, in <module>
    from pulp.server.webservices.views import serializers
  File "/usr/lib/python2.6/site-packages/pulp/server/webservices/views/serializers/__init__.py", line 4, in <module>
    from django.core.urlresolvers import reverse
  File "/usr/lib/python2.6/site-packages/django/core/urlresolvers.py", line 15, in <module>
    from django.http import Http404
  File "/usr/lib/python2.6/site-packages/django/http/__init__.py", line 4, in <module>
    from django.http.response import (HttpResponse, StreamingHttpResponse,
  File "/usr/lib/python2.6/site-packages/django/http/response.py", line 13, in <module>
    from django.utils import six, timezone
  File "/usr/lib/python2.6/site-packages/django/utils/timezone.py", line 13, in <module>
    import pytz
  File "/usr/lib/python2.6/site-packages/pytz/__init__.py", line 466, in <module>
    for l in open(os.path.join(_tzinfo_dir, "zone.tab"))
exceptions.IOError: [Errno 13] Permission denied: '/usr/share/zoneinfo/zone.tab'

Failed to load application: [Errno 13] Permission denied: '/usr/share/zoneinfo/zone.tab'

OK

2. # echo $?
0
3. # setenforce 0
4. # service pulp_streamer start
/etc/init.d/pulp_streamer: line 44: write_log_message: command not found
Starting pulp_streamer...
/usr/lib/python2.6/site-packages/pulp/server/db/connection.py:159: DeprecationWarning: add_son_manipulator is deprecated
  _DATABASE.add_son_manipulator(NamespaceInjector())
/usr/lib/python2.6/site-packages/pulp/server/db/model/base.py:96: DeprecationWarning: ensure_index is deprecated. Use create_index instead.
  unique=unique, background=True)
OK


Actual results:
fails to start, failure is not reflected in RC

Expected results:
starts successfully, with severe failures RC should be non-zero

Additional info:

SELinux denials behind this:
time->Mon Mar  7 03:18:31 2016
type=SYSCALL msg=audit(1457338711.593:250): arch=c000003e syscall=2 success=no exit=-13 a0=2141170 a1=0 a2=d a3=ffffffff items=0 ppid=29448 pid=29449 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python" subj=unconfined_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1457338711.593:250): avc:  denied  { search } for  pid=29449 comm="pulp_streamer" name="locale" dev=dm-0 ino=1179663 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir
----
time->Mon Mar  7 03:18:31 2016
type=SYSCALL msg=audit(1457338711.593:251): arch=c000003e syscall=2 success=no exit=-13 a0=2100f50 a1=0 a2=d a3=ffffffff items=0 ppid=29448 pid=29449 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python" subj=unconfined_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1457338711.593:251): avc:  denied  { search } for  pid=29449 comm="pulp_streamer" name="locale" dev=dm-0 ino=1179663 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir
----
time->Mon Mar  7 03:18:31 2016
type=SYSCALL msg=audit(1457338711.595:252): arch=c000003e syscall=2 success=no exit=-13 a0=7fd93d87bbea a1=0 a2=1b6 a3=2 items=0 ppid=29448 pid=29449 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python" subj=unconfined_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1457338711.595:252): avc:  denied  { read } for  pid=29449 comm="pulp_streamer" name="localtime" dev=dm-0 ino=1311888 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
----
time->Mon Mar  7 03:18:31 2016
type=SYSCALL msg=audit(1457338711.595:253): arch=c000003e syscall=2 success=no exit=-13 a0=7fd93d87bbea a1=0 a2=1b6 a3=2 items=0 ppid=29448 pid=29449 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python" subj=unconfined_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1457338711.595:253): avc:  denied  { read } for  pid=29449 comm="pulp_streamer" name="localtime" dev=dm-0 ino=1311888 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
----
time->Mon Mar  7 03:18:31 2016
type=SYSCALL msg=audit(1457338711.727:254): arch=c000003e syscall=4 success=no exit=-13 a0=259c390 a1=7fff85249fe0 a2=7fff85249fe0 a3=20 items=0 ppid=29448 pid=29449 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pulp_streamer" exe="/usr/bin/python" subj=unconfined_u:system_r:streamer_t:s0 key=(null)
type=AVC msg=audit(1457338711.727:254): avc:  denied  { search } for  pid=29449 comm="pulp_streamer" name="pulp" dev=dm-0 ino=935655 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:pulp_var_run_t:s0 tclass=dir

Comment 1 Lukas Pramuk 2016-03-08 12:33:13 UTC
More convenient report:

# sudo audit2allow -a


#============= streamer_t ==============
allow streamer_t locale_t:dir { read search open getattr };
allow streamer_t locale_t:file { read getattr open };
#!!!! The source type 'streamer_t' can write to a 'dir' of the following types:
# mnt_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow streamer_t pulp_var_run_t:dir { write remove_name search add_name };
#!!!! The source type 'streamer_t' can write to a 'file' of the following types:
# mnt_t, root_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t

allow streamer_t pulp_var_run_t:file { write create unlink open getattr };
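
Added example, not part of the original report or of Pulp's code: a small Python parser that reduces the AVC records quoted in the Description to one rule per (source type, target type, class), the grouping that audit2allow performs in Comment 1. The function names are this example's own; the AVC lines in the sample are copied from the report.

```python
import re
from collections import defaultdict

# AVC records copied from the Description above; the time-> and ---- lines
# stand in for the non-AVC lines that ausearch prints between them.
SAMPLE = """\
time->Mon Mar  7 03:18:31 2016
type=AVC msg=audit(1457338711.593:250): avc:  denied  { search } for  pid=29449 comm="pulp_streamer" name="locale" dev=dm-0 ino=1179663 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir
----
type=AVC msg=audit(1457338711.593:251): avc:  denied  { search } for  pid=29449 comm="pulp_streamer" name="locale" dev=dm-0 ino=1179663 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir
----
type=AVC msg=audit(1457338711.595:252): avc:  denied  { read } for  pid=29449 comm="pulp_streamer" name="localtime" dev=dm-0 ino=1311888 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
----
type=AVC msg=audit(1457338711.727:254): avc:  denied  { search } for  pid=29449 comm="pulp_streamer" name="pulp" dev=dm-0 ino=935655 scontext=unconfined_u:system_r:streamer_t:s0 tcontext=system_u:object_r:pulp_var_run_t:s0 tclass=dir
"""

# Capture the denied permission set, both contexts and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL records, timestamps, separators
        key = (selinux_type(m.group("src")), selinux_type(m.group("tgt")), m.group("cls"))
        rules[key].update(m.group("perms").split())  # set: repeats collapse
    return dict(rules)


def as_allow_rules(rules):
    """Render the grouped denials in audit2allow's 'allow' syntax for review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE))))
```

Records logged while enforcing show only the access that was refused first on each path, so the rules derived here are narrower than the audit2allow output in Comment 1, which lists more permissions than these records contain.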

Comment 2 pulp-infra@redhat.com 2016-03-09 16:06:18 UTC
The Pulp upstream bug status is at NEW. Updating the external tracker on this bug.

Comment 3 pulp-infra@redhat.com 2016-03-09 16:06:20 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 4 Brian Bouterse 2016-03-09 17:13:08 UTC
As rbarlow suggested, I highly suspect this is a duplicate of https://pulp.plan.io/issues/1711. Have you tried with our most recent beta (0.8 I think)? Please try it since the upstream bug will very likely be closed on Friday at triage as a duplicate.

Comment 5 Lukas Pramuk 2016-03-10 11:19:35 UTC
I agree that issue #1756 is a duplicate of #1711.

Comment 6 Lukas Pramuk 2016-03-10 12:21:13 UTC
Tested upstream pulp-selinux-2.8.0-0.8.beta.el6.noarch.rpm without any selinux denials.

Comment 7 pulp-infra@redhat.com 2016-03-10 18:24:45 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 8 pulp-infra@redhat.com 2016-03-10 18:24:47 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 9 Brad Buckingham 2016-03-22 14:51:42 UTC
Moving to POST, since fix is available upstream.

Comment 11 pulp-infra@redhat.com 2016-03-23 18:30:25 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 12 Sachin Ghai 2016-04-04 08:27:37 UTC
Verified sat6.2 beta snap6.

The reported issue is no longer reproducible on rhel6.

[root@cloud-qe]#  service pulp_streamer status
pulp_streamer (pid 15932) is running.
[root@cloud-qe]#  service pulp_streamer stop
Stopping pulp_streamer... OK
[root@cloud-qe]#  service pulp_streamer start
Starting pulp_streamer...
/usr/lib/python2.6/site-packages/pulp/server/db/connection.py:159: DeprecationWarning: add_son_manipulator is deprecated
  _DATABASE.add_son_manipulator(NamespaceInjector())
/usr/lib/python2.6/site-packages/pulp/server/db/model/base.py:96: DeprecationWarning: ensure_index is deprecated. Use create_index instead.
  unique=unique, background=True)
OK
[root@cloud-qe]# echo $?
0
[root@cloud-qe]# getenforce 
Enforcing
[root@cloud-qe]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.7 (Santiago)

I don't see SELinux avc denials related to this.

Comment 14 errata-xmlrpc 2016-07-27 09:26:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501