Bug 1374260
Summary: The yum configuration provided by the client configuration RPM doesn't work, the client always gets HTTP 404 on the mirrorlist

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Update Infrastructure for Cloud Providers | Reporter | Radek Bíba <rbiba> |
| Component | CDS | Assignee | Patrick Creech <pcreech> |
| Status | CLOSED ERRATA | QA Contact | Vratislav Hutsky <vhutsky> |
| Severity | high | Priority | high |
| Version | 3.0.0 | CC | pcreech |
| Hardware | Unspecified | OS | Unspecified |
| Last Closed | 2017-03-01 22:12:56 UTC | Type | Bug |
| Bug Blocks | 1176577 | | |

Description
Radek Bíba
2016-09-08 11:08:50 UTC
After some more digging, I see it's SELinux that causes the permission issues. With SELinux in permissive mode, Yum does work as expected:

```
# yum repolist
Loaded plugins: search-disabled-repos
rhui-rhel-ha-for-rhel-7-server-rhui-rpms | 2.0 kB 00:00:00
(1/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/updateinfo | 42 kB 00:00:00
(2/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/group | 11 kB 00:00:00
(3/3): rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64/primary | 51 kB 00:00:00
rhui-rhel-ha-for-rhel-7-server-rhui-rpms 224/224
repo id repo name status
rhui-rhel-ha-for-rhel-7-server-rhui-rpms/7Server/x86_64 Red Hat Enterprise Linux High Availability (for RHEL 7 S 224
```

The 'grep httpd /var/log/audit/audit.log | audit2allow -M cds' command has produced the cds.te file with the following content:

```
module cds 1.0;

require {
	type httpd_t;
	type var_t;
	class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t var_t:file { read getattr open };
```

I can see some detailed information when I search for httpd in the auditd log:

```
type=SYSCALL msg=audit(09/08/2016 07:50:38.031:3556) : arch=x86_64 syscall=lstat success=no exit=-13(Permission denied) a0=0x7eff6f5b7688 a1=0x7fff0b9865d0 a2=0x7fff0b9865d0 a3=0x0 items=0 ppid=20142 pid=20291 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/08/2016 07:50:38.031:3556) : avc: denied { getattr } for pid=20291 comm=httpd path=/srv/pulp/mirrorlist.wsgi dev="xvda2" ino=9291215 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
```

So, AIUI, what needs to be done for this bug is:

1 - Ensure that the correct path is put into /etc/httpd/conf.d/25-cds.example.com.conf for WSGIScriptAlias /pulp/mirror.
2 - Tweak SELinux rules accordingly.

Fix confirmed in RHUI-3.0-RHEL-6-20160921.n.0.
Thanks Patrick!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367
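
The AVC record quoted in the comments above can be triaged mechanically before any policy module is written. The following is an added example, not part of the original bug report or of RHUI: it groups denials by source type, target type and class, and lists paths whose target type is generic, which usually indicates a file that never received a service-specific label. The `GENERIC_TYPES` set is an assumption of this example; only the `getattr` record comes from the report, and the `read` and `open` records are constructed to match the permissions in the quoted `cds.te`.

```python
import re
from collections import defaultdict

# Assumption of this example: target types that suggest a missing file label.
GENERIC_TYPES = {"var_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # handles raw (quoted) and ausearch -i output

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            "path": fields.get("path") or fields.get("name", "?"),
            "source": fields["scontext"].split(":")[2],  # user:role:type:level
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(lines):
    """Group denials by (source type, target type, class); collect perms and paths."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["paths"].add(rec["path"])
    return dict(groups)

def likely_mislabeled(groups):
    """Paths with a generic target type: check their labels before adding allow rules."""
    return sorted(p for (_, tgt, _), g in groups.items()
                  if tgt in GENERIC_TYPES for p in g["paths"])

_AVC = ('type=AVC msg=audit(09/08/2016 07:50:38.031:3556) : avc: denied { %s } for pid=20291 '
        'comm=httpd path=/srv/pulp/mirrorlist.wsgi dev="xvda2" ino=9291215 '
        'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file')
SAMPLE = ["type=SYSCALL msg=audit(09/08/2016 07:50:38.031:3556) : arch=x86_64 syscall=lstat",
          _AVC % "getattr",                # record quoted in the report
          _AVC % "read", _AVC % "open"]    # constructed for this example

if __name__ == "__main__":
    for key, g in summarize(SAMPLE).items():
        print(key, sorted(g["perms"]), sorted(g["paths"]))
    print("check labels on:", likely_mislabeled(summarize(SAMPLE)))
```
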