Bug 1384003

Summary: puppet4: CV publish fails with [Errno 13] Permission denied: '/etc/puppetlabs/code/environments/KT_Default_Organization_Library_.../'
Product: Red Hat Satellite
Reporter: Lukas Pramuk <lpramuk>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Lukas Pramuk <lpramuk>
Severity: high
Priority: high
Version: 6.3.0
CC: bbuckingham, dlobatog, jcallaha
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-04-12 08:22:12 UTC
Type: Bug

Description Lukas Pramuk 2016-10-12 10:43:51 UTC
Description of problem:
When publishing CV on puppet4 Satellite it fails with
PLP0034: The distributor Default_Organization-Library-RHEL_7_2_Server_x86_64 indicated a failed response when publishing repository Default_Organization-Library-RHEL_7_2_Server_x86_64

In task detail we have Actions::Pulp::Repository::DistributorPublish failed to create destination directory: [Errno 13] Permission denied: '/etc/puppetlabs/code/environments/KT_Default_Organization_Library_RHEL_7_2_Server_x86_64_2/' 

It is caused by SELinux. Puppet4 has environments in a different location and we have to adjust the SELinux policy to cope with it.

Version-Release number of selected component (if applicable):
6.3.0 snap3 (with manually pre-installed puppet4)

How reproducible:
always

Steps to Reproduce:
1. Have satellite running on puppet4
2. Create CV with repos and Publish it.

Actual results:
SELinux policy prevents the publish task from succeeding

Expected results:
Publish task successfully finishes

Additional info:
Workaround is to set SELinux perms manually

# semanage fcontext -a -t puppet_etc_t '/etc/puppetlabs(/.*)?'
# restorecon -rv /etc/puppetlabs

Comment 2 Lukas Pramuk 2016-10-18 10:13:52 UTC
Satellite doesn't use puppet-selinux and relies on RHEL policy.
And the required SELinux policy change was added for RHEL7.3:

# bkrsh semanage fcontext -l | grep puppet_etc_t
/etc/puppet(/.*)?                                  all files          system_u:object_r:puppet_etc_t:s0 
/etc/puppetlabs(/.*)?                              all files          system_u:object_r:puppet_etc_t:s0        <<< this was added

>>> /etc/puppetlabs/ has set puppet_etc_t type
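
Added example (not part of the original bug report or of Satellite's code): a shell check that reads `semanage fcontext -l` style output and reports whether a path is covered by a rule of a given type, which shows why the old `/etc/puppet(/.*)?` rule does not label the puppet4 environment directory. The function and sample names are hypothetical, the two listings are constructed from the output quoted in Comment 2, and `grep -E` is assumed to be a close enough stand-in for the policy's own regex matching for these simple patterns.

```shell
#!/bin/sh
# Constructed sample: policy with the /etc/puppetlabs rule (as in Comment 2).
sample_fixed() {
cat <<'EOF'
/etc/puppet(/.*)?                                  all files          system_u:object_r:puppet_etc_t:s0
/etc/puppetlabs(/.*)?                              all files          system_u:object_r:puppet_etc_t:s0
EOF
}

# Constructed sample: policy that lacks the /etc/puppetlabs rule.
sample_unfixed() {
cat <<'EOF'
/etc/puppet(/.*)?                                  all files          system_u:object_r:puppet_etc_t:s0
EOF
}

# covered_by_type TYPE PATH   (fcontext listing on stdin)
# Returns 0 if a rule whose context has TYPE matches PATH, else 1.
covered_by_type() {
    want_type=$1
    path=$2
    found=1
    while read -r pattern rest; do
        [ -n "$pattern" ] || continue
        context=${rest##* }              # last whitespace-separated field
        case $context in
            *:"$want_type":*) ;;         # rule assigns the type we want
            *) continue ;;
        esac
        # File-context specs are regexes matched against the whole path.
        if printf '%s\n' "$path" | grep -Eq "^${pattern}\$"; then
            found=0
        fi
    done
    return $found
}

# Demo on the directory from the error message in the description.
p='/etc/puppetlabs/code/environments/KT_Default_Organization_Library_RHEL_7_2_Server_x86_64_2/'
for s in sample_fixed sample_unfixed; do
    if $s | covered_by_type puppet_etc_t "$p"; then
        echo "$s: covered by puppet_etc_t"
    else
        echo "$s: NOT covered by puppet_etc_t"
    fi
done
```

On a live host, pipe `semanage fcontext -l` into `covered_by_type` instead of the samples; `matchpathcon` on the same path shows the label the installed policy would assign.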

Comment 3 Lukas Pramuk 2016-10-18 10:37:15 UTC
RHEL7.3 policy was fixed by BZ #1369938

Comment 4 Lukas Pramuk 2016-10-18 11:10:16 UTC
RHEL6.8 policy will be fixed by BZ #1386181 (cloned)

Or it could be RHEL6.9 policy - it depends on Satellite6.3 GA

Comment 5 Daniel Lobato Garcia 2017-04-12 08:22:12 UTC
Tentatively closing as RHEL provides this policy in all Satellite supported versions. Please reopen and set a needinfo on me or lzap if it needs anything else done on our side.