Bug 736788
Summary: | SELinux enabled causes sync through a proxy to fail | | |
---|---|---|---|
Product: | [Retired] Pulp | Reporter: | John Matthews <jmatthew> |
Component: | user-experience | Assignee: | John Matthews <jmatthew> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Preethi Thomas <pthomas> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 1.0.0 | CC: | skarmark |
Target Milestone: | --- | Keywords: | Triaged |
Target Release: | Sprint 30 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-02-24 20:13:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
John Matthews
2011-09-08 17:34:55 UTC
I confirmed this is showing up in Fedora 15

```
# rpm -qa | grep pulp
pulp-common-0.0.244-1.fc15.noarch
pulp-client-lib-0.0.244-1.fc15.noarch
pulp-admin-0.0.244-1.fc15.noarch
pulp-0.0.244-1.fc15.noarch
```

Behavior is to

- enable SELinux
- Install Pulp
- Setup up to use a proxy
- Sync a repo

```
# sudo pulp-admin repo sync --id pulp_f15_x86_64 -F
Sync for repository pulp_f15_x86_64 started
Sync: Error
Item Details:
error:
Exception: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/grinder/activeobject.py", line 424, in process
    retval = method(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/grinder/YumInfo.py", line 94, in getDownloadItems
    self.__getRepoData()
  File "/usr/lib/python2.7/site-packages/grinder/YumInfo.py", line 167, in __getRepoData
    for ftype in self.__getRepoXmlFileTypes():
  File "/usr/lib/python2.7/site-packages/grinder/YumInfo.py", line 154, in __getRepoXmlFileTypes
    return self.repo.repoXML.fileTypes()
  File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 1454, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),
  File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 1450, in _getRepoXML
    raise Errors.RepoError, msg
RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: . Please verify its path and try again
```

Now disable SELinux

```
[root@localhost ~]# sudo setenforce 0
[root@localhost ~]# sudo pulp-admin repo sync --id pulp_f15_x86_64 -F
Sync for repository pulp_f15_x86_64 started
Sync: Finished
18/18 new items downloaded
0/18 existing items processed
Item Details:
RPMs: 18/18
```

```
# sealert -l 4b5b4e30-83da-4e6e-be68-3141610b9407
SELinux is preventing /usr/bin/python from name_connect access on the tcp_socket port 3128.

***** Plugin catchall_boolean (47.5 confidence) suggests *******************

If you want to allow httpd to act as a relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.
Do
setsebool -P httpd_can_network_relay 1

***** Plugin catchall_boolean (47.5 confidence) suggests *******************

If you want to allow HTTPD scripts and modules to connect to the network using any TCP port.
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
Do
setsebool -P httpd_can_network_connect 1

***** Plugin catchall (6.38 confidence) suggests ***************************

If you believe that python should be allowed name_connect access on the port 3128 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
```

Setting "setsebool -P httpd_can_network_connect" fixed the problem.

```
# setsebool -P httpd_can_network_connect 1
[root@localhost ~]# ./sync_repo.sh
Sync for repository pulp_f15_x86_64 started
Sync: Finished
18/18 new items downloaded
0/18 existing items processed
Item Details:
RPMs: 18/18
```

Using pulp RPMs built from master on 12/9/2011
0.0.254-1.git.5.39971e9.fc15.noarch

Changed /etc/pulp/pulp.conf

```
[yum]
proxy_url: http://IP_ADDRESS
proxy_port: 3128
```

Below is squid.log output from syncing a Pulp Fedora repo. Access is going through Proxy as expected.
```
1323479608.565 313 10.210.67.63 TCP_MISS/200 3413 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/repomd.xml - DIRECT/85.236.55.7 text/xml
1323479608.859 289 10.210.67.63 TCP_MISS/200 11583 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/36074a6a66a90aa2f12826349b4aa3bde23657acb2b0f99938bf1ccf26f508b5-primary.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479609.168 305 10.210.67.63 TCP_MISS/200 12348 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/2659f11af5e6edc72c62a322fea83cbd99bf5cf8f8d131910b98e75d988a1e7e-filelists.xml.gz - DIRECT/85.236.55.7 application/x-gzip
1323479609.475 303 10.210.67.63 TCP_MISS/200 6875 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/24e3f2af0c255ba0119fab68738e2a8cae830abe3e8f2d97e382b32b621c3cf5-primary.xml.gz - DIRECT/85.236.55.7 application/x-gzip
1323479609.879 400 10.210.67.63 TCP_MISS/200 14125 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/015970537365ddc5debba717fef623f666a0ce5a94eeb8a23506124f54cc1026-other.xml.gz - DIRECT/85.236.55.7 application/x-gzip
1323479610.281 399 10.210.67.63 TCP_MISS/200 15979 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/3ecaf3545b3cdb03eaf23b9d2367d59c191634559dd027f8d4a4c5fb765a71d9-filelists.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479610.478 192 10.210.67.63 TCP_REFRESH_UNMODIFIED/200 11689 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/36074a6a66a90aa2f12826349b4aa3bde23657acb2b0f99938bf1ccf26f508b5-primary.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479610.886 390 10.210.67.63 TCP_MISS/200 17713 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/b131e9ad7be035840939c6a6f0efb474fa071bc03000a98be4076fdb3180e916-other.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479611.432 196 10.210.67.63 TCP_MISS/404 687 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//.treeinfo - DIRECT/85.236.55.7 text/html
1323479611.632 193 10.210.67.63 TCP_MISS/404 687 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//.treeinfo - DIRECT/85.236.55.7 text/html
1323479611.834 195 10.210.67.63 TCP_MISS/404 687 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//.treeinfo - DIRECT/85.236.55.7 text/html
1323479612.046 197 10.210.67.63 TCP_MISS/404 686 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//treeinfo - DIRECT/85.236.55.7 text/html
1323479612.253 192 10.210.67.63 TCP_MISS/404 686 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//treeinfo - DIRECT/85.236.55.7 text/html
1323479612.454 194 10.210.67.63 TCP_MISS/404 686 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//treeinfo - DIRECT/85.236.55.7 text/html
1323479613.866 500 10.210.67.63 TCP_MISS/200 31700 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/gofer-package-0.63-1.fc15.noarch.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479613.901 614 10.210.67.63 TCP_MISS/200 67401 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/mod_wsgi-3.2-6.pulp.fc15.x86_64.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479614.046 400 10.210.67.63 TCP_MISS/200 25292 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/python-oauth2-1.5.170-2.pulp.fc15.noarch.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479614.079 792 10.210.67.63 TCP_MISS/200 154165 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/mod_wsgi-debuginfo-3.2-6.pulp.fc15.x86_64.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479614.378 706 10.210.67.63 TCP_MISS/200 116838 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/pulp-selinux-server-0.0.254-4.fc15.noarch.rpm - DIRECT/85.236.55.7 application/x-rpm
```

build: 0.255
verified

```
[root@preethi ~]# rpm -q pulp
pulp-0.0.255-1.fc15.noarch
[root@preethi ~]# pulp-admin repo sync --id=centos1 -F
Sync for repository centos1 started
Sync: Finished
0/4768 new items downloaded
4768/4768 existing items processed
Item Details:
Tree Files: 4/4
RPMs: 4764/4764
[root@preethi ~]# getenforce
Enforcing
[root@preethi ~]# cat /etc/pulp/pulp.conf |grep proxy
# Uncomment the below section with appropriate values for proxy configuration
proxy_url: http://auto-services.usersys.redhat.com
proxy_port: 3128
proxy_user: redhat
proxy_pass: redhat
[root@preethi ~]#
```

Pulp v1.0 is released

Closed Current Release.
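
Added example, not part of the bug report or of Pulp's code: the sealert message in this report is derived from AVC records in /var/log/audit/audit.log, and this Python parser pulls the denied outbound TCP connects out of such records so the confined domain and destination port are visible before choosing between a boolean and a local policy module. The log lines are constructed for illustration, and the `squid_port_t` label on port 3128 in them is an assumption.

```python
import re
from collections import Counter

# Constructed audit.log lines (not from the bug report), modelled on the denial
# sealert describes: python under httpd_t connecting to tcp port 3128.
# The squid_port_t port label is an assumption.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1315503295.101:411): avc:  denied  { name_connect } for  pid=2314 comm="python" dest=3128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1315503296.207:412): avc:  denied  { name_connect } for  pid=2314 comm="python" dest=3128 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:squid_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1315503299.550:415): avc:  denied  { read } for  pid=2400 comm="httpd" name="app.log" dev=dm-0 ino=9113 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1315503295.101:411): arch=c000003e syscall=42 success=no exit=-13 comm="python" exe="/usr/bin/python"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def outbound_connect_denials(log_text):
    """Count denied outbound TCP connects per (domain, comm, port, port type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get("tclass") != "tcp_socket":
            continue
        if "name_connect" not in rec["perms"]:
            continue
        domain = rec["scontext"].split(":")[2]   # user:role:type:level -> type
        port_type = rec["tcontext"].split(":")[2]
        counts[(domain, rec["comm"], int(rec["dest"]), port_type)] += 1
    return counts


if __name__ == "__main__":
    for (domain, comm, port, ptype), n in outbound_connect_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n} denied: {comm} in {domain} -> tcp/{port} ({ptype})")
```

A single (domain, port) pair in the result, as here, shows how narrow the actual need is compared with `httpd_can_network_connect`, which sealert describes as allowing connections "using any TCP port".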