
Bug 789945

Summary: syncing repo with feed=file://</path/to/the/repo/> fails
Product: Red Hat Satellite
Component: Content Management
Version: 6.0.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Garik Khachikyan <gkhachik>
Assignee: Todd Sanders <tsanders>
QA Contact: Katello QA List <katello-qa-list>
CC: bkearney, jlaska, jmatthew, mkoci, mmccune, snansi
Keywords: Regression, Reopened, Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Attempting to sync a repository referenced by "file://" URLs may fail due to local file permissions or SELinux policy. Additional steps may be required to allow syncing content from repositories referenced by "file://".
Clone Of:
: 799181
Last Closed: 2012-09-07 20:56:29 UTC
Bug Blocks: 799181

Description Garik Khachikyan 2012-02-13 10:40:27 UTC
Description of problem:
On a recent version of pulp:
pulp-0.0.265-1.el6.noarch
pulp-admin-0.0.265-1.el6.noarch

Running pulp-admin repo sync --id <ID> fails to sync (status returns: "Exception: Cannot read from directory /tmp/tito/katello/noarch").
The owner of that directory is root:root and there is file read access for all.

Version-Release number of selected component (if applicable):


How reproducible:
from 1st attempt

Steps to Reproduce:
1. createrepo some repodata under: /tmp/tito/katello/noarch
2. pulp-admin repo create --id test1 --feed file:///tmp/tito/katello/noarch
3. pulp-admin repo sync --id test1
  
Actual results:
see the pulp-status - error
--- from log: /var/log/pulp/pulp.log
2012-02-13 11:38:06,907 12415:140126720091904: pulp.server.tasking.task:ERROR: task:474 Task failed: Task d0bb456b-562e-11e1-b9e8-5254004ffc5f: _sync(test1, synchronizer=<pulp.server.api.synchronizers.YumSynchronizer object at 0x7f71c4219250>, skip={}, max_speed=None, threads=None, progress_callback=<bound method RepoSyncTask.progress_callback of <pulp.server.api.repo_sync_task.RepoSyncTask object at 0x7f71c4219210>>)
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pulp/server/tasking/task.py", line 420, in run
    result = self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/repo_sync.py", line 272, in _sync
    progress_callback, synchronizer, max_speed, threads)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/repo_sync.py", line 355, in fetch_content
    progress_callback, max_speed, threads)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 163, in sync
    max_speed=max_speed, threads=threads)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 1208, in local
    self.init_progress_details(src_repo_dir, skip_dict)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 880, in init_progress_details
    rpm_list = self.list_rpms(src_repo_dir)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/synchronizers.py", line 849, in list_rpms
    pkglist = pulp.server.util.listdir(src_repo_dir)
  File "/usr/lib/python2.6/site-packages/pulp/server/util.py", line 380, in listdir
    raise Exception("Cannot read from directory %s" % directory)
Exception: Cannot read from directory /tmp/tito/katello/noarch
---

Expected results:
no error, repo should get synced from local repodata

Additional info:

m2crypto-0.21.1.pulp-7.el6.x86_64
python-oauth2-1.5.170-2.pulp.el6.noarch
katello-glue-pulp-0.1.235-1.git.0.737ec3f.el6.noarch
pulp-selinux-server-0.0.265-1.el6.noarch
pulp-0.0.265-1.el6.noarch
pulp-client-lib-0.0.265-1.el6.noarch
mod_wsgi-3.3-3.pulp.el6.x86_64
pulp-common-0.0.265-1.el6.noarch
pulp-admin-0.0.265-1.el6.noarch

Comment 1 Garik Khachikyan 2012-02-13 10:42:34 UTC
hah!!!

There is an SELinux issue there:

Putting on `setenforce 0` does "fix" that issue,

but for sure we would need either some docs for users or to allow the process to go smoothly.

Comment 3 John Matthews 2012-02-22 19:48:57 UTC
When SELinux is enabled a user will need to ensure that local content they want to sync is labeled with 'httpd_sys_content_t'. 

This can be done with the command:
 chcon -R -t httpd_sys_content_t /path/to/local/content

Additionally the 'apache' user needs read access to the content.

Additional info:
For the specific path noted in the description, the AVCs are not shown because of dontaudit rules.  
I enabled display of the AVCs with:
 $ sudo semodule -DB

Once the dontaudits are disabled we see the below AVC denial.
type=AVC msg=audit(1329939479.431:43457): avc:  denied  { search } for  pid=2534 comm="sh" name="tito" dev=sda3 ino=26624026 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir

To allow the sync to work I ran the below:
 chcon -R -t httpd_sys_content_t /tmp/tito
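
Added example (not part of the comment above and not Pulp code): a small triage helper that parses audit records such as the AVC denial quoted in Comment 3 and lists objects that httpd_t was denied on because they do not carry httpd_sys_content_t. The function names are hypothetical, and the second and third sample lines are constructed for contrast.

```python
import re

# Type that Comment 3 says local content must carry for the sync to work.
EXPECTED_TYPE = "httpd_sys_content_t"

# AVC denial copied from Comment 3, followed by two constructed lines
# (a non-AVC record and a denial for an unrelated domain) for contrast.
SAMPLE_LOG = """\
type=AVC msg=audit(1329939479.431:43457): avc:  denied  { search } for  pid=2534 comm="sh" name="tito" dev=sda3 ino=26624026 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1329939479.431:43457): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1329939480.100:43458): avc:  denied  { read } for  pid=900 comm="example" name="data" dev=sda3 ino=1 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """SELinux contexts are user:role:type[:level]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {key: value.strip('"') for key, value in PAIR_RE.findall(match.group("rest"))}
    return {
        "perms": match.group("perms").split(),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
    }


def httpd_label_denials(log_text, domain="httpd_t"):
    """List (name, current type, denied perms) candidates for relabelling."""
    hits = []
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial and denial["source_type"] == domain and denial["target_type"] != EXPECTED_TYPE:
            hits.append((denial["name"], denial["target_type"], denial["perms"]))
    return hits


if __name__ == "__main__":
    for name, current, perms in httpd_label_denials(SAMPLE_LOG):
        print(f"{name}: httpd_t denied {perms}; labelled {current}, expected {EXPECTED_TYPE}")
```

A label set with chcon does not survive a filesystem relabel; recording the rule with semanage fcontext and applying it with restorecon -R makes it persistent.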

Comment 4 Jeff Weiss 2012-02-29 20:09:05 UTC
Any particular reason this should need to be in V1?

Comment 5 Jeff Weiss 2012-02-29 20:12:21 UTC
qa ack- to find out what the need is for v1, and if none, push to 1.x.

Comment 6 RHEL Program Management 2012-02-29 20:25:10 UTC
Quality Engineering Management has reviewed and declined this request.  You may
appeal this decision by reopening this request.

Comment 10 James Laska 2012-03-06 16:33:39 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Attempting to sync a repository referenced by "file://" URLs may fail due to local file permissions or SELinux policy.  Additional steps may be required to allow syncing content from repositories referenced by "file://".

Comment 11 Jeff Weiss 2012-03-06 18:07:09 UTC
qa ack+ is for release note only

Comment 14 Mike McCune 2012-09-07 20:56:29 UTC
I don't know why this got re-opened. The rel-note got added for 1.0. CLOSED:CR