Bug 795602

Please confirm that the pulp selinux policy is loaded.
Example:
 sudo semodule -l | grep pulp
 pulp-server	0.x.x

Please confirm the pulp-selinux rpm is installed:
Example: 
  # rpm -qa | grep pulp-selinux
  pulp-selinux-server-1.0.0-2.el6.noarch

If the above are OK, try running:
restorecon -R /srv/pulp

Then look at the contexts, they should match below:
# ls -larthZ /srv/pulp/
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root   root   system_u:object_r:var_t:s0

The pulp SELinux policy is not loaded.

The RPM package is installed:
$ rpm -q pulp-selinux-server
pulp-selinux-server-0.0.265-1.el6.noarch

The context on the files in /srv/pulp/ is var_t.


I also installed using the 2012-02-22.1 code, and I get the same result.

Ah, there may be an issue installing the package.  I have setup a repo and I am installing katello-all in the %packages section of my kickstart.  I see these errors in /root/install.log:

Installing pulp-selinux-server-0.0.267-2.el6.noarch
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Cannot set persistent booleans without managed policy.
Could not change policy booleans
/var/tmp/rpm-tmp.6dFUtS: line 9: /usr/sbin/semanage: No such file or directory
/var/tmp/rpm-tmp.6dFUtS: line 10: /usr/sbin/semanage: No such file or directory
warning: %post(pulp-selinux-server-0.0.267-2.el6.noarch) scriptlet failed, exit status 127

Installing katello-selinux-0.1.7-1.el6.noarch
No such file or directory
Cannot set persistent booleans without managed policy.
Could not change policy booleans
warning: %post(katello-selinux-0.1.7-1.el6.noarch) scriptlet failed, exit status 255

Would you try installing:  "policycoreutils-python" retrying?

It looks like we are missing a requires on rpm for pulp-selinux-server.

I am not sure this is the only issue, I am troubled why you are not seeing a selinux module for pulp-server reported from semodule -l | grep pulp


Let's try:
1) install policycoreutils-python on the system prior to pulp
2) reinstall pulp RPMs including pulp-selinux-server
3) look for errors
4) past what: semodule -l | grep pulp says
5) please paste: getenforce
6) please paste: ls -larthZ /srv/pulp

I just tried a fresh install, but this time I did nothing in kickstart.  I installed katello-all and ran katello-configure after the machine was installed.  policycoreutils-python was already added in kickstart.
The pulp-server SELinux module installs just fine post installation.

So it looks like the issue is that the SELinux policy is not available to load modules, change booleans, etc. during kickstart.  I changed the title of this bug to better match the issue.

We may need to get Dan Walsh to provide guidance in installing modules, changing booleans and the like during kickstart (in RPM %post of pulp-selinux-server and katello-selinux).

The postinstall scriptlet of pulp-selinux-server runs:
/usr/share/pulp/selinux/server/enable.sh, which runs:
  /usr/sbin/semodule -s ${selinuxvariant} -i \
            ${INSTALL_DIR}/selinux/${selinuxvariant}/${NAME}.pp
  (where selinuxvariant="mls strict targeted", INSTALL_DIR=/usr/share and NAME=pulp-server)

  /usr/sbin/setsebool -P httpd_can_network_connect 1
  /usr/sbin/setsebool -P httpd_tmp_exec 1


The postinstall scriptlet of katello-selinux runs:
/usr/sbin/katello-selinux-enable, which runs the same for loop as above (using katello.pp instead of pulp-server.pp).  It also runs:
  /sbin/restorecon -rvvi /var/lib/katello /var/log/katello
  /usr/sbin/setsebool -P httpd_can_network_connect 1

Are you able to reproduce (in the kickstart) and attach full kickstart log? Because I guess it must be the missing policy problem. Clone of:

https://bugzilla.redhat.com/show_bug.cgi?id=800029

It is partially an issue of not having policycoreutils-python installed (at least for pulp-selinux-server), but there are other issues as well.  I am attaching the installation log.  Note that on line 821, pulp-selinux-server fails to run post scripts because semanage is not available.  Line 861 installs policycoreutils-python, and line 911 fails on installing katello-selinux.  The semanage command is available there, but it cannot manipulate the policy because it is running the kickstart SELinux policy, not the targeted policy (selinux-policy-targeted gets installed on line 1078).

Created attachment 568022 [details]
Installation log from kickstart showing errors installing packages

katello-selinux runs the /usr/sbin/katello-selinux-enable script:

#!/bin/bash

# Install SELinux policy modules
for selinuxvariant in mls strict targeted
do
  /usr/sbin/semodule -s ${selinuxvariant} -l > /dev/null 2>&1 \
    && /usr/sbin/semodule -s ${selinuxvariant} -i \
    /usr/share/selinux/${selinuxvariant}/katello.pp || :
done

# allow qpidd to use port 5674
/usr/sbin/semanage port -a -t amqp_port_t -p tcp 5674

/sbin/restorecon -rvvi /var/lib/katello /var/log/katello

# bz 790507 - httpd needs to work as proxy for Katello
/usr/sbin/setsebool -P httpd_can_network_connect 1


BTW, RHEL6 no longer includes the strict policy (it has been integrated with mls), and RHEL6 includes the new minimal policy.  We should change the for loop above accordingly.

You need to make sure selinux-policy-targeted is installed before your package if you are going to install a policy module or execute semanage type commands.

Requires(post): policycoreutils-python 
Requires(post): selinux-policy-targeted

Also you should do your boolean changing within a transaction to cut compile time.

/usr/sbin/setsebool -P httpd_can_network_connect=1 httpd_tmp_exec=1

or better yet.

semanage -S $selinuxvariant -i - << _EOF
module -a /usr/share/selinux/${selinuxvariant}/katello.pp 
boolean -m --on httpd_can_network_connect
boolean -m --on httpd_tmp_exec
port -a -t amqp_port_t -p tcp 5674
_EOF

Is 5674 a standard amqp port?

Puttting blocker request, we need to install from a kickstart.

Dan: It is a standard port, but SSL. AMQP is not confiured in SSL mode by default.

Dan: I am getting:

/usr/sbin/semanage: Port tcp/5674 already defined

Does this cancel the transaction? We need to add the port because it is missing in the 6.2 GOLD, but it is now defined with an errata or something.

I guess I need to put it out of the transaction and do semanage -l first and execute it only if it is not defined.

If you try -m does that work if the port does not exists?

Unfortunately no.

/usr/sbin/semanage: Port tcp/5674 is not defined

Taking this out of the transaction.

Pushed upstream:

http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=43df220f61f7edb1edd70e1ed74263f81e4a8e2f

need info on verification. a user scenario?

Scenario:

Install Katello/CFSE/SAM and check if katello and pulp selinux modules are loaded:

[root@el ~]# semodule -l | grep katello
katello	1.0.0	
[root@el ~]# semodule -l | grep pulp 
pulp-server	1.0.0.2	

No AVC denials should be also in the audit.log

# VERIFIED - katello

semodule -l | grep katello
katello	1.0.0	
[root@smqe-sat04 ~]# semodule -l | grep pulp 
pulp-server	1.0.0.6	

cat /var/log/audit/audit.log | grep AVC
(empty)

# VERIFIED - cfse

same here for current Beta5

# VERIFIED - sam

same (ok) is here - and of course pulp is not installed at all :)