Bug 796167
| Field | Value |
|---|---|
| Summary | AVC denial issues with var/lib/rpm and rpm |
| Product | Red Hat Update Infrastructure for Cloud Providers |
| Component | RHUA |
| Version | 2.0.2 |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Kedar Bidarkar <kbidarka> |
| Assignee | John Matthews <jmatthew> |
| QA Contact | wes hayutin <whayutin> |
| CC | jslagle, kbidarka, sghai, tsanders |
| Doc Type | Bug Fix |
| Last Closed | 2012-03-12 19:38:50 UTC |
I've done some preliminary investigation on this. The timestamps from the AVCs in audit.log are from 4:35 AM EST:
type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
/home/jslagle/Downloads/788574/logs $ date -ud @1329903332 +"%c %z"
Wed 22 Feb 2012 09:35:32 AM UTC +0000
And, looking in pulp.log at this same time, we can see this corresponds to the repo metadata generation for a custom repo:
2012-02-22 04:35:10,418 2393:140418937235200: pulp.repo_auth.repo_cert_utils:INFO: repo_cert_utils:589 Storing repo cert file [/etc/pki/pulp/content/custom_2/consumer-custom_2.ca]
2012-02-22 04:35:10,419 2393:140418937235200: pulp.repo_auth.repo_cert_utils:INFO: repo_cert_utils:589 Storing repo cert file [/etc/pki/pulp/content/custom_2/consumer-custom_2.cert]
2012-02-22 04:35:10,443 2393:140418937235200: pulp.server.util:INFO: util:499 started repo metadata update: ['createrepo', '--database', '--checksum', 'sha256', '--update', '/var/lib/pulp//repos/custom_2']
2012-02-22 04:35:10,966 2393:140418937235200: pulp.server.util:INFO: util:550 createrepo on /var/lib/pulp//repos/custom_2 finished
2012-02-22 04:35:10,966 2393:140418937235200: pulp.server.util:INFO: util:552 Nothing further to check; we got our fresh metadata
I was able to reproduce this AVC easily. It seems to occur every time repo metadata is generated for a custom repository. However, I'm not seeing any errors that result from the AVC.
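The correlation done by hand above, as an added example (not code from this bug or from Pulp): a small Python parser that pulls the fields out of the AVC records, converts the audit epoch stamp into the RHUA's local time (EST, as the comment states; the fixed UTC-5 offset is an assumption about the host's zone), and lists the pulp.log entries logged within 60 s before each denial, so an httpd_t process reaching into rpm_var_lib_t can be tied to the createrepo run that triggered it. The sample input is constructed from the lines quoted in this bug plus one earlier, unrelated pulp.log entry.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the AVC records and pulp.log entries quoted in this bug.
AUDIT_LOG = """\
type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.244:13230): avc: denied { getattr } for pid=3333 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
"""
PULP_LOG = """\
2012-02-22 04:20:01,000 2393:140418937235200: pulp.server.util:INFO: util:499 earlier, unrelated entry (constructed)
2012-02-22 04:35:10,443 2393:140418937235200: pulp.server.util:INFO: util:499 started repo metadata update: ['createrepo', '--database', '--checksum', 'sha256', '--update', '/var/lib/pulp//repos/custom_2']
2012-02-22 04:35:10,966 2393:140418937235200: pulp.server.util:INFO: util:550 createrepo on /var/lib/pulp//repos/custom_2 finished
"""
# pulp.log is stamped in the RHUA's local time (assumed EST, UTC-5); audit.log uses epoch seconds.
EST = timezone(timedelta(hours=-5))
AVC_RE = re.compile(
    r'msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*)\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:level)."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one audit.log AVC record into a dict; return None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"epoch": float(m.group("epoch")), "serial": int(m.group("serial")),
           "perms": m.group("perms").split(), "pid": int(m.group("pid")),
           "comm": m.group("comm")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')   # name/path, dev, ino, scontext, tcontext, tclass
    return rec

def is_httpd_rpmdb_denial(rec):
    """True when a process in httpd_t was denied access to an rpm_var_lib_t object."""
    return (context_type(rec["scontext"]) == "httpd_t"
            and context_type(rec["tcontext"]) == "rpm_var_lib_t")

def correlate(audit_text, pulp_text, tz=EST, window=timedelta(seconds=60)):
    """For each AVC, return (record, local time, pulp.log lines logged within `window` before it)."""
    pulp = [(datetime.strptime(l[:23], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=tz), l)
            for l in pulp_text.splitlines() if l.strip()]
    results = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        t = datetime.fromtimestamp(rec["epoch"], tz)   # epoch -> aware local time
        hits = [l for (pt, l) in pulp if t - window <= pt <= t]
        results.append((rec, t, hits))
    return results
```

Calling `correlate(AUDIT_LOG, PULP_LOG)` and filtering with `is_httpd_rpmdb_denial` yields both denials, each paired with the two createrepo lines and not with the earlier entry.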
Cherry-picked the below commit to the RHUI branch:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=78ac0f839e83064d837d7512f9f6ec76b7facd90

Package included in the new ISO:
http://download.lab.bos.redhat.com/devel/candidates/RHEL-6.2-RHUI-2.0.2-20120222.0/2.0.2/Server/x86_64/iso/RHEL-6.2-RHUI-2.0.2-20120222.0-Server-x86_64-DVD1.iso

No issues related to /var/lib/rpm or rpm with the new build during custom repo creation.
------------------------------------------------------------------------------
rhui (repo) => c
Unique ID for the custom repository (alphanumerics, _, and - only):
custom5
Display name for the custom repository [custom5]:
misc
Path at which the repository will be served [custom5]:
/custom_5/x86_64/misc
Algorithm to use when calculating the checksum values for repository metadata:
1 - sha256
2 - sha1
Enter value (1-2) or 'b' to abort: 1
Should the repository require an entitlement certificate to access? (y/n)
y
Based on the repository's relative path, the suggested entitlement path is:
/custom_5/$basearch/misc
Path that should be used when granting an entitlement for this repository. This
may use yum variable substitutions (e.g. $basearch) to group this together with
other repositories that share the entitlement [/custom_5/$basearch/misc]:
The following repository will be created:
ID: custom5
Name: misc
Path: /custom_5/x86_64/misc
Entitlement: /custom_5/$basearch/misc
Proceed? (y/n) y
Successfully created repository misc
------------------------------------------------------------------------------
rhui (repo) => u
Select the repositories to upload the package into:
- 1 : misc
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1
Select the repositories to upload the package into:
x 1 : misc
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp/
The following RPMs will be uploaded:
ec2-api-tools-1.3.53907-3.fc14.noarch.rpm
exfat-utils-0.9.5-1.fc14.x86_64.rpm
fuse-exfat-0.9.5-1.fc14.x86_64.rpm
adobe-release-x86_64-1.0-1.noarch.rpm
Proceed? (y/n) y
Uploading /tmp/ec2-api-tools-1.3.53907-3.fc14.noarch.rpm...
Uploading /tmp/exfat-utils-0.9.5-1.fc14.x86_64.rpm...
Uploading /tmp/fuse-exfat-0.9.5-1.fc14.x86_64.rpm...
Uploading /tmp/adobe-release-x86_64-1.0-1.noarch.rpm...
------------------------------------------------------------------------------
rhui (repo) => home
-= CDS Synchronization Status =-
Last Refreshed: 04:32:18
(updated every 5 seconds, ctrl+c to exit)
CDS1_50_75 .................................................. [ UP ]
CDS2_27_41 .................................................. [ UP ]
Next Sync Last Sync Last Result
------------------------------------------------------------------------------
CDS1_50_75
02-24-2012 10:09 02-24-2012 04:22 Success
CDS2_27_41
02-24-2012 07:44 02-24-2012 04:22 Success
Connected: ip-10-98-9-150.ec2.internal
------------------------------------------------------------------------------
^Crhui (sync) => sc
Select one or more CDS instances to schedule to be synchronized before its scheduled time.
The sync will happen as soon as possible depending on other tasks that may be executing
in the RHUI. Only CDS instances that are not currently synchronizing are displayed.
Last Result Next Sync CDS
------------------------------------------
- 1 : Success 02-24-2012 10:09 CDS1_50_75
- 2 : Success 02-24-2012 07:44 CDS2_27_41
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-2
Select one or more CDS instances to schedule to be synchronized before its scheduled time.
The sync will happen as soon as possible depending on other tasks that may be executing
in the RHUI. Only CDS instances that are not currently synchronizing are displayed.
Last Result Next Sync CDS
------------------------------------------
x 1 : Success 02-24-2012 10:09 CDS1_50_75
x 2 : Success 02-24-2012 07:44 CDS2_27_41
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
The following CDS instances will be scheduled for synchronization:
CDS1_50_75
CDS2_27_41
Proceed? (y/n) y
Scheduling sync for CDS1_50_75...
... successfully scheduled for the next available timeslot.
Scheduling sync for CDS2_27_41...
... successfully scheduled for the next available timeslot.
------------------------------------------------------------------------------
rhui (sync) => dc
------------------------------------------------------------------------------
-= Red Hat Update Infrastructure Management Tool =-
-= CDS Synchronization Status =-
Last Refreshed: 04:32:31
(updated every 5 seconds, ctrl+c to exit)
CDS1_50_75 .................................................. [ UP ]
CDS2_27_41 .................................................. [ UP ]
Next Sync Last Sync Last Result
------------------------------------------------------------------------------
CDS1_50_75
In Progress 02-24-2012 04:22 Success
CDS2_27_41
In Progress 02-24-2012 04:22 Success
Connected: ip-10-98-9-150.ec2.internal
------------------------------------------------------------------------------
------------------------------------------------------------------------------
-= Red Hat Update Infrastructure Management Tool =-
-= Client Entitlement Management =-
e generate an entitlement certificate
c create a client configuration RPM from an entitlement certificate
Connected: ip-10-98-9-150.ec2.internal
------------------------------------------------------------------------------
rhui (client) => e
Select one or more repositories to include in the entitlement certificate:
(an * next to a Red Hat repository indicates it is deployed in the RHUI)
Custom Repositories
- 1 : /custom_5/$basearch/misc
misc
Red Hat Repositories
- 2 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Debug RPMs) from RHUI
- 3 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (RPMs) from RHUI
- 4 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Source RPMs) from RHUI
- 5 : Red Hat Enterprise Linux 5 Server - Supplementary (Debug RPMs) from RHUI
- 6 : Red Hat Enterprise Linux 5 Server - Supplementary (RPMs) from RHUI
- 7 : Red Hat Enterprise Linux 5 Server - Supplementary (Source RPMs) from RHUI
- 8 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (Debug RPMs) from RHUI
- 9 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (RPMs) from RHUI
- 10: Red Hat Enterprise Linux 5 Server - Supplementary Beta (Source RPMs) from RHUI
- 11: Red Hat Enterprise Linux 5 Server Beta from RHUI (Debug RPMs)
- 12: Red Hat Enterprise Linux 5 Server Beta from RHUI (RPMs)
- 13: Red Hat Enterprise Linux 5 Server Beta from RHUI (Source RPMs)
- 14: Red Hat Enterprise Linux 5 Server from RHUI (Debug RPMs)
- 15: Red Hat Enterprise Linux 5 Server from RHUI (RPMs)
- 16: Red Hat Enterprise Linux 5 Server from RHUI (Source RPMs)
- 17: Red Hat Enterprise Linux 6 Server (Debug RPMs) from RHUI
- 18: Red Hat Enterprise Linux 6 Server (RPMs) from RHUI *
- 19: Red Hat Enterprise Linux 6 Server (Source RPMs) from RHUI
- 20: Red Hat Enterprise Linux 6 Server - Optional (Debug RPMs) from RHUI
- 21: Red Hat Enterprise Linux 6 Server - Optional (RPMs) from RHUI
- 22: Red Hat Enterprise Linux 6 Server - Optional (Source RPMs) from RHUI
- 23: Red Hat Enterprise Linux 6 Server - Optional Beta (Source RPMs) from RHUI
- 24: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI (RPMs)
- 25: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI(Debug RPMs)
- 26: Red Hat Enterprise Linux 6 Server - Supplementary (Debug RPMs) from RHUI
- 27: Red Hat Enterprise Linux 6 Server - Supplementary (RPMs) from RHUI
- 28: Red Hat Enterprise Linux 6 Server - Supplementary (Source RPMs) from RHUI
- 29: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Debug RPMs) from RHUI
- 30: Red Hat Enterprise Linux 6 Server - Supplementary Beta (RPMs) from RHUI
- 31: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Source RPMs) from RHUI
- 32: Red Hat Enterprise Linux 6 Server Beta (Source RPMs) from RHUI
- 33: Red Hat Enterprise Linux 6 Server Beta from RHUI (Debug RPMs)
- 34: Red Hat Enterprise Linux 6 Server Beta from RHUI (RPMs)
- 35: Red Hat Update Infrastructure 1.2 (Debug RPMs)
- 36: Red Hat Update Infrastructure 1.2 (RPMs)
- 37: Red Hat Update Infrastructure 1.2 (Source RPMs)
- 38: Red Hat Update Infrastructure 2.0 (Debug RPMs)
- 39: Red Hat Update Infrastructure 2.0 (RPMs) *
- 40: Red Hat Update Infrastructure 2.0 (Source RPMs)
Enter value (1-40) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1
Select one or more repositories to include in the entitlement certificate:
(an * next to a Red Hat repository indicates it is deployed in the RHUI)
Custom Repositories
x 1 : /custom_5/$basearch/misc
misc
Red Hat Repositories
- 2 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Debug RPMs) from RHUI
- 3 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (RPMs) from RHUI
- 4 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Source RPMs) from RHUI
- 5 : Red Hat Enterprise Linux 5 Server - Supplementary (Debug RPMs) from RHUI
- 6 : Red Hat Enterprise Linux 5 Server - Supplementary (RPMs) from RHUI
- 7 : Red Hat Enterprise Linux 5 Server - Supplementary (Source RPMs) from RHUI
- 8 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (Debug RPMs) from RHUI
- 9 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (RPMs) from RHUI
- 10: Red Hat Enterprise Linux 5 Server - Supplementary Beta (Source RPMs) from RHUI
- 11: Red Hat Enterprise Linux 5 Server Beta from RHUI (Debug RPMs)
- 12: Red Hat Enterprise Linux 5 Server Beta from RHUI (RPMs)
- 13: Red Hat Enterprise Linux 5 Server Beta from RHUI (Source RPMs)
- 14: Red Hat Enterprise Linux 5 Server from RHUI (Debug RPMs)
- 15: Red Hat Enterprise Linux 5 Server from RHUI (RPMs)
- 16: Red Hat Enterprise Linux 5 Server from RHUI (Source RPMs)
- 17: Red Hat Enterprise Linux 6 Server (Debug RPMs) from RHUI
- 18: Red Hat Enterprise Linux 6 Server (RPMs) from RHUI *
- 19: Red Hat Enterprise Linux 6 Server (Source RPMs) from RHUI
- 20: Red Hat Enterprise Linux 6 Server - Optional (Debug RPMs) from RHUI
- 21: Red Hat Enterprise Linux 6 Server - Optional (RPMs) from RHUI
- 22: Red Hat Enterprise Linux 6 Server - Optional (Source RPMs) from RHUI
- 23: Red Hat Enterprise Linux 6 Server - Optional Beta (Source RPMs) from RHUI
- 24: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI (RPMs)
- 25: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI(Debug RPMs)
- 26: Red Hat Enterprise Linux 6 Server - Supplementary (Debug RPMs) from RHUI
- 27: Red Hat Enterprise Linux 6 Server - Supplementary (RPMs) from RHUI
- 28: Red Hat Enterprise Linux 6 Server - Supplementary (Source RPMs) from RHUI
- 29: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Debug RPMs) from RHUI
- 30: Red Hat Enterprise Linux 6 Server - Supplementary Beta (RPMs) from RHUI
- 31: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Source RPMs) from RHUI
- 32: Red Hat Enterprise Linux 6 Server Beta (Source RPMs) from RHUI
- 33: Red Hat Enterprise Linux 6 Server Beta from RHUI (Debug RPMs)
- 34: Red Hat Enterprise Linux 6 Server Beta from RHUI (RPMs)
- 35: Red Hat Update Infrastructure 1.2 (Debug RPMs)
- 36: Red Hat Update Infrastructure 1.2 (RPMs)
- 37: Red Hat Update Infrastructure 1.2 (Source RPMs)
- 38: Red Hat Update Infrastructure 2.0 (Debug RPMs)
- 39: Red Hat Update Infrastructure 2.0 (RPMs) *
- 40: Red Hat Update Infrastructure 2.0 (Source RPMs)
Enter value (1-40) to toggle selection, 'c' to confirm selections, or '?' for more commands: c
Name of the certificate. This will be used as the name of the certificate file
(name.crt) and its associated private key (name.key). Choose something that will
help identify the products contained with it:
rh-rhui-custom
Local directory in which to save the generated certificate [current directory]:
/root/
Number of days the certificate should be valid [365]:
365
Repositories to be included in the entitlement certificate:
Custom Entitlements
/custom_5/$basearch/misc
Proceed? (y/n) y
......+++
........................+++
Entitlement certificate created at /root/rh-rhui-custom.crt
------------------------------------------------------------------------------
rhui (client) => c
Full path to local directory in which the client configuration files generated by this tool
should be stored (if this directory does not exist, it will be created):
/root
Name of the RPM:
rh-rhui-custom
Version of the configuration RPM [2.0]:
2.4
Full path to the entitlement certificate authorizing the client to access
specific channels:
/root/rh-rhui-custom.crt
Full path to the private key for the above entitlement certificate:
/root/rh-rhui-custom.key
Full path to the CA certificate or CA chain used to sign the CDS SSL certificate:
/root/gen_certs/ca1.crt
Select the CDS instance that should be the primary load balancer for the
client. All other CDS instances will be listed as back up load balancers
in the client's mirror list:
1 - ip-10-12-50-75.ec2.internal
2 - ip-10-12-27-41.ec2.internal
Enter value (1-2) or 'b' to abort: 1
Load Balancer Order:
ip-10-12-50-75.ec2.internal
ip-10-12-27-41.ec2.internal
Successfully created client configuration RPM.
RPMs can be found at /root
------------------------------------------------------------------------------
[root@ip-10-98-9-150 noarch]# rpm -ivh rh-rhui-custom-2.4-1.el6.noarch.rpm
Preparing... ########################################### [100%]
1:rh-rhui-custom ########################################### [100%]
[root@ip-10-98-9-150 ~]# yumdownloader adobe-release-x86_64-1.0-1.noarch
Loaded plugins: pulp-profile-update, rhui-lb
adobe-release-x86_64-1.0-1.noarch.rpm | 4.2 kB 00:00
[root@ip-10-98-9-150 ~]# ls
adobe-release-x86_64-1.0-1.noarch.rpm
[root@ip-10-98-9-150 ~]# cd /var/log/audit
[root@ip-10-98-9-150 audit]# ls
audit.log
[root@ip-10-98-9-150 audit]# grep AVC *
[root@ip-10-98-9-150 audit]#
Released in RHUI 2.0.2
Created attachment 564934 [details]
logs from grinder.log pulp.log var_log_messages audit.log

Description of problem:
Didn't observe these earlier with the 20120215 build, but found with RHEL-6.2-RHUI-2.0.2-20120221.0-Server-x86_64-DVD1.iso

[root@ip-10-36-119-102 audit]# grep AVC *
type=AVC msg=audit(1329899723.444:13185): avc: denied { search } for pid=2840 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329899723.445:13186): avc: denied { getattr } for pid=2840 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.244:13230): avc: denied { getattr } for pid=3333 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329904708.486:13243): avc: denied { search } for pid=30837 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329904708.486:13244): avc: denied { getattr } for pid=30837 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir