Description of problem:
With Selinux enforcing running the following seems to fail with permission error

pic.POST('/v2/repositories/forge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge/'}})

Version-Release number of selected component (if applicable):
pulp-server-2.3.0-0.12.alpha.el6.noarch

How reproducible:

Steps to Reproduce:
1. Create and sync a puppet repo (eg forge)
2. Create the directory that you want puppet to be installed on and give apache the correct permission (/etc/puppet/forge/)
3. With selinux enforcing run pic.POST('/v2/repositories/forge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge/'}})

Actual results:

Expected results:

Additional info:
This is a documentation bug. We need to add the selinux command to the documentation to set the appropriate context for the repo install path directory.
I believe we can fix this by moving the pulp_manage_puppet tunable from httpd_t to celery_t.
In 2.5.0 our workers now run confined. I believe this means that we will not be able to publish to /etc/puppet/. In 2.4.{0,1} we were able to publish there, only because our workers were running unconfined. This means that this is a regression in our 2.5.0 beta.
https://github.com/pulp/pulp/pull/1187
This will add the install distributor onto the "forge" repo:

>>> pic.POST('/v2/repositories/forge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge/'}})

This will tell that distributor to publish:

>>> pic.POST('/pulp/api/v2/repositories/forge/actions/publish/', {'id': "puppet_install_distributor"})
https://github.com/pulp/pulp_puppet/pull/137
Don't include a trailing slash when specifying the install_path, or you'll run into this bug [0].

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1149894
build: 2.5.0 0.8.beta
Fails-qa

So I did
1. setfacl -m g:apache:rwx /etc/puppet/forge
2. setfacl -m u:apache:rwx /etc/puppet/forge
3. sudo semanage boolean --on pulp_manage_puppet

Then tried

pic.POST('/v2/repositories/forge1/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge'}})

And it failed with

>>> pic.POST('/v2/repositories/forge1/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge'}})
Request Body
{
  "distributor_id": "puppet_install_distributor",
  "distributor_type_id": "puppet_install_distributor",
  "distributor_config": {
    "install_path": "/etc/puppet/forge"
  },
  "auto_publish": false
}
Response Body
{
  "exception": null,
  "args": [
    "the current user does not have permission to read and write files in the destination directory"
  ],
  "_href": "/pulp/api/v2/repositories/forge1/distributors/",
  "traceback": null,
  "error_message": "the current user does not have permission to read and write files in the destination directory",
  "http_request_method": "POST",
  "http_status": 400,
  "error": {
    "code": "PLP0000",
    "data": {},
    "description": "the current user does not have permission to read and write files in the destination directory",
    "sub_errors": []
  }
}
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/pulp/common/pic.py", line 133, in POST
    return _request('POST', path, body)
  File "/usr/lib/python2.6/site-packages/pulp/common/pic.py", line 114, in _request
    (response.status, response_body))
pulp.common.pic.RequestError: Server response: 400 {u'exception': None, u'args': [u'the current user does not have permission to read and write files in the destination directory'], u'_href': u'/pulp/api/v2/repositories/forge1/distributors/', u'traceback': None, u'error_message': u'the current user does not have permission to read and write files in the destination directory', u'http_request_method': u'POST', u'http_status': 400, u'error': {u'code': u'PLP0000', u'data': {}, u'description': u'the current user does not have permission to read and write files in the destination directory', u'sub_errors': []}}
>>>

Then did
sudo chown -R apache:apache /etc/puppet/forge
sudo chown apache:apache /etc/puppet
And ran the pic from above. Still got the same error.

Now I set selinux disabled. Ran the pic above. And it worked.

>>> pic.POST('/v2/repositories/forge1/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge'}})
Request Body
{
  "distributor_id": "puppet_install_distributor",
  "distributor_type_id": "puppet_install_distributor",
  "distributor_config": {
    "install_path": "/etc/puppet/forge"
  },
  "auto_publish": false
}
Response Body
{
  "repo_id": "forge1",
  "_href": "/pulp/api/v2/repositories/forge1/distributors/puppet_install_distributor/",
  "_ns": "repo_distributors",
  "last_publish": null,
  "auto_publish": false,
  "scheduled_publishes": [],
  "distributor_type_id": "puppet_install_distributor",
  "scratchpad": null,
  "_id": {
    "$oid": "544024b812a08e620e0e4cad"
  },
  "config": {
    "install_path": "/etc/puppet/forge"
  },
  "id": "puppet_install_distributor"
}
(201, {u'repo_id': u'forge1', u'_href': u'/pulp/api/v2/repositories/forge1/distributors/puppet_install_distributor/', u'_ns': u'repo_distributors', u'last_publish': None, u'auto_publish': False, u'scheduled_publishes': [], u'distributor_type_id': u'puppet_install_distributor', u'scratchpad': None, u'_id': {u'$oid': u'544024b812a08e620e0e4cad'}, u'config': {u'install_path': u'/etc/puppet/forge'}, u'id': u'puppet_install_distributor'})
>>>

Now I set selinux to enforcing and run the publish and it succeeds.

>>> pic.POST('/pulp/api/v2/repositories/forge1/actions/publish/', {'id': "puppet_install_distributor"})
Request Body
{
  "id": "puppet_install_distributor"
}
Response Body
{
  "spawned_tasks": [
    {
      "_href": "/pulp/api/v2/tasks/75d298fd-597c-4f4b-a83d-b3ba9a731849/",
      "task_id": "75d298fd-597c-4f4b-a83d-b3ba9a731849"
    }
  ],
  "result": null,
  "error": null
}
(202, {u'spawned_tasks': [{u'_href': u'/pulp/api/v2/tasks/75d298fd-597c-4f4b-a83d-b3ba9a731849/', u'task_id': u'75d298fd-597c-4f4b-a83d-b3ba9a731849'}], u'result': None, u'error': None})
>>>

[root@qe-blade-12 ~]# ls -ladZ of /etc/puppet/forge/*
ls: cannot access of: No such file or directory
drwxr-xr-x. apache apache unconfined_u:object_r:puppet_etc_t:s0 /etc/puppet/forge/x11
[root@qe-blade-12 ~]# ls -ladZ of /etc/puppet/*
ls: cannot access of: No such file or directory
-rw-r--r--. root root system_u:object_r:puppet_etc_t:s0 /etc/puppet/auth.conf
drwxrwxr-x+ apache apache unconfined_u:object_r:puppet_etc_t:s0 /etc/puppet/forge
drwxr-xr-x. root root system_u:object_r:puppet_etc_t:s0 /etc/puppet/modules
-rw-r--r--. root root system_u:object_r:puppet_etc_t:s0 /etc/puppet/puppet.conf
[root@qe-blade-12 ~]#

This is from the audit.log when I try the first pic

type=AVC msg=audit(1413491976.104:2577): avc: denied { write } for pid=25186 comm="httpd" name="forge" dev=dm-0 ino=2230907 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1413491976.104:2577): arch=c000003e syscall=21 success=no exit=-13 a0=7f38dc017b20 a1=7 a2=7f391555ba08 a3=7f38f51ef238 items=0 ppid=25098 pid=25186 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=310 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[root@qe-blade-12 ~]# sudo audit2allow -al

#============= httpd_t ==============

#!!!! The source type 'httpd_t' can write to a 'dir' of the following types:
# httpd_squirrelmail_t, var_lib_t, var_run_t, var_log_t, httpd_mediawiki_tmp_t, dirsrv_var_log_t, zarafa_var_lib_t, dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t, squirrelmail_spool_t, dirsrvadmin_config_t, mnt_t, var_lock_t, tmp_t, var_t, tmpfs_t, httpd_log_t, dirsrv_config_t, httpd_tmp_t, pulp_cert_t, dirsrvadmin_tmp_t, httpd_cache_t, httpd_tmpfs_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, passenger_tmp_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_sys_content_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, passenger_var_run_t, httpd_openshift_ra_content_t, httpd_openshift_rw_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, cluster_var_lib_t, cluster_var_run_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, root_t, httpdcontent, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, cluster_conf_t

allow httpd_t puppet_etc_t:dir write;
[root@qe-blade-12 ~]#
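The AVC record above is the key evidence in this thread: the denial comes from httpd_t (the distributor create/validate step runs in Apache), not from the celery_t worker that does the actual publish. The following is an added example, not code from the thread or from Pulp: a small parser that pulls the source and target types out of AVC records and reports which Pulp step each puppet_etc_t denial belongs to. The first record is the one quoted above; the celery_t record is constructed to show what a worker-side denial would look like, and the mapping of source domain to Pulp step is this example's assumption based on the thread.

```python
import re

# Constructed sample log: first AVC/SYSCALL pair is the one quoted in this bug,
# the third record is a hypothetical denial from a confined celery_t worker.
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1413491976.104:2577): avc: denied { write } for pid=25186 '
    'comm="httpd" name="forge" dev=dm-0 ino=2230907 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1413491976.104:2577): arch=c000003e syscall=21 '
    'success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"',
    'type=AVC msg=audit(1413492000.000:2600): avc: denied { add_name } for pid=25300 '
    'comm="celery" name="x11" scontext=system_u:system_r:celery_t:s0 '
    'tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=dir',
])

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: denied'
    r' \{ (?P<perms>[^}]*)\} for (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption from the thread: validation runs in httpd, publish in a worker.
PULP_STEP_BY_DOMAIN = {
    "httpd_t": "distributor create/validate (httpd)",
    "celery_t": "publish (celery worker)",
}

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    for ctx in ("scontext", "tcontext"):
        # A context is user:role:type:level; the type is what policy rules key on.
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def pulp_puppet_denials(log_text):
    """List (serial, source type, tclass, perms, pulp step) for denials on puppet_etc_t."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tcontext_type") != "puppet_etc_t":
            continue
        src = rec["scontext_type"]
        step = PULP_STEP_BY_DOMAIN.get(src, "unexpected source domain")
        findings.append((rec["serial"], src, rec["tclass"], rec["perms"], step))
    return findings
```

Running it on a real /var/log/audit/audit.log after a failed distributor create tells you at a glance whether the boolean needs to cover httpd_t, celery_t, or both.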
[root@qe-blade-12 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.8.beta.el6.noarch
[root@qe-blade-12 ~]#
Hmmm, I am unable to reproduce these errors and am able to successfully publish with selinux enabled. Can you ls -laZ /etc/puppet for me? Also, it's curious that you are seeing that httpd_t needs access to puppet_etc_t. It should be celery_t, not httpd_t.
The error happens when you create the distributor with selinux enabled. Publish works with selinux enabled.

Steps to reproduce.

1. sudo setenforce 1

2. Create a single puppet repo with a single unit in it. I do this by running the following:
- pulp-admin puppet repo create --repo-id=forge --feed=http://forge.puppetlabs.com
- sync the first 200 units and then cancel the task manually. The sync command is: pulp-admin puppet repo sync run --repo-id=forge
- pulp-admin puppet repo create --repo-id forge_copy
- pulp-admin puppet repo copy --filters {} --from-repo-id forge --to-repo-id forge_copy
- pulp-admin puppet repo remove --filters {} --repo-id forge
- pulp-admin puppet repo copy --match author=lvillani --from-repo-id forge_copy --to-repo-id forge

3. Create a directory to publish into, and give it the right permissions
- mkdir /etc/puppet/forge
- sudo chown -R apache:apache /etc/puppet/forge

4. Create the install distributor named 'puppet_install_distributor' by running:
pic.POST('/v2/repositories/forge/distributors/', {'distributor_type_id':'puppet_install_distributor', 'distributor_id':'puppet_install_distributor', 'auto_publish': False, 'distributor_config': {'install_path':'/etc/puppet/forge'}})
In addition to the other pull requests referenced in this BZ, this is also required: https://github.com/pulp/pulp_puppet/pull/148
included in pulp-server 2.5.0-0.11
fails-qa

For rhel7 you need to run

semanage boolean --modify --on pulp_manage_puppet

So the doc needs to be updated to reflect that. Creating the install distributor and publishing succeeded.

[root@cloud-qe-1-vm-1 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.11.beta.el7.noarch
[root@cloud-qe-1-vm-1 ~]#
In addition to the previous pull requests, this one fixes the documentation: https://github.com/pulp/pulp_puppet/pull/149
verified http://pulp-puppet.readthedocs.org/en/latest/tech-reference/plugin_conf.html#install-distributor