Description of problem:
2 scenarios of Permission denied when exporting repo:
1) exporting to a non-existing repo returns Permission denied error, but creates a specified repo and completes an export
2) exporting to an existing repo returns Permission denied error, and doesn't export anything

Version-Release number of selected component (if applicable):
>> rpm -qa | grep pulp-server
pulp-server-2.5.0-0.18.rc.fc20.noarch

How reproducible:
always

Steps to Reproduce:
>> pulp-admin rpm repo list
+----------------------------------------------------------------------+
RPM Repositories
+----------------------------------------------------------------------+
Id: gena
Display Name: gena
Description: None
Content Unit Counts:
  Rpm: 2

>> ls -l | grep tmp
drwxrwxrwt. 8 apache apache 4096 Nov 13 13:27 tmp

>> ls -l /tmp
total 4
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87

>> pulp-admin rpm repo export run --repo-id gena --export-dir /tmp/blabla
+----------------------------------------------------------------------+
Publishing Repository [gena]
+----------------------------------------------------------------------+
The following publish configuration options will be used:
Export Dir: /tmp/blabla
This command may be exited via ctrl+c without affecting the request.
Initializing repo metadata [-] ... completed
Publishing Distribution files [-] ... completed
Publishing RPMs [==================================================] 100% 2 of 2 items ... completed
Publishing Delta RPMs ... skipped
Publishing Errata [-] ... completed
Publishing Comps file [-] ... completed
Publishing Metadata. [-] ... completed
Closing repo metadata [-] ... completed
Generating sqlite files ... skipped
Copying files [-] ... failed
[(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor/repodata', u'/tmp/blabla/gena/repodata', "[Errno 13] Permission denied: '/tmp/blabla/gena/repodata'"), (u'/var/lib/pulp/working/repos/gena/distributors/export_distributor', u'/tmp/blabla/gena', "[Errno 13] Permission denied: '/tmp/blabla/gena'")]
Task Failed
[(u'/var/lib/pulp/working/repos/gena/distributors/export_distributor/repodata', u'/tmp/blabla/gena/repodata', "[Errno 13] Permission denied: '/tmp/blabla/gena/repodata'"), (u'/var/lib/pulp/working/repos/gena/distributors/export_distributor', u'/tmp/blabla/gena', "[Errno 13] Permission denied: '/tmp/blabla/gena'")]

>> ls -l /tmp
total 8
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 blabla
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87

>> ls -l /tmp/blabla/
total 4
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 gena

And now we export it to the existing directory:

>> mkdir /tmp/gena_export
>> chown apache:apache /tmp/gena_export/
>> ls -l /tmp
total 12
drwxr-xr-x. 3 apache apache 4096 Nov 13 13:29 blabla
drwxr-xr-x. 2 apache apache 4096 Nov 13 13:30 gena_export
srwxrwxrwx. 1 mongodb mongodb 0 Oct 14 10:47 mongodb-27017.sock
drwx------. 3 root root 4096 Nov 12 19:33 systemd-httpd.service-Xzx1e87

>> pulp-admin rpm repo export run --repo-id gena --export-dir /tmp/gena_export
+----------------------------------------------------------------------+
Publishing Repository [gena]
+----------------------------------------------------------------------+
The following publish configuration options will be used:
Export Dir: /tmp/gena_export
This command may be exited via ctrl+c without affecting the request.
Initializing repo metadata [-] ... completed
Publishing Distribution files [-] ... completed
Publishing RPMs [==================================================] 100% 2 of 2 items ... completed
Publishing Delta RPMs ... skipped
Publishing Errata [-] ... completed
Publishing Comps file [-] ... completed
Publishing Metadata. [-] ... completed
Closing repo metadata [-] ... completed
Generating sqlite files ... skipped
Copying files [-] ... failed
[Errno 13] Permission denied: '/tmp/gena_export/gena'
Task Failed
[Errno 13] Permission denied: '/tmp/gena_export/gena'

And ta-dam! It's empty!

>> ls -l /tmp/gena_export/
total 0
Could this have been caused by selinux?
Right, it happens with Enforcing selinux; in Permissive mode everything is ok.
Created attachment 958961
stacktrace

>> less /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1416375562.269:321086): avc: denied { setattr } for pid=15885 comm="celery" name="repodata" dev="xvda1" ino=626175 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1416375562.278:321087): avc: denied { setattr } for pid=15885 comm="celery" name="zoo" dev="xvda1" ino=626166 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=USER_AVC msg=audit(1416375686.738:321091): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1416375707.544:321117): avc: denied { setattr } for pid=20675 comm="celery" name="repodata" dev="xvda1" ino=626031 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
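Added example (not part of the original report or of Pulp's code): a small Python triage script that parses the AVC records quoted in the comment above, groups the denials by source type, target type, class and permission, and tags each one with the SELinux mode inferred from `setenforce` notices in the same log. The function names `parse_denials` and `summarize` are hypothetical, and the mode is reported as "unknown" until the first notice is seen.

```python
import re
from collections import Counter

# Records as quoted in the comment above; no other log data is assumed.
SAMPLE_LOG = """\
type=AVC msg=audit(1416375562.269:321086): avc: denied { setattr } for pid=15885 comm="celery" name="repodata" dev="xvda1" ino=626175 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1416375562.278:321087): avc: denied { setattr } for pid=15885 comm="celery" name="zoo" dev="xvda1" ino=626166 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=USER_AVC msg=audit(1416375686.738:321091): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1416375707.544:321117): avc: denied { setattr } for pid=20675 comm="celery" name="repodata" dev="xvda1" ino=626031 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
SETENFORCE_RE = re.compile(r"received setenforce notice \(enforcing=(?P<on>[01])\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level; the type is what policy rules match on.
    return context.split(":")[2]

def parse_denials(log_text):
    """Return one dict per AVC denial, tagged with the mode in effect when it was logged."""
    mode, denials = "unknown", []
    for line in log_text.splitlines():
        notice = SETENFORCE_RE.search(line)
        if notice:  # a setenforce call changes the mode for all later records
            mode = "enforcing" if notice.group("on") == "1" else "permissive"
            continue
        m = DENIED_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        denials.append({
            "mode": mode,
            "perms": tuple(m.group("perms").split()),
            "comm": kv.get("comm"),
            "name": kv.get("name"),
            "source": selinux_type(kv["scontext"]),
            "target": selinux_type(kv["tcontext"]),
            "tclass": kv.get("tclass"),
        })
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, permissions)."""
    return Counter((d["source"], d["target"], d["tclass"], d["perms"]) for d in denials)

if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LOG)).items():
        print(count, key)
```

All three denials collapse to one tuple: `celery_t` requesting `setattr` on a `tmp_t` directory. The last one is logged after the `enforcing=0` notice, which matches the observation that the export succeeds in Permissive mode while the denial is still recorded.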
Moved to https://pulp.plan.io/issues/616