Bug 1306404 - Enforcing SELinux doesn't allow to upload rpms to a custom repository
Enforcing SELinux doesn't allow to upload rpms to a custom repository
Status: CLOSED ERRATA
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: Tools (Show other bugs)
3.0.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: RHUI Bug List
Irina Gulina
:
Depends On:
Blocks: 1198817
  Show dependency treegraph
 
Reported: 2016-02-10 13:02 EST by Irina Gulina
Modified: 2017-03-01 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-01 17:11:30 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Irina Gulina 2016-02-10 13:02:20 EST
Description of problem:

An unexpected error occurs during RPM upload if SELinux is in the enforcement mode.

Version-Release number of selected component (if applicable):
>> rpm -qa "*rhui*"
rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch
rhui-installer-base-0.0.24-1.el7ui.noarch
rh-rhui-tools-libs-pre.3.0.16-1.el7ui.noarch
rhui-installer-0.0.24-1.el7ui.noarch
rh-rhui-tools-pre.3.0.16-1.el7ui.noarch
rhui-default-ca-1.0-1.noarch
rh-amazon-rhui-client-2.2.118-1.el7.noarch

>> rpm -qa "*pulp*"
python-pulp-client-lib-2.7.0-0.5.beta.el7ui.noarch
pulp-rpm-plugins-2.7.0-0.5.beta.el7ui.noarch
python-pulp-common-2.7.0-0.5.beta.el7ui.noarch
python-pulp-docker-common-1.0.2-1.el7ui.noarch
pulp-selinux-2.7.0-0.5.beta.el7ui.noarch
pulp-admin-client-2.7.0-0.5.beta.el7ui.noarch
python-pulp-rpm-common-2.7.0-0.5.beta.el7ui.noarch
pulp-server-2.7.0-0.5.beta.el7ui.noarch
python-pulp-oid_validation-2.7.0-0.5.beta.el7ui.noarch
python-pulp-ostree-common-1.0.0-0.3.beta.el7ui.noarch
pulp-ostree-plugins-1.0.0-0.3.beta.el7ui.noarch
pulp-rpm-admin-extensions-2.7.0-0.5.beta.el7ui.noarch
python-pulp-repoauth-2.7.0-0.5.beta.el7ui.noarch
pulp-docker-plugins-1.0.2-1.el7ui.noarch
python-pulp-bindings-2.7.0-0.5.beta.el7ui.noarch

RHUI iso 20151013

How reproducible:
always if SELinux is in the enforcement mode

Steps to Reproduce:

Try to upload rpm to a custom repo when SELinux is Enforcing

rhui (repo) => u

Select the repositories to upload the package into:
  -  1 : custom-i386-x86_64
  -  2 : custom-x86_64-x86_64
  -  3 : custom-i386-i386
  -  4 : repo1
Enter value (1-4) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x  1 : custom-i386-x86_64
  -  2 : custom-x86_64-x86_64
  -  3 : custom-i386-i386
  -  4 : repo1
Enter value (1-4) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm to server...

An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

>> less /root/.rhui/rhui.log
2016-02-10 11:24:24,752 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.7/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.7/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.7/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.7/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 98, in POST
    log_request_body=log_request_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 161, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 199, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads'

Check the permissions on /var/lib/pulp/uploads. There is no such repo: 

>> ls -l /var/lib/pulp/uploads
ls: cannot access /var/lib/pulp/uploads: No such file or directory
>> ls -l /var/lib/pulp/
total 1
drwxr-xr-x. 2 apache apache  6 Feb  9 08:56 packages
drwxr-xr-x. 3 apache apache 16 Feb  9 09:14 published

Create it and try to upload rpm again:
>> ls -l /var/lib/pulp/
total 2
drwxr-xr-x. 2 apache apache  6 Feb  9 08:56 packages
drwxr-xr-x. 3 apache apache 16 Feb  9 09:14 published
drwxr-xr-x. 2 apache apache  6 Feb 10 11:54 uploads

>> restorecon -rv /var/lib/pulp/

------------------------------------------------------------------------------
rhui (repo) => u   

Select the repositories to upload the package into:
  -  1 : custom-i386-x86_64
  -  2 : custom-x86_64-x86_64
  -  3 : custom-i386-i386
  -  4 : repo1
Enter value (1-4) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x  1 : custom-i386-x86_64
  -  2 : custom-x86_64-x86_64
  -  3 : custom-i386-i386
  -  4 : repo1
Enter value (1-4) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm to server...

An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

>> less /root/.rhui/rhui.log
2016-02-10 11:56:01,420 - <class 'pulp.bindings.exceptions.PulpServerException'>
2016-02-10 11:56:01,421 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.7/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.7/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.7/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.7/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 98, in POST
    log_request_body=log_request_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 161, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 199, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads/90d2f310-eaf6-47df-a613-cee23967a30c'

Check SELinux mode and audit logs for AVC: 
>>getenforce
Enforcing
>> grep 'AVC' /var/log/audit/audit.log 
type=AVC msg=audit(1455121464.740:258193): avc:  denied  { write } for  pid=16680 comm="httpd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1455123361.412:258256): avc:  denied  { write } for  pid=16681 comm="httpd" name="uploads" dev="fuse" ino=9497699219452967571 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1455123555.793:258258): avc:  denied  { write } for  pid=16680 comm="httpd" name="uploads" dev="fuse" ino=9497699219452967571 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1455123555.793:258258): avc:  denied  { add_name } for  pid=16680 comm="httpd" name="6f170d6c-ae74-42f0-bf08-da3b30c7fb67" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1455123555.793:258258): avc:  denied  { create } for  pid=16680 comm="httpd" name="6f170d6c-ae74-42f0-bf08-da3b30c7fb67" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1455123555.793:258258): avc:  denied  { write open } for  pid=16680 comm="httpd" path="/var/lib/rhui/remote_share/uploads/6f170d6c-ae74-42f0-bf08-da3b30c7fb67" dev="fuse" ino=10372954598879493380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1455123555.796:258259): avc:  denied  { getattr } for  pid=16680 comm="httpd" path="/var/lib/rhui/remote_share/uploads/6f170d6c-ae74-42f0-bf08-da3b30c7fb67" dev="fuse" ino=10372954598879493380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1455123555.849:258260): avc:  denied  { read } for  pid=16681 comm="httpd" name="6f170d6c-ae74-42f0-bf08-da3b30c7fb67" dev="fuse" ino=10372954598879493380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
type=AVC msg=audit(1455123556.216:258261): avc:  denied  { remove_name } for  pid=16681 comm="httpd" name="6f170d6c-ae74-42f0-bf08-da3b30c7fb67" dev="fuse" ino=10372954598879493380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1455123556.216:258261): avc:  denied  { unlink } for  pid=16681 comm="httpd" name="6f170d6c-ae74-42f0-bf08-da3b30c7fb67" dev="fuse" ino=10372954598879493380 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

Change SELinux to the permissive mode and try to upload RPM again. 

>> setenforce 0
>> getenforce
Permissive

------------------------------------------------------------------------------
rhui (repo) => u

Select the repositories to upload the package into:
  -  1 : custom-i386-x86_64
  -  2 : custom-x86_64-x86_64
  -  3 : custom-i386-i386
  -  4 : repo1
Enter value (1-4) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x  1 : custom-i386-x86_64
  -  2 : custom-x86_64-x86_64
  -  3 : custom-i386-i386
  -  4 : repo1
Enter value (1-4) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.124-1.el7.noarch.rpm has been queued, task will run at the next available time slot.

Actual results:
Uploading rpm to a custom repo fails if SELinux is Enforcing

Expected results:
Successful upload
Comment 3 Irina Gulina 2016-06-16 19:58:43 EDT
Still Valid on RHUI3 iso 20160531

>> getenforce
Enforcing

>> rhui (repo) => u

Select the repositories to upload the package into:
  -  1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x  1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm
  rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm
  rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm to server...

An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

2016-06-16 19:50:11,541 - Successfully connected to [rhua.example.com]
2016-06-16 19:53:47,779 - <class 'pulp.bindings.exceptions.PulpServerException'>
2016-06-16 19:53:47,779 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.7/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.7/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.7/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.7/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.7/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 98, in POST
    log_request_body=log_request_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 161, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.7/site-packages/pulp/bindings/server.py", line 199, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads'


>> grep 'AVC' /var/log/audit/audit.log 
type=AVC msg=audit(1466121227.767:31355): avc:  denied  { write } for  pid=5666 comm="httpd" name="/" dev="fuse" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir

>> setenforce 0
[root@rhua ~]# getenforce
Permissive

>> rhui (repo) => u

Select the repositories to upload the package into:
  -  1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x  1 : test_repo_1
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm
  rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm
  rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el6.noarch.rpm has been queued, task will run at the next available time slot.
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.128-1.el7.noarch.rpm has been queued, task will run at the next available time slot.
Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm has been queued, task will run at the next available time slot.
Comment 4 Irina Gulina 2016-06-16 20:06:12 EDT
>> service httpd status -l
Redirecting to /bin/systemctl status  -l httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2016-06-16 19:48:31 EDT; 15min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 5574 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 5595 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─5595 /usr/sbin/httpd -DFOREGROUND
           ├─5616 (wsgi:pulp)     -DFOREGROUND
           ├─5617 PassengerWatchdog
           ├─5620 PassengerHelperAgent
           ├─5628 PassengerLoggingAgent
           ├─5635 /usr/sbin/httpd -DFOREGROUND
           ├─5636 /usr/sbin/httpd -DFOREGROUND
           ├─5637 /usr/sbin/httpd -DFOREGROUND
           ├─5638 /usr/sbin/httpd -DFOREGROUND
           ├─5639 /usr/sbin/httpd -DFOREGROUND
           ├─5640 /usr/sbin/httpd -DFOREGROUND
           ├─5641 /usr/sbin/httpd -DFOREGROUND
           └─5642 /usr/sbin/httpd -DFOREGROUND

Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)     file_path = ContentUploadManager._upload_file_path(upload_id)
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/content/upload.py", line 240, in _upload_file_path
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)     upload_storage_dir = ContentUploadManager._upload_storage_dir()
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/content/upload.py", line 259, in _upload_storage_dir
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)     os.makedirs(upload_storage_dir)
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)   File "/usr/lib64/python2.7/os.py", line 157, in makedirs
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400)     mkdir(name, mode)
Jun 16 19:53:47 rhua.example.com pulp[5616]: pulp.server.webservices.middleware.exception:ERROR: (5616-70400) OSError: [Errno 13] Permission denied: '/var/lib/pulp/uploads'
Jun 16 19:57:55 rhua.example.com httpd[5616]: )    : No worthy mechs found
Jun 16 19:57:55 rhua.example.com pulp[5616]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
Comment 5 Irina Gulina 2016-06-17 10:12:04 EDT
>> pulp-admin rpm repo uploads rpm --repo-id repo_1 --file=/tmp/rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
+----------------------------------------------------------------------+
                              Unit Upload
+----------------------------------------------------------------------+

Extracting necessary metadata for each request...
[==================================================] 100%
Analyzing: rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
... completed

Creating upload requests on the server...
[==================================================] 100%
Initializing: rh-amazon-rhui-client-rhs30-2.2.125-1.el7.noarch.rpm
An internal error occurred on the Pulp server:

RequestException: POST request
on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied:
'/var/lib/pulp/uploads/d9414dd3-f11a-4866-a116-590147806663'

[root@rhua ~]# getenforce
Enforcing
Comment 6 Irina Gulina 2016-07-20 13:10:20 EDT
RHEL6 iso 20160719:

>> getenforce
Enforcing

>> rhui (repo) => u

Select the repositories to upload the package into:
  -  1 : protected_repo
  -  2 : unprotected_repo
  -  3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 3

Select the repositories to upload the package into:
  -  1 : protected_repo
  -  2 : unprotected_repo
  x  3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm to server...

An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

2016-07-20 13:05:43,467 - Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.6/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.6/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.6/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.6/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 166, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 204, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads/4c723950-a574-4ecd-a58e-62ad621a40f7'
Comment 7 Irina Gulina 2016-07-20 13:20:12 EDT
But on RHEL7 iso 20160719 everything works fine: 

u

Select the repositories to upload the package into:
  -  1 : protected_repo
  -  2 : unprotected_repo
  -  3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 3

Select the repositories to upload the package into:
  -  1 : protected_repo
  -  2 : unprotected_repo
  x  3 : selinux_repo
Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.130-1.el7.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el7.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el7.noarch.rpm has been queued, task will run at the next available time slot.

------------------------------------------------------------------------------
rhui (repo) => l

Custom Repositories
  protected_repo
  selinux_repo
  unprotected_repo


------------------------------------------------------------------------------
rhui (repo) => i

Select one or more repositories:

  Custom Repositories
    -  1 : protected_repo
    -  2 : selinux_repo
    -  3 : unprotected_repo

  Red Hat Repositories

Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: 3

Select one or more repositories:

  Custom Repositories
    -  1 : protected_repo
    -  2 : selinux_repo
    x  3 : unprotected_repo

  Red Hat Repositories

Enter value (1-3) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Name:                unprotected_repo
Type:                Custom
Relative Path:       unprotected_repo
GPG Check:           No
Package Count:       1


------------------------------------------------------------------------------
rhui (repo) => exit
[root@rhua ~]# pulp-admin rpm repo list
+----------------------------------------------------------------------+
                            RPM Repositories
+----------------------------------------------------------------------+

Id:                  unprotected_repo
Display Name:        unprotected_repo
Description:         unprotected_repo
Content Unit Counts: 
  Rpm: 1

Id:                  protected_repo
Display Name:        protected_repo
Description:         protected_repo
Content Unit Counts: 
  Rpm: 1

Id:                  selinux_repo
Display Name:        selinux_repo
Description:         selinux_repo
Content Unit Counts: 
  Rpm: 1

>> getenforce
Enforcing
Comment 8 Patrick Creech 2016-07-21 15:48:45 EDT
Based on the output of semodule -l, it appears the rh-rhua selinux policy is not getting loaded on RHEL-6 environments.  

RHEL-6:                    RHEL-7:

remotelogin     1.7.0     │remotelogin     1.8.0
rhcs    1.1.0             │rh-rhua 0.1.12.1
rhev    1.0               │rhcs    1.2.1

This is due to a requires issue for 'type_unreserved_port_t', which didn't get created for selinux till after RHEL-6 was released.
Comment 9 Irina Gulina 2016-07-28 07:11:32 EDT
Failed ON_QA on RHEL6 iso 20160727:

>> rh-rhua is loaded: 
semodule -l | grep rh
rh-rhua	0.1.13.1	
rhcs	1.1.0	
rhev	1.0	
rhgb	1.9.0	
rhnsd	1.0.0	
rhsmcertd	1.0.0	
userhelper	1.5.0

unpload to unprotected or/and protected custom repo: 
>> u

Select the repositories to upload the package into:
  -  1 : unprotected_repo1
  -  2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x  1 : unprotected_repo1
  -  2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm to server...

An unexpected error has occurred during the last operation.
More information can be found in /root/.rhui/rhui.log.

Unexpected error caught at the shell level
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 88, in safe_listen
    self.listen(clear=first_run)
  File "/usr/lib/python2.6/site-packages/rhui/tools/shell.py", line 122, in listen
    Shell.listen(self)
  File "/usr/lib/python2.6/site-packages/rhui/common/shell.py", line 186, in listen
    item.func(*args, **item.kwargs)
  File "/usr/lib/python2.6/site-packages/rhui/tools/screens/repo.py", line 650, in upload
    self.pulp.upload(repo_ids, rpm)
  File "/usr/lib/python2.6/site-packages/rhui/tools/pulp_api.py", line 850, in upload
    upload_id = self.upload_api.initialize_upload().response_body['upload_id']
  File "/usr/lib/python2.6/site-packages/pulp/bindings/upload.py", line 14, in initialize_upload
    return self.server.POST(url)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 100, in POST
    log_request_body=log_request_body, ignore_prefix=ignore_prefix)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 166, in _request
    self._handle_exceptions(response_code, response_body)
  File "/usr/lib/python2.6/site-packages/pulp/bindings/server.py", line 204, in _handle_exceptions
    raise exceptions.PulpServerException(response_body)
PulpServerException: RequestException: POST request on /pulp/api/v2/content/uploads/ failed with 500 - [Errno 13] Permission denied: '/var/lib/pulp/uploads' 

>> less /var/log/audit/audit.log | grep avc
type=AVC msg=audit(1469703017.282:951): avc:  denied  { sys_resource } for  pid=7811 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469703017.295:952): avc:  denied  { write } for  pid=7814 comm="PassengerHelper" path="[eventfd]" dev=anon_inodefs ino=3919 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1469703017.382:953): avc:  denied  { sys_resource } for  pid=7837 comm="PassengerWatchd" capability=24  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469703047.319:958): avc:  denied  { fowner } for  pid=7923 comm="chmod" capability=3  scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1469704039.668:1011): avc:  denied  { write } for  pid=7913 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1469704150.037:1012): avc:  denied  { write } for  pid=7916 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
type=AVC msg=audit(1469704180.849:1013): avc:  denied  { write } for  pid=7913 comm="httpd" name="/" dev=fuse ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir
Comment 10 Irina Gulina 2016-08-01 08:10:12 EDT
It seems this BZ is Gluster specific.
Comment 11 Irina Gulina 2016-08-26 11:16:24 EDT
Upload works fine on RHEL6 and RHEL7 ISOes 20160823, checked for NFS and Gluster

e.g. on RHEL6.8, Gluster:

>> u

Select the repositories to upload the package into:
  -  1 : unprotected_repo1
  -  2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-2

Select the repositories to upload the package into:
  x  1 : unprotected_repo1
  x  2 : protected_repo1
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Enter the location of the packages to upload. If the location is an RPM,
the file will be uploaded. If the location is a directory, all RPMs in that
directory will be uploaded:
/tmp

The following RPMs will be uploaded:
  rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm
Proceed? (y/n) y


Uploading /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm to server...
Associating /tmp/rh-amazon-rhui-client-rhs30-2.2.130-1.el6.noarch.rpm has been queued, task will run at the next available time slot.

------------------------------------------------------------------------------
rhui (repo) => i

Select one or more repositories:

  Custom Repositories
    -  1 : protected_repo1
    -  2 : unprotected_repo1

  Red Hat Repositories

Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-2

Select one or more repositories:

  Custom Repositories
    x  1 : protected_repo1
    x  2 : unprotected_repo1

  Red Hat Repositories

Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c


Name:                protected_repo1
Type:                Custom
Relative Path:       protected_repo1
GPG Check:           No
Package Count:       1

Name:                unprotected_repo1
Type:                Custom
Relative Path:       unprotected_repo1
GPG Check:           No
Package Count:       1


------------------------------------------------------------------------------
rhui (repo) => exit
[root@rhua ~]# pulp-admin -u admin -p admin rpm repo list
+----------------------------------------------------------------------+
                            RPM Repositories
+----------------------------------------------------------------------+

Id:                  test
Display Name:        None
Description:         None
Content Unit Counts: 
  Rpm: 1

Id:                  unprotected_repo1
Display Name:        unprotected_repo1
Description:         unprotected_repo1
Content Unit Counts: 
  Rpm: 1

Id:                  protected_repo1
Display Name:        protected_repo1
Description:         protected_repo1
Content Unit Counts: 
  Rpm: 1

>> getenforce
Enforcing
Comment 12 errata-xmlrpc 2017-03-01 17:11:30 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0367

Note You need to log in before you can comment on or make changes to this bug.