Bug 1608166 - Pulp repo sync fails on RHEL 7.6, needs new selinux rules
Summary: Pulp repo sync fails on RHEL 7.6, needs new selinux rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Update Infrastructure for Cloud Providers
Classification: Red Hat
Component: Tools
Version: 3.0.4
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: 3.0.5
Target Release: 3.0.x
Assignee: Martin Minar
QA Contact: Radek Bíba
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-25 05:42 UTC by Radek Bíba
Modified: 2018-11-06 07:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1607770
Environment:
Last Closed: 2018-09-05 17:04:27 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2018:2649 (Private: 0, Priority: None, Status: None, Summary: None), last updated 2018-09-05 17:04:51 UTC

Description Radek Bíba 2018-07-25 05:42:11 UTC
We already have quite a few rules for celery_t in /usr/share/doc/rh-rhua-selinux-policy-3.0.0/rh-rhua.te (package rh-rhua-selinux-policy), and we'll need more for RHEL 7.6.

+++ This bug was initially created as a clone of Bug #1607770 +++

Description of problem:
I can't sync a Red Hat repo in RHUI:

Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360) (13, 'Permission denied')
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360) Traceback (most recent call last):
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/sync.py", line 213, in run
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360)     metadata_files = self.get_metadata(metadata_files)
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/sync.py", line 367, in get_metadata
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360)     metadata_files.generate_dbs()
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/importers/yum/repomd/metadata.py", line 294, in generate_dbs
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360)     with contextlib.closing(gdbm.open(db_filename, 'nf')) as db_file_handle:
Jul 24 08:30:30 rhua pulp: pulp_rpm.plugins.importers.yum.sync:ERROR: (1515-99360) error: (13, 'Permission denied')
Jul 24 08:30:30 rhua pulp: pulp.server.async.tasks:INFO: Task failed : [7d71bab1-742d-4519-81a6-4696a08b7ec6]

audit.log says:

type=AVC msg=audit(1532421030.541:6224): avc:  denied  { map } for  pid=1515 comm="celery" path="/var/cache/pulp/reserved_resource_worker-1.com/7d71bab1-742d-4519-81a6-4696a08b7ec6/tmpFD8xWX/filelists.db" dev="xvda2" ino=8528349 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1532421030.541:6224): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=3000 a2=3 a3=1 items=0 ppid=1412 pid=1515 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)

audit2allow suggests:

allow celery_t pulp_var_cache_t:file map;

#!!!! WARNING: 'shell_exec_t' is a base type.
allow celery_t shell_exec_t:file map;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-207.el7.noarch
pulp-rpm-plugins-2.8.3.6-1.el7ui.noarch

Worked well in 7.5.

(I can be OtherQA here as RHUI is pretty hard to set up for those who don't normally work with it. I've already verified that the sync works with a custom policy based on audit2allow's recommendation.)

--- Additional comment from Red Hat Bugzilla Rules Engine on 2018-07-24 10:50:21 CEST ---

This bug report has Keywords: Regression or TestBlocker.

Since no regressions or test blockers are allowed between releases, it is also being [proposed|marked] as a blocker for this release.

Please resolve ASAP.

--- Additional comment from Radek Bíba on 2018-07-24 10:53:29 CEST ---

Note: the shell exec thing might be related to these errors, which appear in the log repeatedly but before the actual sync:

type=AVC msg=audit(1532412101.934:2100): avc:  denied  { map } for  pid=17443 comm="sh" path="/usr/bin/bash" dev="xvda2" ino=12626950 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1532412101.934:2100): arch=c000003e syscall=59 success=no exit=-13 a0=7f7698ac0f89 a1=7ffe12015f90 a2=7ffe1201a0c8 a3=7f7699c0ca10 items=0 ppid=17428 pid=17443 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:celery_t:s0 key=(null)

--- Additional comment from Radek Bíba on 2018-07-24 10:56:24 CEST ---

Also:

type=ANOM_ABEND msg=audit(1532416433.298:3969): auid=4294967295 uid=48 gid=48 ses=4294967295 subj=system_u:system_r:celery_t:s0 pid=1494 comm="sh" reason="memory violation" sig=11

--- Additional comment from Lukas Vrabec on 2018-07-24 18:05:37 CEST ---

Radek,

The celery_t domain is not part of the selinux-policy rpm package. Moving to the celery component. It's fine to allow these rules; I'm just not the right maintainer.

--- Additional comment from Radek Bíba on 2018-07-25 07:36:59 CEST ---

Ah, right. We'll need at least one more clone of this bug, though -- it's my understanding now that we're going to have to make this change in rh-rhua-selinux-policy, which is a special package with rules for services running on RHUI nodes. I'll clone this bug now.

Comment 2 Radek Bíba 2018-07-25 09:19:13 UTC
audit.log on my CDS node contains denials from httpd reading repo files (when I run yum on a RHUI client):

type=AVC msg=audit(1532509922.203:11152): avc:  denied  { map } for  pid=1471 comm="httpd" path="/var/lib/rhui/remote_share/published/yum/master/yum_distributor/rhel-atomic-host-rhui-rpms-x86_64/1532509764.3/repodata/6a14d78ea74b4b8795af5be3c10b33928006157ef81b7597cb6ff4cb22476173-primary.xml.gz" dev="0:39" ino=1445105 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0

Interestingly, the file is served OK:

10.103.130.67 - - [25/Jul/2018:09:12:02 +0000] "GET /pulp/repos/content/dist/rhel/rhui/atomic/7/7Server/x86_64/os/repodata/6a14d78ea74b4b8795af5be3c10b33928006157ef81b7597cb6ff4cb22476173-primary.xml.gz HTTP/1.1" 200 61803 "-" "urlgrabber/3.10 yum/3.4.3"

(and yes, the client can receive and parse the repodata)

Anyway, audit2allow suggests:

allow httpd_t nfs_t:file map;

I'll check that in a Gluster environment later today.

Comment 3 Radek Bíba 2018-07-25 10:40:41 UTC
No denial appears with Gluster.

Comment 4 Radek Bíba 2018-07-26 12:57:55 UTC
One more thing. An attempt to sync the Atomic Trees repo fails this way:

Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360) Task pulp.server.managers.repo.sync.sync[d5dffb26-c32d-45bf-aea7-b84d00f4a787] raised unexpected: ValueError('Error invoking gpg: -11: ',)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360) Traceback (most recent call last):
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 240, in trace_task
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     R = retval = fun(*args, **kwargs)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 473, in __call__
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     return super(Task, self).__call__(*args, **kwargs)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 103, in __call__
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     return super(PulpTask, self).__call__(*args, **kwargs)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/celery/app/trace.py", line 437, in __protected_call__
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     return self.run(*args, **kwargs)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 760, in sync
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     sync_report = sync_repo(transfer_repo, conduit, call_config)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 658, in wrap_f
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     return f(*args, **kwargs)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp_ostree/plugins/importers/web.py", line 91, in sync_repo
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     report = step.process_lifecycle()
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 562, in process_lifecycle
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     super(PluginStep, self).process_lifecycle()
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 159, in process_lifecycle
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     step.process()
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 249, in process
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     self._process_block()
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 293, in _process_block
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     self.process_main()
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp_ostree/plugins/importers/steps.py", line 93, in process_main
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     remote.add()
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp_ostree/plugins/importers/steps.py", line 414, in add
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     path, key_ids = self.gpg_keys
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/pulp_ostree/plugins/importers/steps.py", line 385, in gpg_keys
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     gpg = GPG(gnupghome=home)
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)   File "/usr/lib/python2.7/site-packages/gnupg.py", line 685, in __init__
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360)     result.stderr))
Jul 26 12:47:19 rhua pulp: celery.worker.job:ERROR: (1412-99360) ValueError: Error invoking gpg: -11:

audit.log:

type=AVC msg=audit(1532609239.294:23205): avc:  denied  { map } for  pid=347 comm="gpg" path="/usr/bin/gpg2" dev="xvda2" ino=12911427 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:gpg_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1532609239.294:23205): arch=c000003e syscall=59 success=no exit=-13 a0=367c1d0 a1=367c1f0 a2=305e680 a3=0 items=0 ppid=1515 pid=347 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg2" subj=system_u:system_r:celery_t:s0 key=(null)
type=PROCTITLE msg=audit(1532609239.294:23205): proctitle="(null)"
type=ANOM_ABEND msg=audit(1532609239.297:23206): auid=4294967295 uid=48 gid=48 ses=4294967295 subj=system_u:system_r:celery_t:s0 pid=347 comm="gpg" reason="memory violation" sig=11

audit2allow additionally recommends:

allow celery_t gpg_exec_t:file map;

Comment 5 Radek Bíba 2018-07-26 14:28:58 UTC
Another issue appears after allowing the above-mentioned rule, restarting pulp_workers, and starting a new sync process:

Jul 26 14:09:58 rhua kernel: celery[3727]: segfault at 342 ip 00007fedeab8d000 sp 00007ffdc7e000a8 error 4 in libc-2.17.so[7fedeaa37000+1c2000]
Jul 26 14:09:58 rhua pulp: celery.worker.job:ERROR: (3669-84480) Task pulp.server.managers.repo.sync.sync[4c1b7463-e9c4-4ef8-bec4-cd8946337a45] raised unexpected: WorkerLostError('Worker exited prematurely: signal 11 (SIGSEGV).',)
Jul 26 14:09:58 rhua pulp: celery.worker.job:ERROR: (3669-84480) Traceback (most recent call last):
Jul 26 14:09:58 rhua celery: reserved_resource_worker-1.com ready.
Jul 26 14:09:58 rhua pulp: celery.worker.job:ERROR: (3669-84480)   File "/usr/lib64/python2.7/site-packages/billiard/pool.py", line 1169, in mark_as_worker_lost
Jul 26 14:09:58 rhua pulp: celery.worker.job:ERROR: (3669-84480)     human_status(exitcode)),
Jul 26 14:09:58 rhua pulp: celery.worker.job:ERROR: (3669-84480) WorkerLostError: Worker exited prematurely: signal 11 (SIGSEGV).

Likely related to:

type=AVC msg=audit(1532614198.905:23436): avc:  denied  { map } for  pid=3727 comm="celery" path="/var/lib/rhui/remote_share/content/shared/ostree/4bcde2efdbbc3a8fc2f63bbe325ddfb8f339d802e4649654893d52590b0c1c7d/content/tmp/15d2c4c15307c23d27ddd67776865258517da84554929a3f92fc6c9187312a8b" dev="0:41" ino=17013677 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1532614198.905:23436): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=345 a2=1 a3=2 items=0 ppid=3669 pid=3727 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)

Suggestion:

allow celery_t nfs_t:file map;

Comment 6 Radek Bíba 2018-07-27 09:35:31 UTC
Also noticed this:

/var/log/audit/audit.log:type=AVC msg=audit(1532674014.408:25095): avc:  denied  { map } for  pid=5659 comm="pool" path="/usr/share/mime/mime.cache" dev="xvda2" ino=4554242 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

This denial has appeared repeatedly, in four-hour intervals which match the Atomic Trees repo syncs. The syncs themselves have been successful, though.

Anyway, another suggestion, then:

allow celery_t usr_t:file map;

Comment 8 Radek Bíba 2018-08-28 07:53:51 UTC
More rules are needed. TL;DR version:

# grep celery /var/log/audit/audit.log | audit2allow 


#============= celery_t ==============

#!!!! WARNING: 'bin_t' is a base type.
allow celery_t bin_t:file map;
allow celery_t ldconfig_exec_t:file map;


Details: audit.log says:
type=AVC msg=audit(1535440735.473:2146): avc:  denied  { map } for  pid=20445 comm="uname" path="/usr/bin/uname" dev="xvda2" ino=12798849 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535440735.495:2148): avc:  denied  { map } for  pid=20450 comm="ldconfig" path="/usr/sbin/ldconfig" dev="xvda2" ino=58313 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file permissive=0

/var/log/messages says:
Aug 28 07:18:55 rhua systemd: Started Pulp's Celerybeat.
Aug 28 07:18:55 rhua systemd: Reloading.
Aug 28 07:18:55 rhua celery: sh: line 1: 20445 Segmentation fault      uname -p 2> /dev/null
Aug 28 07:18:55 rhua celery: sh: line 1: 20450 Segmentation fault      /sbin/ldconfig -p 2> /dev/null

(repeated multiple times later)

Doesn't appear to affect Pulp as repo management works, but should be fixed so that we don't have scary records in system logs.
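The `map` denials quoted across this bug, run through a small parser that merges them into the same allow rules audit2allow proposed (per source domain, target type and class, with a warning before base types). This is an added example, not code from the bug, from audit2allow or from rh-rhua-selinux-policy; the sample records are cut down from the ones above (some path components shortened), and the base-type list is just the two types audit2allow flagged here rather than a lookup in the loaded policy.

```python
import re

# Assumption: the only base types we know about are the two audit2allow flagged in this bug.
# Real audit2allow looks base types up in the loaded policy instead.
BASE_TYPES = frozenset({"shell_exec_t", "bin_t"})

# Constructed sample: AVC records quoted in this bug, cut down to the fields the parser
# needs (dev/ino dropped, some path components shortened), plus one SYSCALL record to
# show that non-AVC lines are skipped.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1532421030.541:6224): avc:  denied  { map } for  pid=1515 comm="celery" path="/var/cache/pulp/reserved_resource_worker-1.com/tmpFD8xWX/filelists.db" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:pulp_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1532412101.934:2100): avc:  denied  { map } for  pid=17443 comm="sh" path="/usr/bin/bash" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1532509922.203:11152): avc:  denied  { map } for  pid=1471 comm="httpd" path="/var/lib/rhui/remote_share/published/yum/master/repodata/primary.xml.gz" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1532609239.294:23205): avc:  denied  { map } for  pid=347 comm="gpg" path="/usr/bin/gpg2" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:gpg_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1532609239.294:23205): arch=c000003e syscall=59 success=no exit=-13 comm="gpg" exe="/usr/bin/gpg2" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1532614198.905:23436): avc:  denied  { map } for  pid=3727 comm="celery" path="/var/lib/rhui/remote_share/content/shared/ostree/objects" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1535440735.473:2146): avc:  denied  { map } for  pid=20445 comm="uname" path="/usr/bin/uname" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

# Pull the denied permissions, source domain, target type and object class out of an AVC record.
AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<sdom>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return (source domain, target type, class, perms) for a denied AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m.group("sdom"), m.group("ttype"), m.group("tclass"), frozenset(m.group("perms").split())


def allow_rules(lines, domain=None, base_types=BASE_TYPES):
    """Merge denials into audit2allow-style allow rules, one per (domain, type, class).

    domain restricts output to one source domain, like the 'grep celery' in comment 8."""
    merged = {}  # insertion order == first time each (sdom, ttype, tclass) was denied
    for line in lines:
        rec = parse_avc(line)
        if rec is None or (domain and rec[0] != domain):
            continue
        sdom, ttype, tclass, perms = rec
        merged.setdefault((sdom, ttype, tclass), set()).update(perms)
    rules = []
    for (sdom, ttype, tclass), perms in merged.items():
        if ttype in base_types:  # audit2allow warns before a rule that opens up a base type
            rules.append("#!!!! WARNING: '%s' is a base type." % ttype)
        perm_str = next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (sdom, ttype, tclass, perm_str))
    return rules


if __name__ == "__main__":
    print("\n".join(allow_rules(AUDIT_SAMPLE.splitlines())))
```

Running it on a real audit.log (`allow_rules(open("/var/log/audit/audit.log"))`) gives a review list; the rules still have to be judged one by one, since a blanket `map` on nfs_t or a base type is broader than a specific file context.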

Comment 12 errata-xmlrpc 2018-09-05 17:04:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2649

