Description of problem:
Attempting a rhnpush on satellite and receiving this error:

Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500
Error Message: Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500)

Version-Release number of selected component (if applicable):
ISO: Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso
Installed using QA's install-sat.sh to call the sat installer

How reproducible:
Always

Steps to Reproduce:
1. selinux is in enforcing
2. nevra is enabled (prob not needed, but that's the setup I'm testing)
3. attempt rhnpush
4. see error
5. setenforce 0
6. re-push and it succeeds

Actual results:
[ ~]# rhnpush -c centoslabel -d centosPkgs -u username -p password --server satellite.hostname.com -vvv
Uploading files from directory centosPkgs
Connecting to http://satellite.hostname.com/APP
url is http://satellite.hostname.com/PACKAGE-PUSH
Result codes: 200 OK
Computing md5sum and package Info .This may take sometime ...
Package /root/centosPkgs/procinfo-18-19.i386.rpm Not Found on RHN Server -- Uploading
Uploading package /root/centosPkgs/procinfo-18-19.i386.rpm
Using POST request
Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500
Error Message: Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500) 1
Waiting 1 seconds and trying again...
Uploading package /root/centosPkgs/procinfo-18-19.i386.rpm
Using POST request
Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500
Error Message: Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500) 1
Waiting 4 seconds and trying again...
Uploading package /root/centosPkgs/procinfo-18-19.i386.rpm
Using POST request
Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500
Error Message: Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500) 1
Waiting 5 seconds and trying again...
Giving up after 3 attempts

Expected results:
it pushes package

Additional info:
snippet from /var/log/audit/audit.log

type=SYSCALL msg=audit(1235583229.599:1798): arch=40000003 syscall=195 success=no exit=-13 a0=b27ff40 a1=bfa474a8 a2=3acff4 a3=b139c20 items=0 ppid=2633 pid=2648 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=USER_ACCT msg=audit(1235583905.198:1799): user pid=3170 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1235583905.391:1800): user pid=3170 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1235583905.391:1801): login pid=3170 uid=0 old auid=4294967295 new auid=103 old ses=4294967295 new ses=264
type=USER_START msg=audit(1235583906.689:1802): user pid=3170 uid=0 auid=103 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="nocpulse" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=MAC_STATUS msg=audit(1235584549.656:1803): enforcing=0 old_enforcing=1 auid=0 ses=244
type=SYSCALL msg=audit(1235584549.656:1803): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfb4ed44 a2=1 a3=bfb4ed44 items=0 ppid=492 pid=3252 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=244 comm="setenforce" exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1235584549.673:1804): user pid=1671 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1235584600.494:1805): avc: denied { search } for pid=2645 comm="httpd" name="" dev=0:18 ino=25871573 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1235584600.494:1805): arch=40000003 syscall=195 success=no exit=-2 a0=b2d0798 a1=bfa48468 a2=3acff4 a3=b047908 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.566:1806): avc: denied { getattr } for pid=2645 comm="httpd" path="/var/satellite/redhat/1/26e" dev=0:18 ino=29229274 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1235584600.566:1806): arch=40000003 syscall=195 success=yes exit=0 a0=b10b630 a1=bfa47b68 a2=3acff4 a3=b047908 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.566:1807): avc: denied { write } for pid=2645 comm="httpd" name="26e" dev=0:18 ino=29229274 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1235584600.566:1807): avc: denied { add_name } for pid=2645 comm="httpd" name="openmpi" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1235584600.566:1807): avc: denied { create } for pid=2645 comm="httpd" name="openmpi" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1235584600.566:1807): arch=40000003 syscall=39 success=yes exit=0 a0=b10b630 a1=1ff a2=96028e4 a3=b32a0bcc items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.595:1808): avc: denied { create } for pid=2645 comm="httpd" name="openmpi-1.2.8-3.el4.i386.rpm" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1235584600.595:1808): arch=40000003 syscall=5 success=yes exit=27 a0=b2c52d8 a1=8241 a2=1ff a3=8241 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.620:1809): avc: denied { write } for pid=2645 comm="httpd" path="/var/satellite/redhat/1/26e/openmpi/1.2.8-3.el4/i386/26e873e785d947c719792ac500c075f1/openmpi-1.2.8-3.el4.i386.rpm" dev=0:18 ino=95240237 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1235584600.620:1809): arch=40000003 syscall=4 success=yes exit=65536 a0=1b a1=b2ec4dc a2=10000 a3=b047908 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.636:1810): avc: denied { setattr } for pid=2645 comm="httpd" name="openmpi-1.2.8-3.el4.i386.rpm" dev=0:18 ino=95240237 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1235584600.636:1810): arch=40000003 syscall=15 success=yes exit=0 a0=b2d0798 a1=1a4 a2=96028e4 a3=b32a0bcc items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
Please
- confirm that /var/satellite is an NFS mount;
- show me the output of ls -lZ /var/satellite;
- show me the output of /usr/sbin/getsebool spacewalk_nfs_mountpoint;

Thank you,
Jan
Yes, /var/satellite is a NFS mount

dump-new:/vol/rhndevqaV2 on /var/satellite type nfs (rw,addr=x.x.x.x)

[root@rlx-3-22 ~]# ls -lZ /var/satellite/
drwxr-xr-x apache root system_u:object_r:nfs_t redhat
drwxr-xr-x apache root system_u:object_r:nfs_t rhn

/usr/sbin/getsebool spacewalk_nfs_mountpoint;
spacewalk_nfs_mountpoint --> off
Good. Now, was the Satellite installed via ./install.pl, with SELinux enabled, and was /var/satellite NFS-mounted at the time when the installer was run? Because we have code in /usr/bin/spacewalk-setup (which gets called by ./install.pl) which does

/usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1

when it sees that /var/satellite or paths under it are nfs_t mounted. So in your case, the spacewalk_nfs_mountpoint boolean should have been set to on. Is there something suspicious in rhn-installation.log, perhaps?
This makes sense. The script I'm using does the install, then after that it mounts /var/satellite over NFS. QA has modified the script, so the mounting of /var/satellite now happens prior to install being called.
Jan, Does it make sense to put this bug to ON_QA and we'll retest with NFS mounted first? I'd like to confirm the behavior we saw isn't really a bug, but it's what you intend, where SELinux limits the functionality since /var/satellite was installed after the fact. What would be the steps to enable a NFS mounted /var/satellite after a Sat install? Is setting spacewalk_nfs_mountpoint to 1 enough?
The installer (well, spacewalk-setup) checks that /var/satellite is NFS-mounted during install time, and sets spacewalk_nfs_mountpoint to true if it finds it to be NFS. So yes, the fix post install is to run setsebool. Moving ON_QA per your suggestion.
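An added example, not part of the original thread or of Satellite's code: one way to read an audit excerpt like the one in the report, grouping AVC denials by source type, target type and class, and using MAC_STATUS records to separate denials logged while enforcing from those logged after setenforce 0. The sample is constructed by abbreviating records from the report; the function names and the assumption that the excerpt starts in enforcing mode are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: records abbreviated from the audit snippet in the report.
SAMPLE = '''\
type=MAC_STATUS msg=audit(1235584549.656:1803): enforcing=0 old_enforcing=1 auid=0 ses=244
type=AVC msg=audit(1235584600.494:1805): avc: denied { search } for pid=2645 comm="httpd" name="" dev=0:18 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1235584600.566:1807): avc: denied { write } for pid=2645 comm="httpd" name="26e" dev=0:18 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1235584600.595:1808): avc: denied { create } for pid=2645 comm="httpd" name="openmpi-1.2.8-3.el4.i386.rpm" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:nfs_t:s0 tclass=file
'''

AVC = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}'
                 r'.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
MAC = re.compile(r'type=MAC_STATUS .*?\benforcing=([01])')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]


def summarize(log_text, enforcing=True):
    """Group AVC denials by (source type, target type, class).

    `enforcing` is the assumed mode at the start of the excerpt; each
    MAC_STATUS record (written on setenforce) updates it as the log is read.
    """
    groups = defaultdict(lambda: {'perms': set(), 'enforcing': 0, 'permissive': 0})
    for line in log_text.splitlines():
        mac = MAC.search(line)
        if mac:
            enforcing = mac.group(1) == '1'
            continue
        avc = AVC.search(line)
        if avc:
            perms, scon, tcon, tclass = avc.groups()
            g = groups[(selinux_type(scon), selinux_type(tcon), tclass)]
            g['perms'].update(perms.split())
            g['enforcing' if enforcing else 'permissive'] += 1
    return dict(groups)


def nfs_denials(summary):
    """Source types denied on nfs_t objects, the pattern behind this bug."""
    return sorted({src for (src, tgt, _cls) in summary if tgt == 'nfs_t'})


if __name__ == '__main__':
    for key, g in summarize(SAMPLE).items():
        print(key, sorted(g['perms']), g['enforcing'], g['permissive'])
```

On the sample, every denial is httpd_t against nfs_t and all are counted as permissive, which matches the report: the records were written after setenforce 0, when the push succeeded.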
this is working... no selinux denials

[root@grandprix audit]# cat /dev/null > audit.log

[root@grandprix tmp]# rhnpush -c westest -d /tmp/ -u admin -p dog8code --server=http://grandprix.rhndev.redhat.com -vvv
Uploading files from directory /tmp/
Connecting to http://grandprix.rhndev.redhat.com/APP
url is http://grandprix.rhndev.redhat.com/PACKAGE-PUSH
Result codes: 200 OK
Computing md5sum and package Info .This may take sometime ...
Package /tmp/testAutoFile-2-1.0.i386.rpm Not Found on RHN Server -- Uploading
Uploading package /tmp/testAutoFile-2-1.0.i386.rpm
Using POST request
Package /tmp/testAutoFile-1-1.0.i386.rpm Not Found on RHN Server -- Uploading
Uploading package /tmp/testAutoFile-1-1.0.i386.rpm
Using POST request
[root@grandprix tmp]#

[root@grandprix audit]# tail -f audit.log
'
[root@grandprix audit]# ls
Please add release note:

When running with SELinux enabled, if /var/satellite is changed to a NFS mount after initial install, you need to run:
"/usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1"
This note has been added to the English Release Notes for 5.3.0. I have put in a request for Glaucia and the Localization team to translate this additional note.
Reassigning to John as this turns out to be just a documentation bugzilla now.
Verified
ISO: Satellite-5.3.0-RHEL5-re20090612.0-i386-embedded-oracle.iso
https://rlx-3-22.rhndev.redhat.com/rhn/help/release-notes/satellite/en-US/index.jsp

# When using Satellite with SELinux enabled, if /var/satellite/ is changed to an NFS mount after the initial installation, you must run the following command:
/usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1
verified in stage on xen5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html