Bug 487380 - SELinux rhnpush failure [Errno 17] File exists: '/var/satellite'
SELinux rhnpush failure [Errno 17] File exists: '/var/satellite'
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Documentation (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: John Ha
John Matthews
: Documentation
Depends On:
Blocks: 456995 457079
  Show dependency treegraph
 
Reported: 2009-02-25 13:35 EST by John Matthews
Modified: 2014-08-04 18:18 EDT (History)
5 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:12:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Matthews 2009-02-25 13:35:03 EST
Description of problem:

Attempting a rhnpush on satellite and receiving this error:

Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500Error Message:
    Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500)


Version-Release number of selected component (if applicable):
ISO: Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso
Installed using QA's install-sat.sh to call the sat installer

How reproducible:
Always

Steps to Reproduce:
1. selinux is in enforcing
2. nevra is enabled (prob not needed, but that's the setup I'm testing)
3. attempt rhnpush
4. see error
5. setenforce 0
6. re-push and it succeeds

Actual results:
[ ~]# rhnpush -c centoslabel -d centosPkgs -u username -p password --server satellite.hostname.com -vvv   
Uploading files from directory centosPkgs
Connecting to http://satellite.hostname.com/APP
url is http://satellite.hostname.com/PACKAGE-PUSH
Result codes: 200 OK
Computing md5sum and package Info .This may take sometime ...
Package /root/centosPkgs/procinfo-18-19.i386.rpm Not Found on RHN Server -- Uploading
Uploading package /root/centosPkgs/procinfo-18-19.i386.rpm
Using POST request
Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500Error Message:
    Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500)
1
Waiting 1 seconds and trying again...
Uploading package /root/centosPkgs/procinfo-18-19.i386.rpm
Using POST request
Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500Error Message:
    Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500)
1
Waiting 4 seconds and trying again...
Uploading package /root/centosPkgs/procinfo-18-19.i386.rpm
Using POST request
Internal server error 500 Internal Server Error
Error pushing /root/centosPkgs/procinfo-18-19.i386.rpm: Error 500Error Message:
    Package upload failed: [Errno 17] File exists: '/var/satellite'
Error Class Code: 50
Error Class Info: Invalid information uploaded to the server (500)
1
Waiting 5 seconds and trying again...
Giving up after 3 attempts



Expected results:
it pushes package

Additional info:

snippet from /var/log/audit/audit.log

type=SYSCALL msg=audit(1235583229.599:1798): arch=40000003 syscall=195 success=no exit=-13 a0=b27ff40 a1=bfa474a8 a2=3acff4 a3=b139c20 items=0 ppid=2633 pid=2648 auid=0 uid=48 gid
=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=USER_ACCT msg=audit(1235583905.198:1799): user pid=3170 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="nocpulse" : exe="/usr/s
bin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1235583905.391:1800): user pid=3170 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="nocpulse" : exe="/usr/sbin/
crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1235583905.391:1801): login pid=3170 uid=0 old auid=4294967295 new auid=103 old ses=4294967295 new ses=264
type=USER_START msg=audit(1235583906.689:1802): user pid=3170 uid=0 auid=103 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="nocpulse" : exe="/usr/sbin/
crond" (hostname=?, addr=?, terminal=cron res=success)'
type=MAC_STATUS msg=audit(1235584549.656:1803): enforcing=0 old_enforcing=1 auid=0 ses=244
type=SYSCALL msg=audit(1235584549.656:1803): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfb4ed44 a2=1 a3=bfb4ed44 items=0 ppid=492 pid=3252 auid=0 uid=0 gid=0 euid=0 suid=
0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=244 comm="setenforce" exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1235584549.673:1804): user pid=1671 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  received setenforce notice (enforcing=0) : e
xe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1235584600.494:1805): avc:  denied  { search } for  pid=2645 comm="httpd" name="" dev=0:18 ino=25871573 scontext=root:system_r:httpd_t:s0 tcontext=system_u:obje
ct_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1235584600.494:1805): arch=40000003 syscall=195 success=no exit=-2 a0=b2d0798 a1=bfa48468 a2=3acff4 a3=b047908 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=
48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.566:1806): avc:  denied  { getattr } for  pid=2645 comm="httpd" path="/var/satellite/redhat/1/26e" dev=0:18 ino=29229274 scontext=root:system_r:httpd
_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1235584600.566:1806): arch=40000003 syscall=195 success=yes exit=0 a0=b10b630 a1=bfa47b68 a2=3acff4 a3=b047908 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=
48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.566:1807): avc:  denied  { write } for  pid=2645 comm="httpd" name="26e" dev=0:18 ino=29229274 scontext=root:system_r:httpd_t:s0 tcontext=system_u:ob
ject_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1235584600.566:1807): avc:  denied  { add_name } for  pid=2645 comm="httpd" name="openmpi" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0
 tclass=dir
type=AVC msg=audit(1235584600.566:1807): avc:  denied  { create } for  pid=2645 comm="httpd" name="openmpi" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:nfs_t:s0 tclas
s=dir
type=SYSCALL msg=audit(1235584600.566:1807): arch=40000003 syscall=39 success=yes exit=0 a0=b10b630 a1=1ff a2=96028e4 a3=b32a0bcc items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 e
uid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.595:1808): avc:  denied  { create } for  pid=2645 comm="httpd" name="openmpi-1.2.8-3.el4.i386.rpm" scontext=root:system_r:httpd_t:s0 tcontext=root:ob
ject_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1235584600.595:1808): arch=40000003 syscall=5 success=yes exit=27 a0=b2c52d8 a1=8241 a2=1ff a3=8241 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 euid=48 
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.620:1809): avc:  denied  { write } for  pid=2645 comm="httpd" path="/var/satellite/redhat/1/26e/openmpi/1.2.8-3.el4/i386/26e873e785d947c719792ac500c0
75f1/openmpi-1.2.8-3.el4.i386.rpm" dev=0:18 ino=95240237 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1235584600.620:1809): arch=40000003 syscall=4 success=yes exit=65536 a0=1b a1=b2ec4dc a2=10000 a3=b047908 items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 eu
id=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1235584600.636:1810): avc:  denied  { setattr } for  pid=2645 comm="httpd" name="openmpi-1.2.8-3.el4.i386.rpm" dev=0:18 ino=95240237 scontext=root:system_r:http
d_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1235584600.636:1810): arch=40000003 syscall=15 success=yes exit=0 a0=b2d0798 a1=1a4 a2=96028e4 a3=b32a0bcc items=0 ppid=2633 pid=2645 auid=0 uid=48 gid=48 e
uid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=244 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
Comment 1 Jan Pazdziora 2009-02-25 14:17:48 EST
Please

- confirm that /var/satellite is a NFS mount;
- show me the output of ls -lZ /var/satellite;
- show me the output of /usr/sbin/getsebool spacewalk_nfs_mountpoint;

Thank you, Jan
Comment 2 John Matthews 2009-02-25 14:28:10 EST
Yes, /var/satellite is a NFS mount
dump-new:/vol/rhndevqaV2 on /var/satellite type nfs (rw,addr=x.x.x.x)


[root@rlx-3-22 ~]# ls -lZ /var/satellite/
drwxr-xr-x  apache root system_u:object_r:nfs_t          redhat
drwxr-xr-x  apache root system_u:object_r:nfs_t          rhn

/usr/sbin/getsebool spacewalk_nfs_mountpoint;
spacewalk_nfs_mountpoint --> off
Comment 3 Jan Pazdziora 2009-02-26 03:46:02 EST
Good. Now, was the Satellite installed via ./install.pl, with SELinux enabled, and was /var/satellite NFS-mounted at the time when the installer was run? Because we have code in /usr/bin/spacewalk-setup (which gets called by ./install.pl) which does

  /usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1

when it sees that /var/satellite or paths under it are nfs_t mounted.

So in your case, the spacewalk_nfs_mountpoint boolean should have been set to on. Is there somethine suspicious in rhn-installation.log, perhaps?
Comment 4 John Matthews 2009-02-26 10:27:54 EST
This makes sense.

The script I'm using does the install, then after that it mounts /var/satellite over NFS.

QA has modified the script, so the mounting of /var/satellite now happens prior to install being called.
Comment 5 John Matthews 2009-02-26 10:28:51 EST
Jan,

Does it make sense to put this bug to ON_QA and we'll retest with NFS mounted first?  

I'd like to confirm the behavior we saw isn't really a bug, but it's what you intend, where SELinux limits the functionality since /var/satellite was installed after the fact.

What would be the steps to enable a NFS mounted /var/satellite after a Sat install?  Is setting spacewalk_nfs_mountpoint to 1 enough?
Comment 6 Jan Pazdziora 2009-02-26 10:57:01 EST
The installer (well, spacewalk-setup) checks that /var/satellite is NFS-mounted during install time, and sets spacewalk_nfs_mountpoint to true if it finds it to be NFS. So yes, the fix post install is to run setsebool.

Moving ON_QA per your suggesting.
Comment 7 wes hayutin 2009-03-03 13:07:10 EST
this is working...

no selinux denials

[root@grandprix audit]# cat /dev/null > audit.log 

[root@grandprix tmp]# rhnpush -c westest -d /tmp/ -u admin -p dog8code --server=http://grandprix.rhndev.redhat.com -vvv
Uploading files from directory /tmp/
Connecting to http://grandprix.rhndev.redhat.com/APP
url is http://grandprix.rhndev.redhat.com/PACKAGE-PUSH
Result codes: 200 OK
Computing md5sum and package Info .This may take sometime ...
Package /tmp/testAutoFile-2-1.0.i386.rpm Not Found on RHN Server -- Uploading
Uploading package /tmp/testAutoFile-2-1.0.i386.rpm
Using POST request
Package /tmp/testAutoFile-1-1.0.i386.rpm Not Found on RHN Server -- Uploading
Uploading package /tmp/testAutoFile-1-1.0.i386.rpm
Using POST request
[root@grandprix tmp]# 



[root@grandprix audit]# tail -f audit.log 
'




[root@grandprix audit]# ls
Comment 8 John Matthews 2009-03-04 16:44:30 EST
Please add release note: 

When running with SELinux enabled, if /var/satellite is changed to a NFS mount after initial install, you need to run:
 "/usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1"
Comment 9 John Ha 2009-03-05 18:12:15 EST
This note has been added to the English Release Notes for 5.3.0. I have put in a request for Glaucia and the Localization team to translate this additional note.
Comment 10 Jan Pazdziora 2009-03-09 08:54:57 EDT
Reassigning to John as this turns to be just documentation bugzilla now.
Comment 12 John Matthews 2009-06-16 09:46:56 EDT
Verified
ISO: Satellite-5.3.0-RHEL5-re20090612.0-i386-embedded-oracle.iso

https://rlx-3-22.rhndev.redhat.com/rhn/help/release-notes/satellite/en-US/index.jsp

#

When using Satellite with SELinux enabled, if /var/satellite/ is changed to an NFS mount after the initial installation, you must run the following command:

/usr/sbin/setsebool -P spacewalk_nfs_mountpoint 1
Comment 13 Miroslav Suchý 2009-08-24 06:08:31 EDT
verified in stage on xen5
Comment 14 Brandon Perkins 2009-09-10 15:12:13 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.