Description of problem: cobbler reposync does no longer work, after the server was upgraded from Fedora 12 to Fedora 14 (using preuprade). The root cause is some python class that tries to determine some default value by reading the RPM database, despite the fact that cobbler uses a config file and command options to specify everything reposync should need. Version-Release number of selected component (if applicable): yum-utils-1.1.28-1.fc14 cobbler-2.0.5-2.fc14 selinux-policy-3.9.7-7.fc14.noarch selinux-policy-targeted-3.9.7-7.fc14.noarch How reproducible: Always. Steps to Reproduce: 1. Upgrade a working cobbler installation from Fedora 12 to Fedora 14 2. After reboot into Fedora 14, run "cobbler reposync" 3. Actual results: Command fails to update the repository;the initial messages are: task started: 2010-11-02_174300_reposync task started (id=Reposync, time=Tue Nov 2 17:43:00 2010) hello, reposync run, reposync, run! creating: /var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo running: /usr/bin/reposync -l -m -d -q --config=/var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo --repoid=Fedora-12-i386-updates --download_path=/var/www/cobbler/repo_mirror -a i686 error: cannot open Packages database in /var/lib/rpm Traceback (most recent call last): File "/usr/bin/reposync", line 349, in <module> main() File "/usr/bin/reposync", line 148, in main my.doConfigSetup(fn=opts.config, init_plugins=opts.plugins) File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 226, in doConfigSetup return self.conf File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 831, in <lambda> conf = property(fget=lambda self: self._getConfig(), File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 277, in _getConfig startupconf = config.readStartupConfig(fn, root) File "/usr/lib/python2.7/site-packages/yum/config.py", line 859, in readStartupConfig startupconf.releasever = _getsysver(startupconf.installroot, startupconf.distroverpkg) File "/usr/lib/python2.7/site-packages/yum/config.py", line 1004, in _getsysver raise Errors.YumBaseError("Error: " + str(e)) yum.Errors.YumBaseError: Error: rpmdb open failed returned: 1 Exception occured: <class 'cobbler.cexceptions.CX'> Exception value: 'cobbler reposync failed' (some cobbler exceptions follow) Expected results: Repository should get updated. Additional info: The config file for reposync used by this command, /var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo, contained: [Fedora-12-i386-updates] name=Fedora-12-i386-updates baseurl=http://ftp.uni-kl.de/pub/linux/fedora/linux/updates/12/i386/ enabled=1 priority=99 gpgcheck=0 The access to /var/lib/rpm gets denied by SELinux, with the following AVC entry in /var/log/audit/audit.log: type=AVC msg=audit(1288716182.381:17767): avc: denied { getattr } for pid=15011 comm="reposync" path="/var/lib/rpm" dev=vda7 ino=2097154 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
It looks like selinux won't let cobbler touch the rpmdb. run this as root: /usr/bin/reposync -l -m -d -q \ --config=/var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo \ --repoid=Fedora-12-i386-updates \ --download_path=/var/www/cobbler/repo_mirror -a i686 and also run it as the user cobbler runs out.
(In reply to comment #1) > It looks like selinux won't let cobbler touch the rpmdb. Yes, sure. The AVC entry in the audit.log confirms this. > > run this as root: > /usr/bin/reposync -l -m -d -q \ > --config=/var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo > \ > --repoid=Fedora-12-i386-updates \ > --download_path=/var/www/cobbler/repo_mirror -a i686 > > > and also run it as the user cobbler runs out. Well, I should have noted it in the first place. Running the reposync command as root succeeds. cobblerd runs under UID root and does not change UID when running reposync.
okay - then it seems like this is an selinux issue or a cobbler issue. either: 1. change the selinux policy so cobbler can read the rpmdb or 2. change cobbler so it uses reposync with a yum.conf with a special installroot for the rpmdb.
(In reply to comment #3) > okay - then it seems like this is an selinux issue or a cobbler issue. > > either: > > 1. change the selinux policy so cobbler can read the rpmdb This would be the easier way, but see below. > or > > 2. change cobbler so it uses reposync with a yum.conf with a special > installroot for the rpmdb. This would be rather strange, I think. cobbler itself does not need the local rpmdb. As you can see from the initial report, the rpmdb belongs to Fedora 14, whereas the repo that should get updated, is Fedora 12. The command that tries to use the rpmdb is reposync, and only to set up some default value that is, in fact, not needed. Isn't it possible to delay reading the rpmdb in reposync until the values read from the rpmdb are actually needed?
reposync uses yum. when yum sets up its initial config it reads from the rpmdb looking for completions to the value: $releasever for its configs, etc. File "/usr/lib/python2.7/site-packages/yum/config.py", line 1004, in _getsysver raise Errors.YumBaseError("Error: " + str(e)) yum.Errors.YumBaseError: Error: rpmdb open failed returned: 1 Changing how the config does all that just to work around cobbler not being able to read an rpmdb of some kind seems out of place. cobbler can set its own installroot and always be able to read that. I'm going to reassign to cobbler. thanks
I've gone through trying to craft a modification to the selinux policy for cobbler that would allow reposync to work. I think I've stumbled upon an RPM bug. I modified the selinux policy to allow cobbler to read /var/lib/rpm and its contents. Unfortunately, I still get the error. When you run reposync as a normal user, you get permission denied when trying to write to /var/lib/rpm, but this does not cause a fatal error. When you try the same thing as root and cannot write to /var/lib/rpm, this causes a fatal error. I think it is a valid configuration with selinux for root not to be able to write to some files. I really don't think that I should have to give cobbler write access to /var/lib/rpm to be able to run reposync. I am going to look into having cobbler use its own install root, but my feeling is that that is not the proper solution.
Nod, rpm 4.8.x and older uses access() to determine the rpmdb path writability and access() has no clue of additional SELinux restrictions (and has other issues too). This should be fixed in current upstream, including 4.9.x when released, but backporting would be tricky.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I was able to get 'cobbler reposync' to run in Fedora 15 by applying the module below. In order to see some of the denials I had to run 'semodule -DB' in order to get rid of the dontaudit rules that were being hidden: module cobblerfix 1.1; require { type cobblerd_t; type setroubleshootd_t; type rpm_var_lib_t; type rpm_log_t; type rpm_var_cache_t; class process { signull }; class file { rename setattr read lock create write getattr unlink open }; class dir { search read write getattr remove_name open add_name }; } #============= cobblerd_t ============== allow cobblerd_t rpm_log_t:file open; #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types: # rsync_etc_t, cobbler_tmp_t, var_lib_t, var_log_t, named_zone_t, cobbler_var_lib_t, tmp_t, etc_t, tftpdir_rw_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t allow cobblerd_t rpm_var_cache_t:dir { write search read remove_name open getattr add_name }; #!!!! The source type 'cobblerd_t' can write to a 'file' of the following types: # rsync_etc_t, cobbler_tmp_t, named_zone_t, cobbler_var_lib_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t allow cobblerd_t rpm_var_cache_t:file { rename setattr read lock create write getattr unlink open }; #!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types: # rsync_etc_t, cobbler_tmp_t, var_lib_t, var_log_t, named_zone_t, cobbler_var_lib_t, tmp_t, etc_t, tftpdir_rw_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t allow cobblerd_t rpm_var_lib_t:dir { write remove_name getattr search add_name }; #!!!! The source type 'cobblerd_t' can write to a 'file' of the following types: # rsync_etc_t, cobbler_tmp_t, named_zone_t, cobbler_var_lib_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t allow cobblerd_t rpm_var_lib_t:file { rename read lock create write getattr unlink open }; allow cobblerd_t setroubleshootd_t:process signull;
I believe this issue has been corrected in the most recent release, and with other SELinux policy changes that have been made along the way. I will close this for now, but feel free to create a new ticket referencing this if the problem crops up again.