Bug 648988 - reposync does no longer work after upgrade to Fedora 14 when used by cobbler
reposync does no longer work after upgrade to Fedora 14 when used by cobbler
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: cobbler (Show other bugs)
14
Unspecified Linux
low Severity medium
: ---
: ---
Assigned To: James C.
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-11-02 13:01 EDT by Robert Vogelgesang
Modified: 2014-01-21 18:16 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-06 09:44:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Robert Vogelgesang 2010-11-02 13:01:32 EDT
Description of problem:
cobbler reposync does no longer work, after the server was upgraded from Fedora 12 to Fedora 14 (using preuprade).  The root cause is some python class that tries to determine some default value by reading the RPM database, despite the fact that cobbler uses a config file and command options to specify everything reposync should need.

Version-Release number of selected component (if applicable):
yum-utils-1.1.28-1.fc14
cobbler-2.0.5-2.fc14
selinux-policy-3.9.7-7.fc14.noarch
selinux-policy-targeted-3.9.7-7.fc14.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Upgrade a working cobbler installation from Fedora 12 to Fedora 14
2. After reboot into Fedora 14, run "cobbler reposync"
3.
  
Actual results:
Command fails to update the repository;the initial messages are:
task started: 2010-11-02_174300_reposync
task started (id=Reposync, time=Tue Nov  2 17:43:00 2010)
hello, reposync
run, reposync, run!
creating: /var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo
running: /usr/bin/reposync -l -m -d -q --config=/var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo --repoid=Fedora-12-i386-updates --download_path=/var/www/cobbler/repo_mirror -a i686
error: cannot open Packages database in /var/lib/rpm
Traceback (most recent call last):
  File "/usr/bin/reposync", line 349, in <module>
    main()
  File "/usr/bin/reposync", line 148, in main
    my.doConfigSetup(fn=opts.config, init_plugins=opts.plugins)
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 226, in doConfigSetup
    return self.conf
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 831, in <lambda>
    conf = property(fget=lambda self: self._getConfig(),
  File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 277, in _getConfig
    startupconf = config.readStartupConfig(fn, root)
  File "/usr/lib/python2.7/site-packages/yum/config.py", line 859, in readStartupConfig
    startupconf.releasever = _getsysver(startupconf.installroot, startupconf.distroverpkg)
  File "/usr/lib/python2.7/site-packages/yum/config.py", line 1004, in _getsysver
    raise Errors.YumBaseError("Error: " + str(e))
yum.Errors.YumBaseError: Error: rpmdb open failed
returned: 1
Exception occured: <class 'cobbler.cexceptions.CX'>
Exception value: 'cobbler reposync failed'
(some cobbler exceptions follow)

Expected results:
Repository should get updated.

Additional info:
The config file for reposync used by this command, /var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo, contained:
[Fedora-12-i386-updates]
name=Fedora-12-i386-updates
baseurl=http://ftp.uni-kl.de/pub/linux/fedora/linux/updates/12/i386/
enabled=1
priority=99
gpgcheck=0

The access to /var/lib/rpm gets denied by SELinux, with the following AVC entry in /var/log/audit/audit.log:
type=AVC msg=audit(1288716182.381:17767): avc:  denied  { getattr } for  pid=15011 comm="reposync" path="/var/lib/rpm" dev=vda7 ino=2097154 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
Comment 1 seth vidal 2010-11-02 13:18:36 EDT
It looks like selinux won't let cobbler touch the rpmdb.

run this as root:
/usr/bin/reposync -l -m -d -q \
--config=/var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo \
--repoid=Fedora-12-i386-updates \
--download_path=/var/www/cobbler/repo_mirror -a i686


and also run it as the user cobbler runs out.
Comment 2 Robert Vogelgesang 2010-11-02 13:33:46 EDT
(In reply to comment #1)
> It looks like selinux won't let cobbler touch the rpmdb.

Yes, sure.  The AVC entry in the audit.log confirms this.

> 
> run this as root:
> /usr/bin/reposync -l -m -d -q \
> --config=/var/www/cobbler/repo_mirror/Fedora-12-i386-updates/.origin/Fedora-12-i386-updates.repo
> \
> --repoid=Fedora-12-i386-updates \
> --download_path=/var/www/cobbler/repo_mirror -a i686
> 
> 
> and also run it as the user cobbler runs out.

Well, I should have noted it in the first place.  Running the reposync command as root succeeds.  cobblerd runs under UID root and does not change UID when running reposync.
Comment 3 seth vidal 2010-11-02 13:44:56 EDT
okay - then it seems like this is an selinux issue or a cobbler issue.

either:

1. change the selinux policy so cobbler can read the rpmdb
or

2. change cobbler so it uses reposync with a yum.conf with a special installroot for the rpmdb.
Comment 4 Robert Vogelgesang 2010-11-02 14:06:08 EDT
(In reply to comment #3)
> okay - then it seems like this is an selinux issue or a cobbler issue.
> 
> either:
> 
> 1. change the selinux policy so cobbler can read the rpmdb

This would be the easier way, but see below.
 
> or
> 
> 2. change cobbler so it uses reposync with a yum.conf with a special
> installroot for the rpmdb.

This would be rather strange, I think.

cobbler itself does not need the local rpmdb.  As you can see from the initial report, the rpmdb belongs to Fedora 14, whereas the repo that should get updated, is Fedora 12.  The command that tries to use the rpmdb is reposync, and only to set up some default value that is, in fact, not needed.  

Isn't it possible to delay reading the rpmdb in reposync until the values read from the rpmdb are actually needed?
Comment 5 seth vidal 2010-11-02 14:15:56 EDT
reposync uses yum.

when yum sets up its initial config it reads from the rpmdb looking for completions to the value: $releasever for its configs, etc.

File "/usr/lib/python2.7/site-packages/yum/config.py", line 1004, in
_getsysver
    raise Errors.YumBaseError("Error: " + str(e))
yum.Errors.YumBaseError: Error: rpmdb open failed
returned: 1


Changing how the config does all that just to work around cobbler not being able to read an rpmdb of some kind seems out of place.

cobbler can set its own installroot and always be able to read that.


I'm going to reassign to cobbler.

thanks
Comment 6 Scott J Henson 2010-12-24 23:20:46 EST
I've gone through trying to craft a modification to the selinux policy for cobbler that would allow reposync to work.  I think I've stumbled upon an RPM bug.  I modified the selinux policy to allow cobbler to read /var/lib/rpm and its contents.  Unfortunately, I still get the error.  

When you run reposync as a normal user, you get permission denied when trying to write to /var/lib/rpm, but this does not cause a fatal error.  When you try the same thing as root and cannot write to /var/lib/rpm, this causes a fatal error.

I think it is a valid configuration with selinux for root not to be able to write to some files.  I really don't think that I should have to give cobbler write access to /var/lib/rpm to be able to run reposync.

I am going to look into having cobbler use its own install root, but my feeling is that that is not the proper solution.
Comment 7 Panu Matilainen 2011-01-03 03:00:37 EST
Nod, rpm 4.8.x and older uses access() to determine the rpmdb path writability and access() has no clue of additional SELinux restrictions (and has other issues too). This should be fixed in current upstream, including 4.9.x when released, but backporting would be tricky.
Comment 8 Fedora Admin XMLRPC Client 2011-01-03 09:34:07 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Jason Montleon 2011-06-26 19:01:46 EDT
I was able to get 'cobbler reposync' to run in Fedora 15 by applying the module below. In order to see some of the denials I had to run 'semodule -DB' in order to get rid of the dontaudit rules that were being hidden:

module cobblerfix 1.1;

require {
        type cobblerd_t;
        type setroubleshootd_t;
        type rpm_var_lib_t;
        type rpm_log_t;
        type rpm_var_cache_t;
        class process { signull };
        class file { rename setattr read lock create write getattr unlink open };
        class dir { search read write getattr remove_name open add_name };
}

#============= cobblerd_t ==============
allow cobblerd_t rpm_log_t:file open;
#!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
# rsync_etc_t, cobbler_tmp_t, var_lib_t, var_log_t, named_zone_t, cobbler_var_lib_t, tmp_t, etc_t, tftpdir_rw_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t

allow cobblerd_t rpm_var_cache_t:dir { write search read remove_name open getattr add_name };
#!!!! The source type 'cobblerd_t' can write to a 'file' of the following types:
# rsync_etc_t, cobbler_tmp_t, named_zone_t, cobbler_var_lib_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t

allow cobblerd_t rpm_var_cache_t:file { rename setattr read lock create write getattr unlink open };
#!!!! The source type 'cobblerd_t' can write to a 'dir' of the following types:
# rsync_etc_t, cobbler_tmp_t, var_lib_t, var_log_t, named_zone_t, cobbler_var_lib_t, tmp_t, etc_t, tftpdir_rw_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t

allow cobblerd_t rpm_var_lib_t:dir { write remove_name getattr search add_name };
#!!!! The source type 'cobblerd_t' can write to a 'file' of the following types:
# rsync_etc_t, cobbler_tmp_t, named_zone_t, cobbler_var_lib_t, httpd_cobbler_rw_content_t, root_t, public_content_rw_t

allow cobblerd_t rpm_var_lib_t:file { rename read lock create write getattr unlink open };
allow cobblerd_t setroubleshootd_t:process signull;
Comment 10 James C. 2012-06-06 09:44:59 EDT
I believe this issue has been corrected in the most recent release, and with other SELinux policy changes that have been made along the way. I will close this for now, but feel free to create a new ticket referencing this if the problem crops up again.

Note You need to log in before you can comment on or make changes to this bug.