Description of problem:
yum repolist fails on the client with a 403 code. Examining the logs on the CDS node, SELinux seems to be the reason.

Version-Release number of selected component (if applicable):
2.0.2; rh-rhui-tools-2.0.53-1.el6.noarch.rpm; RHEL-6.2-RHUI-2.0.2-20120203.1-Server-x86_64-DVD1.iso; rhel 6.2

How reproducible:
always

Steps to Reproduce:
1. install rhui client configuration rpm
2. issue yum repolist
3. a 403 error response prevents yum from fetching repolist
4. CDS: SELinux is preventing httpd from accessing a pulp script

Actual results:
Error fetching repodata

Expected results:
Repodata fetched and list of repositories displayed

Additional info:

# SELinux entry from CDS (/var/log/audit/audit.log):
# ==================================================
type=AVC msg=audit(1328706343.603:112519): avc: denied { getattr } for pid=17584 comm="httpd" path="/srv/pulp/cds.wsgi" dev=xvde1 ino=28885 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1328706343.603:112519): arch=c000003e syscall=6 success=no exit=-13 a0=7f0599330698 a1=7fff776e05b0 a2=7fff776e05b0 a3=1 items=0 ppid=17581 pid=17584 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=513 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

# yum repolist output from client:
# ================================
[root@ip-10-58-183-22 ~]# yum -v repolist
Not loading "rhnplugin" plugin, as it is disabled
Not loading "rhui-lb" plugin, as it is disabled
Loading "security" plugin
Config time: 0.028
Yum Version: 3.2.29
Could not retrieve mirrorlist https://ip-10-226-7-160.eu-west-1.compute.internal/pulp/mirror//content/dist/rhel/rhui/server/6/6Server/x86_64/os error was
14: PYCURL ERROR 22 - "The requested URL returned error: 403"
Error: Cannot retrieve repository metadata (repomd.xml) for repository: rhui-rhel-6-rhui-server-rpms. Please verify its path and try again

# NOTE: with regard to bz 788181, the rhui-lb plugin was disabled during the scenario
This looks like a CDS server issue. The cds.wsgi script isn't able to run.

The label on cds.wsgi is incorrect. The AVC denial shows it is var_t when it should be httpd_sys_content_t.

This labeling should be handled on install of the RPM: pulp-selinux-server

/srv/pulp/cds.wsgi should have the below context:
unconfined_u:object_r:httpd_sys_content_t:s0 cds.wsgi

Would you please confirm that the pulp-selinux-server rpm is installed on the CDS?
# Attaching requested package info
# ================================
[root@ip-10-226-7-160 ~]# rpm -qi pulp-selinux-server
Name        : pulp-selinux-server          Relocations: (not relocatable)
Version     : 0.0.263                      Vendor: Red Hat, Inc.
Release     : 5.el6                        Build Date: Fri 03 Feb 2012 03:46:25 PM EST
Install Date: Mon 06 Feb 2012 06:54:26 AM EST      Build Host: x86-002.build.bos.redhat.com
Group       : Development/Languages        Source RPM: pulp-0.0.263-5.el6.src.rpm
Size        : 128312                       License: GPLv2
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : https://fedorahosted.org/pulp/
Summary     : Pulp SELinux policy for server components.
Description :
SELinux policy for Pulp's server components
I think this issue might be related to: bug 505066

In pulp-selinux-server we added the below

# restorecon wasn't reading new file contexts we added when running under 'post' so moved to 'posttrans'
# Spacewalk saw same issue and filed BZ here: https://bugzilla.redhat.com/show_bug.cgi?id=505066
%posttrans
if /usr/sbin/selinuxenabled ; then
    %{_datadir}/pulp/selinux/server/relabel.sh %{_datadir}
fi
We have a workaround that will let testing proceed farther.

On the CDS run as root:
/usr/share/pulp/selinux/server/relabel.sh

This will run a restorecon on Pulp's files and label the files.

The issue I see with this BZ is that our RPM has a problem with relabeling. I believe it's a sort of timing issue as comment #5 describes. Essentially we install a new selinux module and those new file contexts are not available to our usage from inside the rpm install script.
I ran the above script on both the CDS nodes as root and also restarted the pulp-cds service, but no go. Please let us know if anything else is required.
Please note that a separate volume is being used here for storing the repos /var/lib/pulp-cds [ /dev/xvdl ]

[root@ip-10-224-1-234 httpd]# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1329217026.638:12967): avc: denied { getattr } for pid=1633 comm="httpd" path="/srv/pulp/cds.wsgi" dev=xvde1 ino=28944 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1329219856.523:13049): avc: denied { write } for pid=1641 comm="httpd" name=".cluster-members-lock" dev=xvdl ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

[root@ip-10-224-1-234 pulp-cds]# ls -Z .cluster-members-lock
-rw-r--r--. apache apache unconfined_u:object_r:var_lib_t:s0 .cluster-members-lock

[root@ip-10-224-1-234 lib]# ls -Z | grep pulp-cds
drwxrwsr-t. apache apache system_u:object_r:var_lib_t:s0 pulp-cds

[root@ip-10-224-1-234 lib]# ls -Z /var/lib/pulp-cds
drwx------. root   root   system_u:object_r:file_t:s0      lost+found
drwxrwsr-t. apache apache system_u:object_r:var_lib_t:s0   packages
drwxrwsr-t. apache apache system_u:object_r:var_lib_t:s0   repos

[root@ip-10-224-1-234 lib]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/xvde1            5.7G  2.1G  3.6G  37% /
none                  3.7G     0  3.7G   0% /dev/shm
/dev/xvdl              99G  9.3G   85G  10% /var/lib/pulp-cds
Below commit should address the problems.
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=2b56c6bd8073cdca7014bebe1024552f0ffa68b4

Problems were:
1) We weren't running the relabel.sh script for CDS installs
2) We didn't specify a context for /var/lib/pulp-cds

This will be in Pulp 0.267
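The diagnosis in this thread boils down to reading AVC records and comparing the type a file carries with the type it should carry. The script below is an added example, not code from this bug report or from the Pulp/RHUI projects: it summarises each AVC denial as "permission, source type, target type, class, path" and checks an ls -Z line against an expected type. The sample audit records are the two lines quoted in the "grep AVC" comment above; the ls -Z line for cds.wsgi is constructed to match the var_t label the report describes, and the field layout it assumes (mode, user, group, context, name) is the RHEL 6 layout seen in the report. The only expected type taken from the thread is httpd_sys_content_t for /srv/pulp/cds.wsgi; the report does not state what /var/lib/pulp-cds should be labelled, so the script only reports that denial.

```shell
#!/bin/sh
# Added example, not code from this bug report or from the Pulp/RHUI projects.
# Triage helper for AVC denials like the ones pasted above: summarise each denial
# as "<perm> <source type> <target type> <class> <path>", and compare the type a
# file actually carries (from an ls -Z line) with the type it is supposed to have.

# Sample input: the two AVC records quoted in the "grep AVC" comment above,
# embedded here so the script runs without access to /var/log/audit/audit.log.
SAMPLE_AUDIT='type=AVC msg=audit(1329217026.638:12967): avc: denied { getattr } for pid=1633 comm="httpd" path="/srv/pulp/cds.wsgi" dev=xvde1 ino=28944 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1329219856.523:13049): avc: denied { write } for pid=1641 comm="httpd" name=".cluster-members-lock" dev=xvdl ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file'

# Constructed ls -Z line for the mislabelled script (the report shows it as var_t).
SAMPLE_LS='-rw-r--r--. root root system_u:object_r:var_t:s0 /srv/pulp/cds.wsgi'

# avc_summary: read audit records on stdin, print one line per AVC denial.
avc_summary() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        perm = ""; path = ""; sctx = ""; tctx = ""; tclass = ""
        # permission(s) between the braces, e.g. "{ getattr }"
        if (match($0, /denied *[{][^}]*[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/denied *[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
        }
        # key=value tokens; path= is preferred, name= is used when path= is absent
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "path" || (kv[1] == "name" && path == "")) {
                path = kv[2]; gsub(/"/, "", path)
            }
            if (kv[1] == "scontext") sctx = kv[2]
            if (kv[1] == "tcontext") tctx = kv[2]
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        # the third colon-separated field of a context is the SELinux type
        split(sctx, s, ":"); split(tctx, t, ":")
        print perm, s[3], t[3], tclass, path
    }'
}

# context_type: print the type field of an SELinux context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_label "<ls -Z line>" <expected type>
# Assumes the RHEL 6 ls -Z layout seen in the report: mode user group context name.
# Returns 0 when the type matches, 1 on a mismatch (the case restorecon corrects).
check_label() {
    ctx=$(printf '%s\n' "$1" | awk '{ print $4 }')
    name=$(printf '%s\n' "$1" | awk '{ print $5 }')
    actual=$(context_type "$ctx")
    if [ "$actual" = "$2" ]; then
        printf 'OK %s: %s\n' "$name" "$actual"
        return 0
    fi
    printf 'MISMATCH %s: %s (expected %s)\n' "$name" "$actual" "$2"
    return 1
}

# Run with --demo to print the triage for the sample data above.
case "${1:-}" in
    --demo)
        printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
        check_label "$SAMPLE_LS" httpd_sys_content_t
        ;;
esac
```

On a live CDS the same functions take real input: `grep AVC /var/log/audit/audit.log | avc_summary` and `check_label "$(ls -Z /srv/pulp/cds.wsgi)" httpd_sys_content_t`. A MISMATCH on cds.wsgi is exactly the condition the relabel.sh workaround (a restorecon over Pulp's files) fixes; a denial against var_lib_t on the /var/lib/pulp-cds volume points at the missing file context the commit above adds.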
Built into pulp 0.263-7
Verified in RHEL-6.2-RHUI-2.0.2-20120215.0-Server-x86_64-DVD1.iso

# Screenlog
# =========
[root@ip-10-50-82-54 ~]# cat /etc/yum.repos.d/rh-cloud.repo
[rhui-rhel-6-rhui-server-optional-rpms]
name=Red Hat Enterprise Linux 6 Server - Optional (RPMs) from RHUI
mirrorlist=https://ip-10-54-247-104.eu-west-1.compute.internal/pulp/mirror//content/dist/rhel/rhui/server/6/$releasever/$basearch/optional/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt
sslclientcert=/etc/pki/entitlement/product/content.crt
sslclientkey=/etc/pki/entitlement/key.pem

[rhui-rhel-6-rhui-server-rpms]
name=Red Hat Enterprise Linux 6 Server (RPMs) from RHUI
mirrorlist=https://ip-10-54-247-104.eu-west-1.compute.internal/pulp/mirror//content/dist/rhel/rhui/server/6/$releasever/$basearch/os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
sslverify=1
sslcacert=/etc/pki/entitlement/ca.crt
sslclientcert=/etc/pki/entitlement/product/content.crt
sslclientkey=/etc/pki/entitlement/key.pem

[root@ip-10-50-82-54 ~]# yum repolist
Loaded plugins: rhui-lb, security
rhui-rhel-6-rhui-server-optional-rpms                    | 3.5 kB     00:00
rhui-rhel-6-rhui-server-optional-rpms/primary_db         | 1.8 MB     00:00
rhui-rhel-6-rhui-server-rpms                             | 3.7 kB     00:00
rhui-rhel-6-rhui-server-rpms/primary_db                  |  11 MB     00:00
repo id                                 repo name                                                        status
rhui-rhel-6-rhui-server-optional-rpms   Red Hat Enterprise Linux 6 Server - Optional (RPMs) from RHUI    4,274
rhui-rhel-6-rhui-server-rpms            Red Hat Enterprise Linux 6 Server (RPMs) from RHUI               6,857
repolist: 11,131
*** Bug 788181 has been marked as a duplicate of this bug. ***
Released in RHUI 2.0.2