Created attachment 564934
logs from grinder.log pulp.log var_log_messages audit.log

Description of problem:
Didn't observe these earlier with the 20120215 build, but found with RHEL-6.2-RHUI-2.0.2-20120221.0-Server-x86_64-DVD1.iso

[root@ip-10-36-119-102 audit]# grep AVC *
type=AVC msg=audit(1329899723.444:13185): avc: denied { search } for pid=2840 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329899723.445:13186): avc: denied { getattr } for pid=2840 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.244:13230): avc: denied { getattr } for pid=3333 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329904708.486:13243): avc: denied { search } for pid=30837 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329904708.486:13244): avc: denied { getattr } for pid=30837 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
I've done some preliminary investigation on this. The timestamps from the AVCs in audit.log are from 4:35 AM EST:

type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir

/home/jslagle/Downloads/788574/logs $ date -ud @1329903332 +"%c %z"
Wed 22 Feb 2012 09:35:32 AM UTC +0000

And, looking in pulp.log at this same time, we can see this corresponds to the repo metadata generation for a custom repo:

2012-02-22 04:35:10,418 2393:140418937235200: pulp.repo_auth.repo_cert_utils:INFO: repo_cert_utils:589 Storing repo cert file [/etc/pki/pulp/content/custom_2/consumer-custom_2.ca]
2012-02-22 04:35:10,419 2393:140418937235200: pulp.repo_auth.repo_cert_utils:INFO: repo_cert_utils:589 Storing repo cert file [/etc/pki/pulp/content/custom_2/consumer-custom_2.cert]
2012-02-22 04:35:10,443 2393:140418937235200: pulp.server.util:INFO: util:499 started repo metadata update: ['createrepo', '--database', '--checksum', 'sha256', '--update', '/var/lib/pulp//repos/custom_2']
2012-02-22 04:35:10,966 2393:140418937235200: pulp.server.util:INFO: util:550 createrepo on /var/lib/pulp//repos/custom_2 finished
2012-02-22 04:35:10,966 2393:140418937235200: pulp.server.util:INFO: util:552 Nothing further to check; we got our fresh metadata

I was able to reproduce this AVC easily. Seems to occur every time repo metadata is generated for a custom repository. However, I'm not seeing any errors that result from the AVC.
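
The correlation walked through in the comment above (audit epoch to wall-clock time, then a match against pulp.log), as an added example that is not part of the original report or of Pulp/RHUI. The log lines are copied from the report; the UTC-5 offset for pulp.log and the 60-second look-back window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Log lines copied from the report above, not constructed.
AUDIT_LOG = """\
type=AVC msg=audit(1329903332.243:13229): avc: denied { search } for pid=3333 comm="genpkgmetadata." name="rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1329903332.244:13230): avc: denied { getattr } for pid=3333 comm="genpkgmetadata." path="/var/lib/rpm" dev=xvde1 ino=18 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
"""
PULP_LOG = """\
2012-02-22 04:35:10,443 2393:140418937235200: pulp.server.util:INFO: util:499 started repo metadata update: ['createrepo', '--database', '--checksum', 'sha256', '--update', '/var/lib/pulp//repos/custom_2']
2012-02-22 04:35:10,966 2393:140418937235200: pulp.server.util:INFO: util:550 createrepo on /var/lib/pulp//repos/custom_2 finished
"""
EST = timezone(timedelta(hours=-5))  # assumption: pulp.log is stamped in UTC-5 ("EST" in the comment)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*) \}\s+for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
PULP_TS = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ ")

def parse_avcs(text):
    """Return one dict per AVC denial; the audit epoch becomes an aware UTC datetime."""
    out = []
    for m in AVC_RE.finditer(text):
        d = m.groupdict()
        d["when"] = datetime.fromtimestamp(int(d["epoch"]), tz=timezone.utc)
        d["perms"] = d["perms"].split()
        out.append(d)
    return out

def summarize(avcs):
    """Group denials by (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for a in avcs:
        key = (a["scontext"].split(":")[2], a["tcontext"].split(":")[2], a["tclass"])
        rules[key].update(a["perms"])
    return dict(rules)

def pulp_events_before(avc, pulp_text, tz, window=timedelta(seconds=60)):
    """pulp.log lines stamped (in local zone tz) within `window` before the denial."""
    hits = []
    for line in pulp_text.splitlines():
        m = PULP_TS.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            if timedelta(0) <= avc["when"] - ts <= window:
                hits.append(line)
    return hits

if __name__ == "__main__":
    avcs = parse_avcs(AUDIT_LOG)
    print(summarize(avcs))
    print(pulp_events_before(avcs[0], PULP_LOG, EST))
```

Reading pulp.log as UTC instead of UTC-5 puts the createrepo run five hours away from the denial, and the match disappears.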
Cherry-picked below commit to RHUI branch http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=78ac0f839e83064d837d7512f9f6ec76b7facd90
Similar to bz 784280
package included in new iso: http://download.lab.bos.redhat.com/devel/candidates/RHEL-6.2-RHUI-2.0.2-20120222.0/2.0.2/Server/x86_64/iso/RHEL-6.2-RHUI-2.0.2-20120222.0-Server-x86_64-DVD1.iso
No issues related to /var/lib/rpm or rpm with new build, during custom repo creation

------------------------------------------------------------------------------
rhui (repo) => c

Unique ID for the custom repository (alphanumerics, _, and - only): custom5
Display name for the custom repository [custom5]: misc
Path at which the repository will be served [custom5]: /custom_5/x86_64/misc

Algorithm to use when calculating the checksum values for repository metadata:
  1 - sha256
  2 - sha1
Enter value (1-2) or 'b' to abort: 1

Should the repository require an entitlement certificate to access? (y/n) y

Based on the repository's relative path, the suggested entitlement path is:
  /custom_5/$basearch/misc

Path that should be used when granting an entitlement for this repository. This may use yum variable substitutions (e.g. $basearch) to group this together with other repositories that share the entitlement [/custom_5/$basearch/misc]:

The following repository will be created:
  ID: custom5
  Name: misc
  Path: /custom_5/x86_64/misc
  Entitlement: /custom_5/$basearch/misc
Proceed? (y/n) y

Successfully created repository misc

------------------------------------------------------------------------------
rhui (repo) => u

Select the repositories to upload the package into:
  - 1 : misc
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select the repositories to upload the package into:
  x 1 : misc
Enter value (1-1) to toggle selection, 'c' to confirm selections, or '?' for more commands: c

Enter the location of the packages to upload. If the location is an RPM, the file will be uploaded. If the location is a directory, all RPMs in that directory will be uploaded: /tmp/

The following RPMs will be uploaded:
  ec2-api-tools-1.3.53907-3.fc14.noarch.rpm
  exfat-utils-0.9.5-1.fc14.x86_64.rpm
  fuse-exfat-0.9.5-1.fc14.x86_64.rpm
  adobe-release-x86_64-1.0-1.noarch.rpm
Proceed? (y/n) y

Uploading /tmp/ec2-api-tools-1.3.53907-3.fc14.noarch.rpm...
Uploading /tmp/exfat-utils-0.9.5-1.fc14.x86_64.rpm...
Uploading /tmp/fuse-exfat-0.9.5-1.fc14.x86_64.rpm...
Uploading /tmp/adobe-release-x86_64-1.0-1.noarch.rpm...

------------------------------------------------------------------------------
rhui (repo) => home

-= CDS Synchronization Status =-

Last Refreshed: 04:32:18
(updated every 5 seconds, ctrl+c to exit)

CDS1_50_75 .................................................. [ UP ]
CDS2_27_41 .................................................. [ UP ]

            Next Sync         Last Sync         Last Result
------------------------------------------------------------------------------
CDS1_50_75  02-24-2012 10:09  02-24-2012 04:22  Success
CDS2_27_41  02-24-2012 07:44  02-24-2012 04:22  Success

Connected: ip-10-98-9-150.ec2.internal
------------------------------------------------------------------------------
^Crhui (sync) => sc

Select one or more CDS instances to schedule to be synchronized before its scheduled time. The sync will happen as soon as possible depending on other tasks that may be executing in the RHUI. Only CDS instances that are not currently synchronizing are displayed.

        Last Result  Next Sync         CDS
------------------------------------------
  - 1 : Success      02-24-2012 10:09  CDS1_50_75
  - 2 : Success      02-24-2012 07:44  CDS2_27_41
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1-2

Select one or more CDS instances to schedule to be synchronized before its scheduled time. The sync will happen as soon as possible depending on other tasks that may be executing in the RHUI. Only CDS instances that are not currently synchronizing are displayed.

        Last Result  Next Sync         CDS
------------------------------------------
  x 1 : Success      02-24-2012 10:09  CDS1_50_75
  x 2 : Success      02-24-2012 07:44  CDS2_27_41
Enter value (1-2) to toggle selection, 'c' to confirm selections, or '?' for more commands: c

The following CDS instances will be scheduled for synchronization:
  CDS1_50_75
  CDS2_27_41
Proceed? (y/n) y

Scheduling sync for CDS1_50_75...
... successfully scheduled for the next available timeslot.
Scheduling sync for CDS2_27_41...
... successfully scheduled for the next available timeslot.

------------------------------------------------------------------------------
rhui (sync) => dc

------------------------------------------------------------------------------
-= Red Hat Update Infrastructure Management Tool =-

-= CDS Synchronization Status =-

Last Refreshed: 04:32:31
(updated every 5 seconds, ctrl+c to exit)

CDS1_50_75 .................................................. [ UP ]
CDS2_27_41 .................................................. [ UP ]

            Next Sync    Last Sync         Last Result
------------------------------------------------------------------------------
CDS1_50_75  In Progress  02-24-2012 04:22  Success
CDS2_27_41  In Progress  02-24-2012 04:22  Success

Connected: ip-10-98-9-150.ec2.internal
------------------------------------------------------------------------------

------------------------------------------------------------------------------
-= Red Hat Update Infrastructure Management Tool =-

-= Client Entitlement Management =-

  e  generate an entitlement certificate
  c  create a client configuration RPM from an entitlement certificate

Connected: ip-10-98-9-150.ec2.internal
------------------------------------------------------------------------------
rhui (client) => e

Select one or more repositories to include in the entitlement certificate:
(an * next to a Red Hat repository indicates it is deployed in the RHUI)

Custom Repositories
  - 1 : /custom_5/$basearch/misc misc

Red Hat Repositories
  - 2 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Debug RPMs) from RHUI
  - 3 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (RPMs) from RHUI
  - 4 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Source RPMs) from RHUI
  - 5 : Red Hat Enterprise Linux 5 Server - Supplementary (Debug RPMs) from RHUI
  - 6 : Red Hat Enterprise Linux 5 Server - Supplementary (RPMs) from RHUI
  - 7 : Red Hat Enterprise Linux 5 Server - Supplementary (Source RPMs) from RHUI
  - 8 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (Debug RPMs) from RHUI
  - 9 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (RPMs) from RHUI
  - 10: Red Hat Enterprise Linux 5 Server - Supplementary Beta (Source RPMs) from RHUI
  - 11: Red Hat Enterprise Linux 5 Server Beta from RHUI (Debug RPMs)
  - 12: Red Hat Enterprise Linux 5 Server Beta from RHUI (RPMs)
  - 13: Red Hat Enterprise Linux 5 Server Beta from RHUI (Source RPMs)
  - 14: Red Hat Enterprise Linux 5 Server from RHUI (Debug RPMs)
  - 15: Red Hat Enterprise Linux 5 Server from RHUI (RPMs)
  - 16: Red Hat Enterprise Linux 5 Server from RHUI (Source RPMs)
  - 17: Red Hat Enterprise Linux 6 Server (Debug RPMs) from RHUI
  - 18: Red Hat Enterprise Linux 6 Server (RPMs) from RHUI *
  - 19: Red Hat Enterprise Linux 6 Server (Source RPMs) from RHUI
  - 20: Red Hat Enterprise Linux 6 Server - Optional (Debug RPMs) from RHUI
  - 21: Red Hat Enterprise Linux 6 Server - Optional (RPMs) from RHUI
  - 22: Red Hat Enterprise Linux 6 Server - Optional (Source RPMs) from RHUI
  - 23: Red Hat Enterprise Linux 6 Server - Optional Beta (Source RPMs) from RHUI
  - 24: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI (RPMs)
  - 25: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI(Debug RPMs)
  - 26: Red Hat Enterprise Linux 6 Server - Supplementary (Debug RPMs) from RHUI
  - 27: Red Hat Enterprise Linux 6 Server - Supplementary (RPMs) from RHUI
  - 28: Red Hat Enterprise Linux 6 Server - Supplementary (Source RPMs) from RHUI
  - 29: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Debug RPMs) from RHUI
  - 30: Red Hat Enterprise Linux 6 Server - Supplementary Beta (RPMs) from RHUI
  - 31: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Source RPMs) from RHUI
  - 32: Red Hat Enterprise Linux 6 Server Beta (Source RPMs) from RHUI
  - 33: Red Hat Enterprise Linux 6 Server Beta from RHUI (Debug RPMs)
  - 34: Red Hat Enterprise Linux 6 Server Beta from RHUI (RPMs)
  - 35: Red Hat Update Infrastructure 1.2 (Debug RPMs)
  - 36: Red Hat Update Infrastructure 1.2 (RPMs)
  - 37: Red Hat Update Infrastructure 1.2 (Source RPMs)
  - 38: Red Hat Update Infrastructure 2.0 (Debug RPMs)
  - 39: Red Hat Update Infrastructure 2.0 (RPMs) *
  - 40: Red Hat Update Infrastructure 2.0 (Source RPMs)
Enter value (1-40) to toggle selection, 'c' to confirm selections, or '?' for more commands: 1

Select one or more repositories to include in the entitlement certificate:
(an * next to a Red Hat repository indicates it is deployed in the RHUI)

Custom Repositories
  x 1 : /custom_5/$basearch/misc misc

Red Hat Repositories
  - 2 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Debug RPMs) from RHUI
  - 3 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (RPMs) from RHUI
  - 4 : Red Hat Enterprise Linux 5 Server - Optional Productivity Applications (Source RPMs) from RHUI
  - 5 : Red Hat Enterprise Linux 5 Server - Supplementary (Debug RPMs) from RHUI
  - 6 : Red Hat Enterprise Linux 5 Server - Supplementary (RPMs) from RHUI
  - 7 : Red Hat Enterprise Linux 5 Server - Supplementary (Source RPMs) from RHUI
  - 8 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (Debug RPMs) from RHUI
  - 9 : Red Hat Enterprise Linux 5 Server - Supplementary Beta (RPMs) from RHUI
  - 10: Red Hat Enterprise Linux 5 Server - Supplementary Beta (Source RPMs) from RHUI
  - 11: Red Hat Enterprise Linux 5 Server Beta from RHUI (Debug RPMs)
  - 12: Red Hat Enterprise Linux 5 Server Beta from RHUI (RPMs)
  - 13: Red Hat Enterprise Linux 5 Server Beta from RHUI (Source RPMs)
  - 14: Red Hat Enterprise Linux 5 Server from RHUI (Debug RPMs)
  - 15: Red Hat Enterprise Linux 5 Server from RHUI (RPMs)
  - 16: Red Hat Enterprise Linux 5 Server from RHUI (Source RPMs)
  - 17: Red Hat Enterprise Linux 6 Server (Debug RPMs) from RHUI
  - 18: Red Hat Enterprise Linux 6 Server (RPMs) from RHUI *
  - 19: Red Hat Enterprise Linux 6 Server (Source RPMs) from RHUI
  - 20: Red Hat Enterprise Linux 6 Server - Optional (Debug RPMs) from RHUI
  - 21: Red Hat Enterprise Linux 6 Server - Optional (RPMs) from RHUI
  - 22: Red Hat Enterprise Linux 6 Server - Optional (Source RPMs) from RHUI
  - 23: Red Hat Enterprise Linux 6 Server - Optional Beta (Source RPMs) from RHUI
  - 24: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI (RPMs)
  - 25: Red Hat Enterprise Linux 6 Server - Optional Beta from RHUI(Debug RPMs)
  - 26: Red Hat Enterprise Linux 6 Server - Supplementary (Debug RPMs) from RHUI
  - 27: Red Hat Enterprise Linux 6 Server - Supplementary (RPMs) from RHUI
  - 28: Red Hat Enterprise Linux 6 Server - Supplementary (Source RPMs) from RHUI
  - 29: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Debug RPMs) from RHUI
  - 30: Red Hat Enterprise Linux 6 Server - Supplementary Beta (RPMs) from RHUI
  - 31: Red Hat Enterprise Linux 6 Server - Supplementary Beta (Source RPMs) from RHUI
  - 32: Red Hat Enterprise Linux 6 Server Beta (Source RPMs) from RHUI
  - 33: Red Hat Enterprise Linux 6 Server Beta from RHUI (Debug RPMs)
  - 34: Red Hat Enterprise Linux 6 Server Beta from RHUI (RPMs)
  - 35: Red Hat Update Infrastructure 1.2 (Debug RPMs)
  - 36: Red Hat Update Infrastructure 1.2 (RPMs)
  - 37: Red Hat Update Infrastructure 1.2 (Source RPMs)
  - 38: Red Hat Update Infrastructure 2.0 (Debug RPMs)
  - 39: Red Hat Update Infrastructure 2.0 (RPMs) *
  - 40: Red Hat Update Infrastructure 2.0 (Source RPMs)
Enter value (1-40) to toggle selection, 'c' to confirm selections, or '?' for more commands: c

Name of the certificate. This will be used as the name of the certificate file (name.crt) and its associated private key (name.key). Choose something that will help identify the products contained with it: rh-rhui-custom

Local directory in which to save the generated certificate [current directory]: /root/

Number of days the certificate should be valid [365]: 365

Repositories to be included in the entitlement certificate:

Custom Entitlements
  /custom_5/$basearch/misc

Proceed? (y/n) y
......+++
........................+++
Entitlement certificate created at /root/rh-rhui-custom.crt

------------------------------------------------------------------------------
rhui (client) => c

Full path to local directory in which the client configuration files generated by this tool should be stored (if this directory does not exist, it will be created): /root

Name of the RPM: rh-rhui-custom

Version of the configuration RPM [2.0]: 2.4

Full path to the entitlement certificate authorizing the client to access specific channels: /root/rh-rhui-custom.crt

Full path to the private key for the above entitlement certificate: /root/rh-rhui-custom.key

Full path to the CA certificate or CA chain used to sign the CDS SSL certificate: /root/gen_certs/ca1.crt

Select the CDS instance that should be the primary load balancer for the client. All other CDS instances will be listed as back up load balancers in the client's mirror list:
  1 - ip-10-12-50-75.ec2.internal
  2 - ip-10-12-27-41.ec2.internal
Enter value (1-2) or 'b' to abort: 1

Load Balancer Order:
  ip-10-12-50-75.ec2.internal
  ip-10-12-27-41.ec2.internal

Successfully created client configuration RPM.
RPMs can be found at /root

------------------------------------------------------------------------------

[root@ip-10-98-9-150 noarch]# rpm -ivh rh-rhui-custom-2.4-1.el6.noarch.rpm
Preparing... ########################################### [100%]
1:rh-rhui-custom ########################################### [100%]
[root@ip-10-98-9-150 ~]# yumdownloader adobe-release-x86_64-1.0-1.noarch
Loaded plugins: pulp-profile-update, rhui-lb
adobe-release-x86_64-1.0-1.noarch.rpm | 4.2 kB 00:00
[root@ip-10-98-9-150 ~]# ls
adobe-release-x86_64-1.0-1.noarch.rpm
root@ip-10-98-9-150 ~]# cd /var/log/audit
[root@ip-10-98-9-150 audit]# ls
audit.log
[root@ip-10-98-9-150 audit]# grep AVC *
[root@ip-10-98-9-150 audit]#
Released in RHUI 2.0.2