Bug 801752 - Errors installing katello-selinux and pulp-selinux-server in kickstart.
Errors installing katello-selinux and pulp-selinux-server in kickstart.
Status: CLOSED UPSTREAM
Product: Katello
Classification: Community
Component: SELinux (Show other bugs)
2.0
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Lukas Zapletal
Katello QA List
: Triaged
Depends On: 795602
Blocks: 800505 813911
  Show dependency treegraph
 
Reported: 2012-03-09 07:13 EST by Lukas Zapletal
Modified: 2012-07-17 09:09 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 795602
Environment:
Last Closed: 2012-07-17 09:09:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lukas Zapletal 2012-03-09 07:13:58 EST
+++ This bug was initially created as a clone of Bug #795602 +++

Description of problem:
When going through the process of adding an new custom repository, I get to the point where I add a name and URL for the repo (https://SE/katello/providers#panel=provider_2) and I get the following errors:

Pulp::Repository: 403 Forbidden
Forbidden

You don't have permission to access /pulp/api/repositories/ on this server.
Apache/2.2.15 (Red Hat) Server at system-engine0.example.com Port 443
(PUT /pulp/api/repositories/)

/var/log/audit/audit.log shows:
type=AVC msg=audit(1329788642.373:91942): avc:  denied  { getattr } for  pid=2952 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-1 ino=280841 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

sealert -l says that I should either change the context on the file or create a new policy package that allows the access above.  The former suggestion is probably the best in this case, but I'm not sure if it should be httpd_sys_script_t or something else.


Version-Release number of selected component (if applicable):
katello-all-0.1.238-4.el6.noarch
katello-selinux-0.1.5-2.el6.noarch

--- Additional comment from jmatthew@redhat.com on 2012-02-24 16:47:38 CET ---

Please confirm that the pulp selinux policy is loaded.
Example:
 sudo semodule -l | grep pulp
 pulp-server	0.x.x

Please confirm the pulp-selinux rpm is installed:
Example: 
  # rpm -qa | grep pulp-selinux
  pulp-selinux-server-1.0.0-2.el6.noarch

If the above are OK, try running:
restorecon -R /srv/pulp

Then look at the contexts, they should match below:
# ls -larthZ /srv/pulp/
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root   root   system_u:object_r:var_t:s0

--- Additional comment from ftaylor@redhat.com on 2012-02-24 20:53:31 CET ---

The pulp SELinux policy is not loaded.

The RPM package is installed:
$ rpm -q pulp-selinux-server
pulp-selinux-server-0.0.265-1.el6.noarch

The context on the files in /srv/pulp/ is var_t.


I also installed using the 2012-02-22.1 code, and I get the same result.

Ah, there may be an issue installing the package.  I have setup a repo and I am installing katello-all in the %packages section of my kickstart.  I see these errors in /root/install.log:

Installing pulp-selinux-server-0.0.267-2.el6.noarch
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Cannot set persistent booleans without managed policy.
Could not change policy booleans
/var/tmp/rpm-tmp.6dFUtS: line 9: /usr/sbin/semanage: No such file or directory
/var/tmp/rpm-tmp.6dFUtS: line 10: /usr/sbin/semanage: No such file or directory
warning: %post(pulp-selinux-server-0.0.267-2.el6.noarch) scriptlet failed, exit status 127

Installing katello-selinux-0.1.7-1.el6.noarch
No such file or directory
Cannot set persistent booleans without managed policy.
Could not change policy booleans
warning: %post(katello-selinux-0.1.7-1.el6.noarch) scriptlet failed, exit status 255

--- Additional comment from jmatthew@redhat.com on 2012-02-24 21:12:04 CET ---

Would you try installing:  "policycoreutils-python" retrying?

It looks like we are missing a requires on rpm for pulp-selinux-server.

I am not sure this is the only issue, I am troubled why you are not seeing a selinux module for pulp-server reported from semodule -l | grep pulp


Let's try:
1) install policycoreutils-python on the system prior to pulp
2) reinstall pulp RPMs including pulp-selinux-server
3) look for errors
4) past what: semodule -l | grep pulp says
5) please paste: getenforce
6) please paste: ls -larthZ /srv/pulp

--- Additional comment from ftaylor@redhat.com on 2012-02-24 23:30:34 CET ---

I just tried a fresh install, but this time I did nothing in kickstart.  I installed katello-all and ran katello-configure after the machine was installed.  policycoreutils-python was already added in kickstart.
The pulp-server SELinux module installs just fine post installation.

So it looks like the issue is that the SELinux policy is not available to load modules, change booleans, etc. during kickstart.  I changed the title of this bug to better match the issue.

We may need to get Dan Walsh to provide guidance in installing modules, changing booleans and the like during kickstart (in RPM %post of pulp-selinux-server and katello-selinux).

The postinstall scriptlet of pulp-selinux-server runs:
/usr/share/pulp/selinux/server/enable.sh, which runs:
  /usr/sbin/semodule -s ${selinuxvariant} -i \
            ${INSTALL_DIR}/selinux/${selinuxvariant}/${NAME}.pp
  (where selinuxvariant="mls strict targeted", INSTALL_DIR=/usr/share and NAME=pulp-server)

  /usr/sbin/setsebool -P httpd_can_network_connect 1
  /usr/sbin/setsebool -P httpd_tmp_exec 1


The postinstall scriptlet of katello-selinux runs:
/usr/sbin/katello-selinux-enable, which runs the same for loop as above (using katello.pp instead of pulp-server.pp).  It also runs:
  /sbin/restorecon -rvvi /var/lib/katello /var/log/katello
  /usr/sbin/setsebool -P httpd_can_network_connect 1

--- Additional comment from lzap@redhat.com on 2012-03-06 17:07:08 CET ---

Are you able to reproduce (in the kickstart) and attach full kickstart log? Because I guess it must be the missing policy problem. Clone of:

https://bugzilla.redhat.com/show_bug.cgi?id=800029

--- Additional comment from ftaylor@redhat.com on 2012-03-06 18:53:40 CET ---

It is partially an issue of not having policycoreutils-python installed (at least for pulp-selinux-server), but there are other issues as well.  I am attaching the installation log.  Note that on line 821, pulp-selinux-server fails to run post scripts because semanage is not available.  Line 861 installs policycoreutils-python, and line 911 fails on installing katello-selinux.  The semanage command is available there, but it cannot manipulate the policy because it is running the kickstart SELinux policy, not the targeted policy (selinux-policy-targeted gets installed on line 1078).

--- Additional comment from ftaylor@redhat.com on 2012-03-06 18:54:15 CET ---

Created attachment 568022 [details]
Installation log from kickstart showing errors installing packages

--- Additional comment from ftaylor@redhat.com on 2012-03-06 19:32:25 CET ---

katello-selinux runs the /usr/sbin/katello-selinux-enable script:

#!/bin/bash

# Install SELinux policy modules
for selinuxvariant in mls strict targeted
do
  /usr/sbin/semodule -s ${selinuxvariant} -l > /dev/null 2>&1 \
    && /usr/sbin/semodule -s ${selinuxvariant} -i \
    /usr/share/selinux/${selinuxvariant}/katello.pp || :
done

# allow qpidd to use port 5674
/usr/sbin/semanage port -a -t amqp_port_t -p tcp 5674

/sbin/restorecon -rvvi /var/lib/katello /var/log/katello

# bz 790507 - httpd needs to work as proxy for Katello
/usr/sbin/setsebool -P httpd_can_network_connect 1


BTW, RHEL6 no longer includes the strict policy (it has been integrated with mls), and RHEL6 includes the new minimal policy.  We should change the for loop above accordingly.

--- Additional comment from dwalsh@redhat.com on 2012-03-06 20:51:18 CET ---

You need to make sure selinux-policy-targeted is installed before your package if you are going to install a policy module or execute semanage type commands.

Requires(post): policycoreutils-python 
Requires(post): selinux-policy-targeted

Also you should do your boolean changing within a transaction to cut compile time.

/usr/sbin/setsebool -P httpd_can_network_connect=1 httpd_tmp_exec=1

or better yet.

semanage -S $selinuxvariant -i - << _EOF
module -a /usr/share/selinux/${selinuxvariant}/katello.pp 
boolean -m --on httpd_can_network_connect
boolean -m --on httpd_tmp_exec
port -a -t amqp_port_t -p tcp 5674
_EOF

Is 5674 a standard amqp port?

--- Additional comment from lzap@redhat.com on 2012-03-08 18:13:02 CET ---

Puttting blocker request, we need to install from a kickstart.
Comment 1 Lukas Zapletal 2012-03-12 05:48:13 EDT
Pushing my fix upstream:

43df220 801752 - Errors installing katello-selinux
Comment 2 Bryan Kearney 2012-07-17 09:09:27 EDT
Moving all community bugs with fixes to closed.

Note You need to log in before you can comment on or make changes to this bug.