+++ This bug was initially created as a clone of Bug #800505 +++

+++ This bug was initially created as a clone of Bug #795602 +++

Description of problem:
When going through the process of adding an new custom repository, I get to the point where I add a name and URL for the repo (https://SE/katello/providers#panel=provider_2) and I get the following errors:

Pulp::Repository: 403 Forbidden
Forbidden

You don't have permission to access /pulp/api/repositories/ on this server.
Apache/2.2.15 (Red Hat) Server at system-engine0.example.com Port 443
(PUT /pulp/api/repositories/)

/var/log/audit/audit.log shows:
type=AVC msg=audit(1329788642.373:91942): avc:  denied  { getattr } for  pid=2952 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-1 ino=280841 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

sealert -l says that I should either change the context on the file or create a new policy package that allows the access above.  The former suggestion is probably the best in this case, but I'm not sure if it should be httpd_sys_script_t or something else.


Version-Release number of selected component (if applicable):
katello-all-0.1.238-4.el6.noarch
katello-selinux-0.1.5-2.el6.noarch

--- Additional comment from jmatthew on 2012-02-24 10:47:38 EST ---

Please confirm that the pulp selinux policy is loaded.
Example:
 sudo semodule -l | grep pulp
 pulp-server	0.x.x

Please confirm the pulp-selinux rpm is installed:
Example: 
  # rpm -qa | grep pulp-selinux
  pulp-selinux-server-1.0.0-2.el6.noarch

If the above are OK, try running:
restorecon -R /srv/pulp

Then look at the contexts, they should match below:
# ls -larthZ /srv/pulp/
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root   root   system_u:object_r:var_t:s0

--- Additional comment from ftaylor on 2012-02-24 14:53:31 EST ---

The pulp SELinux policy is not loaded.

The RPM package is installed:
$ rpm -q pulp-selinux-server
pulp-selinux-server-0.0.265-1.el6.noarch

The context on the files in /srv/pulp/ is var_t.


I also installed using the 2012-02-22.1 code, and I get the same result.

Ah, there may be an issue installing the package.  I have setup a repo and I am installing katello-all in the %packages section of my kickstart.  I see these errors in /root/install.log:

Installing pulp-selinux-server-0.0.267-2.el6.noarch
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Cannot set persistent booleans without managed policy.
Could not change policy booleans
/var/tmp/rpm-tmp.6dFUtS: line 9: /usr/sbin/semanage: No such file or directory
/var/tmp/rpm-tmp.6dFUtS: line 10: /usr/sbin/semanage: No such file or directory
warning: %post(pulp-selinux-server-0.0.267-2.el6.noarch) scriptlet failed, exit status 127

Installing katello-selinux-0.1.7-1.el6.noarch
No such file or directory
Cannot set persistent booleans without managed policy.
Could not change policy booleans
warning: %post(katello-selinux-0.1.7-1.el6.noarch) scriptlet failed, exit status 255

--- Additional comment from jmatthew on 2012-02-24 15:12:04 EST ---

Would you try installing:  "policycoreutils-python" retrying?

It looks like we are missing a requires on rpm for pulp-selinux-server.

I am not sure this is the only issue, I am troubled why you are not seeing a selinux module for pulp-server reported from semodule -l | grep pulp


Let's try:
1) install policycoreutils-python on the system prior to pulp
2) reinstall pulp RPMs including pulp-selinux-server
3) look for errors
4) past what: semodule -l | grep pulp says
5) please paste: getenforce
6) please paste: ls -larthZ /srv/pulp

--- Additional comment from ftaylor on 2012-02-24 17:30:34 EST ---

I just tried a fresh install, but this time I did nothing in kickstart.  I installed katello-all and ran katello-configure after the machine was installed.  policycoreutils-python was already added in kickstart.
The pulp-server SELinux module installs just fine post installation.

So it looks like the issue is that the SELinux policy is not available to load modules, change booleans, etc. during kickstart.  I changed the title of this bug to better match the issue.

We may need to get Dan Walsh to provide guidance in installing modules, changing booleans and the like during kickstart (in RPM %post of pulp-selinux-server and katello-selinux).

The postinstall scriptlet of pulp-selinux-server runs:
/usr/share/pulp/selinux/server/enable.sh, which runs:
  /usr/sbin/semodule -s ${selinuxvariant} -i \
            ${INSTALL_DIR}/selinux/${selinuxvariant}/${NAME}.pp
  (where selinuxvariant="mls strict targeted", INSTALL_DIR=/usr/share and NAME=pulp-server)

  /usr/sbin/setsebool -P httpd_can_network_connect 1
  /usr/sbin/setsebool -P httpd_tmp_exec 1


The postinstall scriptlet of katello-selinux runs:
/usr/sbin/katello-selinux-enable, which runs the same for loop as above (using katello.pp instead of pulp-server.pp).  It also runs:
  /sbin/restorecon -rvvi /var/lib/katello /var/log/katello
  /usr/sbin/setsebool -P httpd_can_network_connect 1

--- Additional comment from jmatthew on 2012-03-06 10:47:28 EST ---

Need to be sure this in Pulp V1 branch

--- Additional comment from jmatthew on 2012-03-06 11:13:49 EST ---

This commit:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=24160a6a72d45972540dceb422334b7226d5f691

Has been cherrypicked to v1 branch
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=427b934c445b8a3992aff3567a0244ebcd64f999

--- Additional comment from jortel on 2012-03-08 11:13:27 EST ---

build: 0.272