+++ This bug was initially created as a clone of Bug #800505 +++
+++ This bug was initially created as a clone of Bug #795602 +++

Description of problem:
When going through the process of adding a new custom repository, I get to the point where I add a name and URL for the repo (https://SE/katello/providers#panel=provider_2) and I get the following errors:

Pulp::Repository: 403 Forbidden
Forbidden
You don't have permission to access /pulp/api/repositories/ on this server.
Apache/2.2.15 (Red Hat) Server at system-engine0.example.com Port 443
(PUT /pulp/api/repositories/)

/var/log/audit/audit.log shows:
type=AVC msg=audit(1329788642.373:91942): avc: denied { getattr } for pid=2952 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-1 ino=280841 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

sealert -l says that I should either change the context on the file or create a new policy package that allows the access above. The former suggestion is probably the best in this case, but I'm not sure if it should be httpd_sys_script_t or something else.

Version-Release number of selected component (if applicable):
katello-all-0.1.238-4.el6.noarch
katello-selinux-0.1.5-2.el6.noarch

--- Additional comment from jmatthew on 2012-02-24 10:47:38 EST ---

Please confirm that the pulp selinux policy is loaded.
Example:
sudo semodule -l | grep pulp
pulp-server 0.x.x

Please confirm the pulp-selinux rpm is installed:
Example:
# rpm -qa | grep pulp-selinux
pulp-selinux-server-1.0.0-2.el6.noarch

If the above are OK, try running:
restorecon -R /srv/pulp

Then look at the contexts; they should match below:
# ls -larthZ /srv/pulp/
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root root system_u:object_r:var_t:s0 .

--- Additional comment from ftaylor on 2012-02-24 14:53:31 EST ---

The pulp SELinux policy is not loaded. The RPM package is installed:
$ rpm -q pulp-selinux-server
pulp-selinux-server-0.0.265-1.el6.noarch

The context on the files in /srv/pulp/ is var_t.

I also installed using the 2012-02-22.1 code, and I get the same result.

Ah, there may be an issue installing the package. I have set up a repo and I am installing katello-all in the %packages section of my kickstart. I see these errors in /root/install.log:

Installing pulp-selinux-server-0.0.267-2.el6.noarch
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Cannot set persistent booleans without managed policy.
Could not change policy booleans
/var/tmp/rpm-tmp.6dFUtS: line 9: /usr/sbin/semanage: No such file or directory
/var/tmp/rpm-tmp.6dFUtS: line 10: /usr/sbin/semanage: No such file or directory
warning: %post(pulp-selinux-server-0.0.267-2.el6.noarch) scriptlet failed, exit status 127
Installing katello-selinux-0.1.7-1.el6.noarch
No such file or directory
Cannot set persistent booleans without managed policy.
Could not change policy booleans
warning: %post(katello-selinux-0.1.7-1.el6.noarch) scriptlet failed, exit status 255

--- Additional comment from jmatthew on 2012-02-24 15:12:04 EST ---

Would you try installing "policycoreutils-python" and retrying? It looks like we are missing a Requires on the rpm for pulp-selinux-server.

I am not sure this is the only issue; I am troubled why you are not seeing a selinux module for pulp-server reported from:
semodule -l | grep pulp

Let's try:
1) install policycoreutils-python on the system prior to pulp
2) reinstall pulp RPMs including pulp-selinux-server
3) look for errors
4) paste what: semodule -l | grep pulp says
5) please paste: getenforce
6) please paste: ls -larthZ /srv/pulp

--- Additional comment from ftaylor on 2012-02-24 17:30:34 EST ---

I just tried a fresh install, but this time I did nothing in kickstart. I installed katello-all and ran katello-configure after the machine was installed. policycoreutils-python was already added in kickstart. The pulp-server SELinux module installs just fine post installation.

So it looks like the issue is that the SELinux policy is not available to load modules, change booleans, etc. during kickstart. I changed the title of this bug to better match the issue. We may need to get Dan Walsh to provide guidance in installing modules, changing booleans and the like during kickstart (in RPM %post of pulp-selinux-server and katello-selinux).

The postinstall scriptlet of pulp-selinux-server runs:
/usr/share/pulp/selinux/server/enable.sh, which runs:
/usr/sbin/semodule -s ${selinuxvariant} -i \
  ${INSTALL_DIR}/selinux/${selinuxvariant}/${NAME}.pp
(where selinuxvariant="mls strict targeted", INSTALL_DIR=/usr/share and NAME=pulp-server)
/usr/sbin/setsebool -P httpd_can_network_connect 1
/usr/sbin/setsebool -P httpd_tmp_exec 1

The postinstall scriptlet of katello-selinux runs:
/usr/sbin/katello-selinux-enable, which runs the same for loop as above (using katello.pp instead of pulp-server.pp).

It also runs:
/sbin/restorecon -rvvi /var/lib/katello /var/log/katello
/usr/sbin/setsebool -P httpd_can_network_connect 1

--- Additional comment from jmatthew on 2012-03-06 10:47:28 EST ---

Need to be sure this is in the Pulp V1 branch.

--- Additional comment from jmatthew on 2012-03-06 11:13:49 EST ---

This commit:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=24160a6a72d45972540dceb422334b7226d5f691

has been cherry-picked to the v1 branch:
http://git.fedorahosted.org/git/?p=pulp.git;a=commitdiff;h=427b934c445b8a3992aff3567a0244ebcd64f999

--- Additional comment from jortel on 2012-03-08 11:13:27 EST ---

build: 0.272
Cloned for v2; moving to ON_QA as per the comment.
[root@preethi-el6-pulp ~]# rpm -q pulp
pulp-0.0.283-1.el6.noarch
[root@preethi-el6-pulp ~]# rpm -q pulp-selinux-server
pulp-selinux-server-0.0.283-1.el6.noarch
[root@preethi-el6-pulp ~]# semodule -l | grep pulp
pulp-server 0.0.283.1
[root@preethi-el6-pulp ~]# getenforce
Enforcing
[root@preethi-el6-pulp ~]# ls -larthZ /srv/pulp
drwxr-xr-x. root root system_u:object_r:var_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root root system_u:object_r:var_t:s0 .
[root@preethi-el6-pulp ~]#
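The verification steps jmatthew asks for (module loaded, /srv/pulp contexts) and the relabel-versus-new-policy question from the original description, as an added example that is not part of this bug report or of Pulp: POSIX shell functions that run the checks over captured command output, so they work offline on pasted text. The sample strings are constructed from the listings and the AVC line in this thread.

```shell
#!/bin/sh
# Added example, not from the bug report: offline checks for the symptoms and
# verification steps discussed in the thread. Each function takes captured
# command or log output as a string so it can run on constructed samples.

# Return 0 when a "semodule -l" listing names the module (e.g. pulp-server).
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { f = 1 } END { exit (f ? 0 : 1) }'
}

# Print each .wsgi entry in an "ls -lZ" listing whose SELinux type is not
# httpd_sys_content_t; return 1 if any such entry exists (var_t was the
# label behind the 403 in the report).
wsgi_mislabelled() {
    printf '%s\n' "$1" | awk '
        $NF ~ /\.wsgi$/ {
            c[3] = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) split($i, c, ":")
            if (c[3] != "httpd_sys_content_t") { print $NF " " c[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# From an AVC line, print "restorecon <path>" when httpd was denied access to
# a var_t file: that is the mislabelling case (fix the label), not a policy gap.
avc_relabel_hint() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ && /comm="httpd"/ && /tcontext=[a-z_]+:object_r:var_t:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^path=/) { p = substr($i, 6); gsub(/"/, "", p) }
            if (p != "") print "restorecon " p
        }'
}

# Constructed samples modelled on the listings and the AVC line in the report.
MODULES='pulp-server 0.0.283.1'
LS_BAD='-rw-r--r--. apache apache system_u:object_r:var_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi'
AVC='type=AVC msg=audit(1329788642.373:91942): avc: denied { getattr } for pid=2952 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-1 ino=280841 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

if module_loaded "$MODULES" pulp-server; then echo "pulp-server policy loaded"; fi
wsgi_mislabelled "$LS_BAD" || echo "fix with: restorecon -R /srv/pulp"
avc_relabel_hint "$AVC"
```

Feed the functions real output with e.g. `wsgi_mislabelled "$(ls -lZ /srv/pulp)"`; a non-zero return from `wsgi_mislabelled` is the condition under which a new policy module would be the wrong fix.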
Pulp v1.1 Release