Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 843030

Summary: SELinux denial with Pulp 1.1.11
Product: [Retired] Pulp
Reporter: Lukas Zapletal <lzap>
Component: z_other
Assignee: Lukas Zapletal <lzap>
Status: CLOSED NOTABUG
QA Contact: Preethi Thomas <pthomas>
Severity: unspecified
Priority: unspecified
Version: 1.1.0
CC: jason.dobies, jmatthew, msuchy, skarmark
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-07-26 08:32:27 UTC
Type: Bug

Description Lukas Zapletal 2012-07-25 11:26:38 UTC
Description of problem:

Installed Pulp on Fedora 16, called katello-configure and got AVC denial.


Version-Release number of selected component (if applicable):
pulp-1.1.11-1.fc16.noarch.rpm      

Steps to Reproduce:
1. install pulp from this repo - http://fedorapeople.org/groups/katello/releases/yum/katello-pulp/Fedora/16/x86_64/
2. pulp-admin auth login --username admin --password xxx
3. check SELinux log
  
Actual results:
type=AVC msg=audit(1343215256.380:1884): avc:  denied  { getattr } for  pid=11414 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-0 ino=1450672 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

Expected results:
Working pulp

Comment 1 Lukas Zapletal 2012-07-25 15:11:01 UTC
And I see this during RPM installation:

libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/pulp-server.pp. (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

Adding John to CCs

Comment 2 John Matthews 2012-07-25 16:49:14 UTC
# yum install pulp-selinux-server
Loaded plugins: langpacks, product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pulp-selinux-server.noarch 0:1.1.11-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================
 Package                                   Arch                         Version                             Repository                  Size
=============================================================================================================================================
Installing:
 pulp-selinux-server                       noarch                       1.1.11-1.fc16                       pulp                        46 k

Transaction Summary
=============================================================================================================================================
Install       1 Package

Total download size: 46 k
Installed size: 65 k
Is this ok [y/N]: y
Downloading Packages:
pulp-selinux-server-1.1.11-1.fc16.noarch.rpm                                                                          |  46 kB     00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pulp-1.1.11-1.fc16.noarch has missing requires of pulp-selinux-server = ('0', '1.1.11', '1.fc16')
  Installing : pulp-selinux-server-1.1.11-1.fc16.noarch                                                                                  1/1 
libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/pulp-server.pp. (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
Installed products updated.

Installed:
  pulp-selinux-server.noarch 0:1.1.11-1.fc16                                                                                                 

Complete!

Comment 3 John Matthews 2012-07-25 16:53:39 UTC
Comment #2 was from the configured pulp repo

Now I am attempting an install from a locally built rpm of pulp-selinux-server


# yum install ./pulp-selinux-server-1.1.11-1.fc16.noarch.rpm 
Loaded plugins: langpacks, product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Setting up Install Process
Examining ./pulp-selinux-server-1.1.11-1.fc16.noarch.rpm: pulp-selinux-server-1.1.11-1.fc16.noarch
Marking ./pulp-selinux-server-1.1.11-1.fc16.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pulp-selinux-server.noarch 0:1.1.11-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================
 Package                             Arch                   Version                         Repository                                                 Size
============================================================================================================================================================
Installing:
 pulp-selinux-server                 noarch                 1.1.11-1.fc16                   /pulp-selinux-server-1.1.11-1.fc16.noarch                  65 k

Transaction Summary
============================================================================================================================================================
Install       1 Package

Total size: 65 k
Installed size: 65 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pulp-1.1.11-1.fc16.noarch has missing requires of pulp-selinux-server = ('0', '1.1.11', '1.fc16')
  Installing : pulp-selinux-server-1.1.11-1.fc16.noarch                                                                                                 1/1 
Installed products updated.

Installed:
  pulp-selinux-server.noarch 0:1.1.11-1.fc16                                                                                                                

Complete!
[root@aa noarch]# semodule -l | grep pulp
pulp-server	1.1.11.1	
[root@aa noarch]# ls -larthZ /srv/pulp/
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       .

Comment 4 John Matthews 2012-07-25 16:58:45 UTC
I checked the pulp.repo on the system reporting this problem, the pulp.repo is pointing to a custom repo hosted on an internal machine.

I fetched the pulp-selinux-server from the custom repo and attempted an install below, note same failure.


# yum install koji/pulp-selinux-server-1.1.11-1.fc16.noarch.rpm 
Loaded plugins: langpacks, product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Setting up Install Process
Examining koji/pulp-selinux-server-1.1.11-1.fc16.noarch.rpm: pulp-selinux-server-1.1.11-1.fc16.noarch
Marking koji/pulp-selinux-server-1.1.11-1.fc16.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pulp-selinux-server.noarch 0:1.1.11-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================
 Package                             Arch                   Version                         Repository                                                 Size
============================================================================================================================================================
Installing:
 pulp-selinux-server                 noarch                 1.1.11-1.fc16                   /pulp-selinux-server-1.1.11-1.fc16.noarch                  65 k

Transaction Summary
============================================================================================================================================================
Install       1 Package

Total size: 65 k
Installed size: 65 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pulp-1.1.11-1.fc16.noarch has missing requires of pulp-selinux-server = ('0', '1.1.11', '1.fc16')
  Installing : pulp-selinux-server-1.1.11-1.fc16.noarch                                                                                                 1/1 
libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/pulp-server.pp. (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
Installed products updated.

Installed:
  pulp-selinux-server.noarch 0:1.1.11-1.fc16                                                                                                                

Complete!

Comment 5 John Matthews 2012-07-25 17:03:02 UTC
The pulp-selinux-server RPM in the custom koji-katello repo is bad.

I have verified that a locally built pulp-selinux-server RPM installs correctly, as well as the pulp-selinux-server RPM available from the default pulp repo: 
http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/

I suspect this might be a problem with the setup of the builder that produced the koji-katello repo for f16.

Comment 6 Jay Dobies 2012-07-25 18:11:57 UTC
Sending back to Katello to verify their build setup.

Comment 8 Lukas Zapletal 2012-07-26 08:32:27 UTC
Okay, Fedora 16 updates did help; it was a clean installation without any updates. Maybe you would like to put this in the V1 release notes. Thanks for the help! Closing.
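
Added example (not part of the original bug thread or of Pulp's code): a Python triage helper that parses the AVC record from the description and the libsepol error from comments 1, 2 and 4, then compares the denied file's type with the httpd_sys_content_t label that comment 3 shows after a working install. The function names are this example's own, and the two sample lines are copied from the report.

```python
import re

# Log lines copied from the bug report above.
AVC = ('type=AVC msg=audit(1343215256.380:1884): avc:  denied  { getattr } for  '
       'pid=11414 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-0 '
       'ino=1450672 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:var_t:s0 tclass=file')
SEPOL = ('libsepol.policydb_read: policydb module version 14 does not match '
         'my version range 4-13 (No such file or directory).')

def parse_avc(line):
    """Return the fields of an AVC denial record, or None if it is not one."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    rec = {'perms': m.group(1).split()}
    # key=value pairs; values are either double-quoted or bare tokens
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        rec[key] = quoted or bare
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':', 3)  # user:role:type:level
        if len(parts) >= 3:
            rec[side[0] + 'type'] = parts[2]     # stored as stype / ttype
    return rec

def parse_module_mismatch(line):
    """Return (module_version, host_min, host_max) from a libsepol error."""
    m = re.search(r'policydb module version (\d+) does not match '
                  r'my version range (\d+)-(\d+)', line)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(avc_line, install_log, expected_ttype):
    """List findings: a wrongly labeled target and any unloadable module."""
    findings = []
    avc = parse_avc(avc_line)
    if avc and avc.get('ttype') != expected_ttype:
        findings.append('%s is labeled %s, expected %s'
                        % (avc.get('path'), avc.get('ttype'), expected_ttype))
    for line in install_log:
        ver = parse_module_mismatch(line)
        if ver and not ver[1] <= ver[0] <= ver[2]:
            findings.append('module format %d is outside host range %d-%d' % ver)
    return findings

if __name__ == '__main__':
    # Expected type taken from the ls -Z output in comment 3.
    for finding in triage(AVC, [SEPOL], 'httpd_sys_content_t'):
        print(finding)
```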