Bug 843030 - SELinux denial with Pulp 1.1.11
SELinux denial with Pulp 1.1.11
Status: CLOSED NOTABUG
Product: Pulp
Classification: Community
Component: z_other (Show other bugs)
1.1.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Zapletal
Preethi Thomas
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-25 07:26 EDT by Lukas Zapletal
Modified: 2012-07-26 04:32 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-26 04:32:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Lukas Zapletal 2012-07-25 07:26:38 EDT
Description of problem:

Installed Pulp on Fedora 16, called katello-configure and got AVC denial.


Version-Release number of selected component (if applicable):
pulp-1.1.11-1.fc16.noarch.rpm      

Steps to Reproduce:
1. install pulp from this repo - http://fedorapeople.org/groups/katello/releases/yum/katello-pulp/Fedora/16/x86_64/
2. pulp-admin auth login --username admin --password xxx
3. check SELinux log
  
Actual results:
type=AVC msg=audit(1343215256.380:1884): avc:  denied  { getattr } for  pid=11414 comm="httpd" path="/srv/pulp/webservices.wsgi" dev=dm-0 ino=1450672 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

Expected results:
Working pulp
Comment 1 Lukas Zapletal 2012-07-25 11:11:01 EDT
And I see this during RPM installation:

libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/pulp-server.pp. (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction

Adding John to CCs
Comment 2 John Matthews 2012-07-25 12:49:14 EDT
# yum install pulp-selinux-server
Loaded plugins: langpacks, product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pulp-selinux-server.noarch 0:1.1.11-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================
 Package                                   Arch                         Version                             Repository                  Size
=============================================================================================================================================
Installing:
 pulp-selinux-server                       noarch                       1.1.11-1.fc16                       pulp                        46 k

Transaction Summary
=============================================================================================================================================
Install       1 Package

Total download size: 46 k
Installed size: 65 k
Is this ok [y/N]: y
Downloading Packages:
pulp-selinux-server-1.1.11-1.fc16.noarch.rpm                                                                          |  46 kB     00:00     
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pulp-1.1.11-1.fc16.noarch has missing requires of pulp-selinux-server = ('0', '1.1.11', '1.fc16')
  Installing : pulp-selinux-server-1.1.11-1.fc16.noarch                                                                                  1/1 
libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/pulp-server.pp. (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
Installed products updated.

Installed:
  pulp-selinux-server.noarch 0:1.1.11-1.fc16                                                                                                 

Complete!
Comment 3 John Matthews 2012-07-25 12:53:39 EDT
Comment #2 was from the configured pulp repo

Now I am attempting an install from a locally built rpm of pulp-selinux-server


# yum install ./pulp-selinux-server-1.1.11-1.fc16.noarch.rpm 
Loaded plugins: langpacks, product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Setting up Install Process
Examining ./pulp-selinux-server-1.1.11-1.fc16.noarch.rpm: pulp-selinux-server-1.1.11-1.fc16.noarch
Marking ./pulp-selinux-server-1.1.11-1.fc16.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pulp-selinux-server.noarch 0:1.1.11-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================
 Package                             Arch                   Version                         Repository                                                 Size
============================================================================================================================================================
Installing:
 pulp-selinux-server                 noarch                 1.1.11-1.fc16                   /pulp-selinux-server-1.1.11-1.fc16.noarch                  65 k

Transaction Summary
============================================================================================================================================================
Install       1 Package

Total size: 65 k
Installed size: 65 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pulp-1.1.11-1.fc16.noarch has missing requires of pulp-selinux-server = ('0', '1.1.11', '1.fc16')
  Installing : pulp-selinux-server-1.1.11-1.fc16.noarch                                                                                                 1/1 
Installed products updated.

Installed:
  pulp-selinux-server.noarch 0:1.1.11-1.fc16                                                                                                                

Complete!
[root@aa noarch]# semodule -l | grep pulp
pulp-server	1.1.11.1	
[root@aa noarch]# ls -larthZ /srv/pulp/
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 webservices.wsgi
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 repo_auth.wsgi
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       .
Comment 4 John Matthews 2012-07-25 12:58:45 EDT
I checked the pulp.repo on the system reporting this problem, the pulp.repo is pointing to a custom repo hosted on an internal machine.

I fetched the pulp-selinux-server from the custom repo and attempted an install below, note same failure.


# yum install koji/pulp-selinux-server-1.1.11-1.fc16.noarch.rpm 
Loaded plugins: langpacks, product-id, refresh-packagekit, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity

This machine has not been registered and therefore has
no access to security and other critical updates. Please
register using subscription-manager.

Setting up Install Process
Examining koji/pulp-selinux-server-1.1.11-1.fc16.noarch.rpm: pulp-selinux-server-1.1.11-1.fc16.noarch
Marking koji/pulp-selinux-server-1.1.11-1.fc16.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package pulp-selinux-server.noarch 0:1.1.11-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================================
 Package                             Arch                   Version                         Repository                                                 Size
============================================================================================================================================================
Installing:
 pulp-selinux-server                 noarch                 1.1.11-1.fc16                   /pulp-selinux-server-1.1.11-1.fc16.noarch                  65 k

Transaction Summary
============================================================================================================================================================
Install       1 Package

Total size: 65 k
Installed size: 65 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pulp-1.1.11-1.fc16.noarch has missing requires of pulp-selinux-server = ('0', '1.1.11', '1.fc16')
  Installing : pulp-selinux-server-1.1.11-1.fc16.noarch                                                                                                 1/1 
libsepol.policydb_read: policydb module version 14 does not match my version range 4-13 (No such file or directory).
libsepol.sepol_module_package_read: invalid module in module package (at section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/targeted/modules/tmp/modules/pulp-server.pp. (No such file or directory).
/usr/sbin/semanage: Could not commit semanage transaction
Installed products updated.

Installed:
  pulp-selinux-server.noarch 0:1.1.11-1.fc16                                                                                                                

Complete!
Comment 5 John Matthews 2012-07-25 13:03:02 EDT
The pulp-selinux-server RPM in the custom koji-katello repo is bad.

I have verified that a locally built pulp-selinux-server RPM installs correctly, as well as the pulp-selinux-server RPM available from the default pulp repo: 
http://repos.fedorapeople.org/repos/pulp/pulp/v1/stable/

I suspect this might be a problem with the setup of the builder that produced the koji-katello repo for f16.
Comment 6 Jay Dobies 2012-07-25 14:11:57 EDT
Sending back to Katello to verify their build setup.
Comment 8 Lukas Zapletal 2012-07-26 04:32:27 EDT
Okay, Fedora16 updates did help, it was a clean installation without any updates. Maybe you would like to put this to the V1 release notes. Thanks for help! Closing.

Note You need to log in before you can comment on or make changes to this bug.