Plugins » Katello

The ISS feature requires katello to read from /var/lib/pulp/published in order to copy data published there into an export directory. However, his is currently blocked by selinux. For example:

type=AVC msg=audit(1455752876.592:1874): avc:  denied  { read } for  pid=16021 comm="diagnostic_con*" name="listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1874): avc:  denied  { open } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1875): avc:  denied  { ioctl } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" in

ls -Z output:

# ls -Z /var/lib/pulp/published/yum/master/
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 group_export_distributor
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 yum_distributor

audit2allow suggests the following:

#============= passenger_t ==============
allow passenger_t httpd_sys_rw_content_t:dir { read search open getattr };
allow passenger_t httpd_sys_rw_content_t:file { read getattr open ioctl };

To reproduce, simply export a repository via "hammer repository export --id 1"