Bug #13781

selinux permissions prevent katello from reading pulp published dirs

Added by Chris Duryee almost 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Inter Server Sync
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

The ISS feature requires katello to read from /var/lib/pulp/published in order to copy data published there into an export directory. However, this is currently blocked by selinux. For example:

type=AVC msg=audit(1455752876.592:1874): avc:  denied  { read } for  pid=16021 comm="diagnostic_con*" name="listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1874): avc:  denied  { open } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1875): avc:  denied  { ioctl } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" in

ls -Z output:

# ls -Z /var/lib/pulp/published/yum/master/
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 group_export_distributor
drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 yum_distributor

audit2allow suggests the following:

#============= passenger_t ==============
allow passenger_t httpd_sys_rw_content_t:dir { read search open getattr };
allow passenger_t httpd_sys_rw_content_t:file { read getattr open ioctl };

To reproduce, simply export a repository via "hammer repository export --id 1"
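As an added example (not part of the bug report or of the katello-selinux project), the following Python script shows how the two allow rules above are derived from raw AVC records: it parses each denial into source type, target type, object class and permission set, merges the permissions per key, and prints them in the form audit2allow uses. The sample input is the three AVC records quoted above (the third is truncated exactly as on the page and is skipped rather than mis-parsed) plus one constructed directory-search denial, assumed here so that the dir rule also appears. Because only read/open survive for the file class in this input, the file rule it prints is narrower than the one audit2allow produced from the full log; that is the point of the aggregation: a generated rule describes only what was actually observed, so review it against the denials before loading it.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug report
# (the third is truncated on the page and kept that way), plus one assumed
# directory-search denial in the same style so that both object classes appear.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1455752876.592:1874): avc:  denied  { read } for  pid=16021 comm="diagnostic_con*" name="listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1874): avc:  denied  { open } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1875): avc:  denied  { ioctl } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" in
type=AVC msg=audit(1455752876.590:1873): avc:  denied  { read search open getattr } for  pid=16021 comm="diagnostic_con*" name="master" dev="vda3" ino=1448800 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
"""

# Matches the permission set and the three fields an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into (source type, target type, class, perms).

    Returns None for lines that are not denials or that are cut off before the
    tclass field, as the third record in the report is.
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        frozenset(m.group("perms").split()),
    )


def aggregate_denials(audit_text):
    """Union the denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        needed[(stype, ttype, tclass)].update(perms)
    return dict(needed)


def rules_for_source(needed, source_type):
    """Restrict the aggregate to one source domain (e.g. passenger_t) so a
    reviewer sees everything that domain was denied before granting anything."""
    return {k: v for k, v in needed.items() if k[0] == source_type}


def render_allow_rules(needed):
    """Render the aggregate as allow rules in audit2allow's layout, one rule per
    (source, target, class) key; permissions are sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        rules.append(
            "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))
        )
    return rules


if __name__ == "__main__":
    agg = aggregate_denials(SAMPLE_AUDIT)
    for rule in render_allow_rules(rules_for_source(agg, "passenger_t")):
        print(rule)
```

On a live host the equivalent input comes from the audit log (for example `ausearch -m AVC -ts recent`), and the real tool to produce a loadable module is still audit2allow; this script only makes the derivation visible. Note that the target type here, httpd_sys_rw_content_t, is the web server's writable content type, so the fix in the merged policy grants passenger_t read-only access to it rather than retagging /var/lib/pulp/published.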

Associated revisions

Revision 2b2711be (diff)
Added by Chris Duryee almost 4 years ago

Fixes #13781 - update to allow reading of /var/lib/pulp

Katello needs to read from /var/lib/pulp to perform exports

Revision f3376b0d
Added by Justin Sherrill almost 4 years ago

Merge pull request #9 from beav/export

Fixes #13781 - update to allow reading of /var/lib/pulp

Revision c4795282 (diff)
Added by Chris Duryee almost 4 years ago

Fixes #13781 - update to fix el6

This change allows the policy to be compiled on both EL6 and EL7.

Revision 63cce469
Added by Justin Sherrill almost 4 years ago

Merge pull request #10 from beav/fix-el6

Fixes #13781 - update to fix el6

History

#1 Updated by Chris Duryee almost 4 years ago

  • Description updated (diff)

#2 Updated by Eric Helms almost 4 years ago

  • Legacy Backlogs Release (now unused) set to 86
  • Pull request https://github.com/Katello/katello-selinux/pull/9 added

#3 Updated by Chris Duryee almost 4 years ago

  • Status changed from Assigned to Closed

PR is merged, marking as closed.

#4 Updated by Chris Duryee almost 4 years ago

  • Bugzilla link set to 1312640
