Actions
Bug #13781
closed
selinux permissions prevent katello from reading pulp published dirs
Status:
Closed
Priority:
Normal
Assignee:
Category:
Inter Server Sync
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Description
The ISS feature requires katello to read from /var/lib/pulp/published in order to copy data published there into an export directory. However, his is currently blocked by selinux. For example:
type=AVC msg=audit(1455752876.592:1874): avc: denied { read } for pid=16021 comm="diagnostic_con*" name="listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1874): avc: denied { open } for pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1875): avc: denied { ioctl } for pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" in
ls -Z output:
# ls -Z /var/lib/pulp/published/yum/master/ drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 group_export_distributor drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 yum_distributor
audit2allow suggests the following:
#============= passenger_t ==============
allow passenger_t httpd_sys_rw_content_t:dir { read search open getattr };
allow passenger_t httpd_sys_rw_content_t:file { read getattr open ioctl };
To reproduce, simply export a repository via "hammer repository export --id 1"
Updated by 
Updated by
Actions