
Bug #13781

Updated by Chris Duryee about 8 years ago

The ISS feature requires katello to read from /var/lib/pulp/published in order to copy data published there into an export directory. However, this is currently blocked by selinux. For example: 

 <pre> 
 type=AVC msg=audit(1455752876.592:1874): avc:    denied    { read } for    pid=16021 comm="diagnostic_con*" name="listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file 
 type=AVC msg=audit(1455752876.592:1874): avc:    denied    { open } for    pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file 
 type=AVC msg=audit(1455752876.592:1875): avc:    denied    { ioctl } for    pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Satellite_Tools_6_1_for_RHEL_7_Server_RPMs_x86_64/1455752874.93/listing" dev="vda3" in 
 </pre> 

 ls -Z output: 
 <pre> 
 # ls -Z /var/lib/pulp/published/yum/master/ 
 drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 group_export_distributor 
 drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 yum_distributor 
 </pre> 

 audit2allow suggests the following: 

 <pre> 
 #============= passenger_t ============== 
 allow passenger_t httpd_sys_rw_content_t:dir { read search open getattr }; 
 allow passenger_t httpd_sys_rw_content_t:file { read getattr open ioctl }; 
 </pre> 

 To reproduce, simply export a repository via "hammer repository export --id 1"
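An added example, not part of this ticket and not Katello, Foreman or Pulp code: a small POSIX sh/awk script that does what audit2allow did for this report, collapsing raw AVC records into allow rules keyed by source type, target type and object class, with duplicate permissions removed. The three file records are the ones quoted above (trimmed); the dir record is constructed here to match the dir rule audit2allow produced, since the ticket does not quote the dir denials themselves.

```shell
#!/bin/sh
# Added example (not from the ticket): derive audit2allow-style rules from AVC records.

# Sample input: the file denials from the ticket plus one constructed dir denial.
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1455752876.590:1873): avc:  denied  { search } for  pid=16021 comm="diagnostic_con*" name="master" dev="vda3" ino=1448800 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir
type=AVC msg=audit(1455752876.592:1874): avc:  denied  { read } for  pid=16021 comm="diagnostic_con*" name="listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1874): avc:  denied  { open } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=AVC msg=audit(1455752876.592:1875): avc:  denied  { ioctl } for  pid=16021 comm="diagnostic_con*" path="/var/lib/pulp/published/yum/master/group_export_distributor/listing" dev="vda3" ino=1448845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
EOF
}

# Read AVC records on stdin, print one "allow SRC TGT:CLASS { perms };" per
# (source type, target type, class) triple, in order of first appearance.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # the denied permissions sit inside the first { ... } on the line
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level; the third field is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
    }
    END {
        for (k = 1; k <= count; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rule[keys[k]]
        }
    }'
}

# Demo: feed the sample records through the converter.
sample_avc | avc_to_allow
```

On a real host the same records come from `ausearch -m AVC` or `/var/log/audit/audit.log`, and `audit2allow -M katello_export` turns them into a module you load with `semodule -i`. The rule that results, whether from this script or audit2allow, is the minimum that silences these specific denials, but it grants passenger_t read on every httpd_sys_rw_content_t file, not just the export tree under /var/lib/pulp/published; decide whether that boundary is the one you want before shipping it in policy.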
