[Pulp-list] SELinux errors on upgrade

Mike DePaulo mikedep333 at redhat.com
Fri May 14 19:13:37 UTC 2021


Hi Sheldon,

Sorry to hear you ran into this.

I suspect it's this bug, which I intend to fix soon:
https://pulp.plan.io/issues/8620

To try to recover manually:

1. Run this for each file under the directory:
sudo semodule -i /usr/local/share/selinux/targeted/<filename>

2. Run:
sudo /sbin/fixfiles restore /usr/local/lib/pulp /etc/pulp /var/lib/pulp/ /var/run/pulpcore

These assume default directory paths.

-Mike

On Fri, May 14, 2021 at 1:46 PM Briand, Sheldon <
Sheldon.Briand at nrc-cnrc.gc.ca> wrote:

> Hi,
>
>
>
> I recently tried to update my pulp3 install.  It was installed using the
> ansible installer.  I believe the original install was working because the
> ansible installer ran without any errors.
>
>
>
> I never got much of a chance to try it out though.  When I revisited pulp3 I
> saw there was an update.  I may not have run the update properly the first
> time.
>
>
>
> Now when I run the installer it gets stuck checking the health of the
> pulp3 services and then fails.
>
>
>
> Note that my system is running SELinux in enforcing mode.
>
>
>
> I’ve looked at the logs and I’m seeing lots of permission denied
> messages.  Checking the SELinux logs shows:
>
>
>
> type=AVC msg=audit(1621012482.823:159368): avc:  denied  { create } for
> pid=107534 comm="rq" name="reserved-resource-worker-1.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012483.052:159369): avc:  denied  { create } for
> pid=107542 comm="rq" name="reserved-resource-worker-2.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012486.569:159424): avc:  denied  { name_connect }
> for  pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> permissive=0
>
> type=AVC msg=audit(1621012488.581:159430): avc:  denied  { name_connect }
> for  pid=107611 comm="gunicorn" dest=5432
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> permissive=0
>
> type=AVC msg=audit(1621012489.177:159435): avc:  denied  { create } for
> pid=107595 comm="rq" name="resource-manager.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012490.511:159443): avc:  denied  { read } for
> pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file
> permissive=0
>
>
>
> Not sure if this is something I did or if these logs might help debug
> anything.
>
>
>
> Thanks,
>
> -Sheldon



-- 

Mike DePaulo

He / Him / His

Service Reliability Engineer, Pulp

Red Hat <https://www.redhat.com/>

IM: mikedep333

GPG: 51745404