[Pulp-list] SELinux errors on upgrade
Mike DePaulo
mikedep333 at redhat.com
Fri May 14 19:13:37 UTC 2021
Hi Sheldon,
Sorry to hear you ran into this.
I suspect it's this bug, which I intend to fix soon:
https://pulp.plan.io/issues/8620
To try to recover manually:
1. Run this for each file under the directory:
sudo semodule -i /usr/local/share/selinux/targeted/<filename>
2. Run:
sudo /sbin/fixfiles restore /usr/local/lib/pulp /etc/pulp /var/lib/pulp/ /var/run/pulpcore
These assume default directory paths.
-Mike
On Fri, May 14, 2021 at 1:46 PM Briand, Sheldon <
Sheldon.Briand at nrc-cnrc.gc.ca> wrote:
> Hi,
>
> I recently tried to update my pulp3 install. It was installed using the
> ansible installer. I believe the original install was working because the
> ansible installer ran without any errors.
>
> I never got much of a chance to try it out though. When I revisited pulp3 I
> saw there was an update. I may not have run the update properly the first
> time.
>
> Now when I run the installer it gets stuck checking the health of the
> pulp3 services and then fails.
>
> Note that my system is running SELinux in enforcing mode.
>
> I’ve looked at the logs and I’m seeing lots of permission denied
> messages. Checking the SELinux logs shows:
>
> type=AVC msg=audit(1621012482.823:159368): avc: denied { create } for
> pid=107534 comm="rq" name="reserved-resource-worker-1.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012483.052:159369): avc: denied { create } for
> pid=107542 comm="rq" name="reserved-resource-worker-2.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012486.569:159424): avc: denied { name_connect }
> for pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> permissive=0
>
> type=AVC msg=audit(1621012488.581:159430): avc: denied { name_connect }
> for pid=107611 comm="gunicorn" dest=5432
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> permissive=0
>
> type=AVC msg=audit(1621012489.177:159435): avc: denied { create } for
> pid=107595 comm="rq" name="resource-manager.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012490.511:159443): avc: denied { read } for
> pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file
> permissive=0
>
> Not sure if this is something I did or if these logs might help debug
> anything.
>
> Thanks,
>
> -Sheldon
--
Mike DePaulo
He / Him / His
Service Reliability Engineer, Pulp
Red Hat <https://www.redhat.com/>
IM: mikedep333
GPG: 51745404