[Pulp-list] SELinux errors on upgrade

Briand, Sheldon Sheldon.Briand at nrc-cnrc.gc.ca
Fri May 14 20:22:23 UTC 2021


Hi Mike,

Thanks for the info.

I think that did solve a few problems.  I notice that pulpcore-api seems stable now (it was caught in an auto-restart cycle before).

However, I’m still seeing a few SELinux problems:
/var/log/messages:

SELinux is preventing /usr/libexec/platform-python3.6 from read access on the lnk_file /var/lib/pulp/assets/admin/css/autocomplete.css

SELinux is preventing /usr/libexec/platform-python3.6 from name_connect access on the tcp_socket port 5432

SELinux is preventing /usr/libexec/platform-python3.6 from create access on the file /var/run/pulpcore-worker-1/

Thanks,
-Sheldon

From: Mike DePaulo [mailto:mikedep333 at redhat.com]
Sent: May 14, 2021 4:14 PM
To: Briand, Sheldon <Sheldon.Briand at nrc-cnrc.gc.ca>
Cc: pulp-list at redhat.com
Subject: Re: [Pulp-list] SELinux errors on upgrade


Hi Sheldon,

Sorry to hear you ran into this.

I suspect it's this bug, which I intend to fix soon:
https://pulp.plan.io/issues/8620

To try to recover manually:

1. Run this for each file under the directory:
sudo semodule -i /usr/local/share/selinux/targeted/<filename>

2. Run:
sudo /sbin/fixfiles restore /usr/local/lib/pulp /etc/pulp /var/lib/pulp/ /var/run/pulpcore

These assume default directory paths.

-Mike

On Fri, May 14, 2021 at 1:46 PM Briand, Sheldon <Sheldon.Briand at nrc-cnrc.gc.ca> wrote:
Hi,

I recently tried to update my pulp3 install.  It was installed using the ansible installer.  I believe the original install was working because the ansible installer ran without any errors.

I never got much of a chance to try it out though.  When I revisited pulp3 I saw there was an update.  I may not have run the update properly the first time.

Now when I run the installer it gets stuck checking the health of the pulp3 services and then fails.

Note that my system is running SELinux in enforcing mode.

I’ve looked at the logs and I’m seeing lots of permission denied messages.  Checking the SELinux logs shows:

type=AVC msg=audit(1621012482.823:159368): avc:  denied  { create } for  pid=107534 comm="rq" name="reserved-resource-worker-1.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012483.052:159369): avc:  denied  { create } for  pid=107542 comm="rq" name="reserved-resource-worker-2.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012486.569:159424): avc:  denied  { name_connect } for  pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1621012488.581:159430): avc:  denied  { name_connect } for  pid=107611 comm="gunicorn" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1621012489.177:159435): avc:  denied  { create } for  pid=107595 comm="rq" name="resource-manager.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012490.511:159443): avc:  denied  { read } for  pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file permissive=0

Not sure if this is something I did or if these logs might help debug anything.

Thanks,
-Sheldon


--

Mike DePaulo

He / Him / His

Service Reliability Engineer, Pulp

Red Hat <https://www.redhat.com/>

IM: mikedep333

GPG: 51745404