[Pulp-list] SELinux errors on upgrade
Briand, Sheldon
Sheldon.Briand at nrc-cnrc.gc.ca
Fri May 14 20:22:23 UTC 2021
Hi Mike,
Thanks for the info.
I think that did solve a few problems. I notice that pulpcore-api seems stable now (it was caught in an auto-restart cycle before).
However I’m still seeing a few SELinux problems:
/var/log/messages:
SELinux is preventing /usr/libexec/platform-python3.6 from read access on the lnk_file /var/lib/pulp/assets/admin/css/autocomplete.css
SELinux is preventing /usr/libexec/platform-python3.6 from name_connect access on the tcp_socket port 5432
SELinux is preventing /usr/libexec/platform-python3.6 from create access on the file /var/run/pulpcore-worker-1/
Thanks,
-Sheldon
From: Mike DePaulo [mailto:mikedep333 at redhat.com]
Sent: May 14, 2021 4:14 PM
To: Briand, Sheldon <Sheldon.Briand at nrc-cnrc.gc.ca>
Cc: pulp-list at redhat.com
Subject: Re: [Pulp-list] SELinux errors on upgrade
Hi Sheldon,
Sorry to hear you ran into this,
I suspect it's this bug, which I intend to fix soon:
https://pulp.plan.io/issues/8620
To try to recover manually:
1. Run this for each file under the directory:
sudo semodule -i /usr/local/share/selinux/targeted/<filename>
2. Run:
sudo /sbin/fixfiles restore /usr/local/lib/pulp /etc/pulp /var/lib/pulp/ /var/run/pulpcore
These assume default directory paths.
-Mike
On Fri, May 14, 2021 at 1:46 PM Briand, Sheldon <Sheldon.Briand at nrc-cnrc.gc.ca> wrote:
Hi,
I recently tried to update my pulp3 install. It was installed using the ansible installer. I believe the original install was working because the ansible installer ran without any errors.
I never got much of a chance to try it out though. When I revisited pulp3 I saw there was an update. I may not have run the update properly the first time.
Now when I run the installer it gets stuck checking the health of the pulp3 services and then fails.
Note that my system is running SELinux in enforcing mode.
I’ve looked at the logs and I’m seeing lots of permission denied messages. Checking the SELinux logs shows:
type=AVC msg=audit(1621012482.823:159368): avc: denied { create } for pid=107534 comm="rq" name="reserved-resource-worker-1.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012483.052:159369): avc: denied { create } for pid=107542 comm="rq" name="reserved-resource-worker-2.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012486.569:159424): avc: denied { name_connect } for pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1621012488.581:159430): avc: denied { name_connect } for pid=107611 comm="gunicorn" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1621012489.177:159435): avc: denied { create } for pid=107595 comm="rq" name="resource-manager.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012490.511:159443): avc: denied { read } for pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file permissive=0
Not sure if this is something I did or if these logs might help debug anything.
Thanks,
-Sheldon
--
Mike DePaulo
He / Him / His
Service Reliability Engineer, Pulp
Red Hat<https://www.redhat.com/>
IM: mikedep333
GPG: 51745404