Hi Sheldon,

See in-line comments.

On Fri, May 14, 2021 at 4:22 PM Briand, Sheldon <
sheldon.bri...@nrc-cnrc.gc.ca> wrote:

> Hi Mike,
>
>
>
> Thanks for the info.
>
>
>
> I think that did solve a few problems.  I notice that pulpcore-api seems
> stable now (it was caught in an auto-restart cycle before).
>
>
>
> However I’m still seeing a few SELinux problems:
>
> /var/log/messages:
>
>
>
> SELinux is preventing /usr/libexec/platform-python3.6 from read access on
> the lnk_file /var/lib/pulp/assets/admin/css/autocomplete.css
>

Hmm, that seems to be part of our current SELinux policy:
https://github.com/pulp/pulpcore-selinux/blob/1.2.4/pulpcore.fc#L18

I will try to reproduce after I fix #8620


>
>
> SELinux is preventing /usr/libexec/platform-python3.6 from name_connect
> access on the tcp_socket port 5432
>

That should be part of our policy also:
https://github.com/pulp/pulpcore-selinux/blob/1.2.4/pulpcore.te#L115
I will try to reproduce after I fix #8620


>
>
> SELinux is preventing /usr/libexec/platform-python3.6 from create access
> on the file /var/run/pulpcore-worker-1/
>
I think this is a bug of omission in our policy,
https://github.com/pulp/pulpcore-selinux/blob/master/pulpcore.fc#L25

I'll look into it as I fix #8620 also.

-Mike


>
> Thanks,
>
> -Sheldon
>
>
>
> *From:* Mike DePaulo [mailto:mikedep...@redhat.com]
> *Sent:* May 14, 2021 4:14 PM
> *To:* Briand, Sheldon <sheldon.bri...@nrc-cnrc.gc.ca>
> *Cc:* pulp-list@redhat.com
> *Subject:* Re: [Pulp-list] SELinux errors on upgrade
>
>
>
>
> Hi Sheldon,
>
>
>
> Sorry to hear you ran into this,
>
>
>
> I suspect it's this bug, which I intend to fix soon:
>
> https://pulp.plan.io/issues/8620
>
>
>
> To try to recover manually:
>
>
>
> 1. Run this for each file under the directory:
>
> sudo semodule -i /usr/local/share/selinux/targeted/<filename>
>
>
>
> 2. Run:
>
> sudo /sbin/fixfiles restore /usr/local/lib/pulp /etc/pulp /var/lib/pulp/
> /var/run/pulpcore
>
>
>
> These assume default directory paths.
>
>
>
> -Mike
>
>
>
> On Fri, May 14, 2021 at 1:46 PM Briand, Sheldon <
> sheldon.bri...@nrc-cnrc.gc.ca> wrote:
>
> Hi,
>
>
>
> I recently tried to update my pulp3 install.  It was installed using the
> ansible installer.  I believe the original install was working because the
> ansible installer ran without any errors.
>
>
>
> I never got much of a chance to try it out though.  When I revisited pulp3 I
> saw there was an update.  I may not have run the update properly the first
> time.
>
>
>
> Now when I run the installer it gets stuck checking the health of the
> pulp3 services and then fails.
>
>
>
> Note that my system is running SELinux in enforcing mode.
>
>
>
> I’ve looked at the logs and I’m seeing lots of permission denied
> messages.  Checking the SELinux logs shows:
>
>
>
> type=AVC msg=audit(1621012482.823:159368): avc:  denied  { create } for
> pid=107534 comm="rq" name="reserved-resource-worker-1.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012483.052:159369): avc:  denied  { create } for
> pid=107542 comm="rq" name="reserved-resource-worker-2.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012486.569:159424): avc:  denied  { name_connect }
> for  pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> permissive=0
>
> type=AVC msg=audit(1621012488.581:159430): avc:  denied  { name_connect }
> for  pid=107611 comm="gunicorn" dest=5432
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
> permissive=0
>
> type=AVC msg=audit(1621012489.177:159435): avc:  denied  { create } for
> pid=107595 comm="rq" name="resource-manager.pid"
> scontext=system_u:system_r:init_t:s0
> tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
>
> type=AVC msg=audit(1621012490.511:159443): avc:  denied  { read } for
> pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file
> permissive=0
>
>
>
> Not sure if this is something I did or if these logs might help debug
> anything.
>
>
>
> Thanks,
>
> -Sheldon
>
> _______________________________________________
> Pulp-list mailing list
> Pulp-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pulp-list
>
>
>
> --
>
> *Mike DePaulo*
>
> He / Him / His
>
> Service Reliability Engineer, Pulp
>
> Red Hat <https://www.redhat.com/>
>
> IM: mikedep333
>
> GPG: 51745404
>
>
>
>


-- 

Mike DePaulo

He / Him / His

Service Reliability Engineer, Pulp

Red Hat <https://www.redhat.com/>

IM: mikedep333

GPG: 51745404
_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pulp-list
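Added triage example (not code from the thread, from Pulp, or from pulpcore-selinux): it parses audit.log AVC records like the ones Sheldon quoted and separates denials where the process never entered the confined domain (scontext is init_t, the situation the semodule/fixfiles recovery above addresses) from denials raised inside the expected domain, which point at a missing allow rule like the /var/run/pulpcore-worker-1 omission Mike mentions. The expected domain name pulpcore_t is an assumption.

```python
"""Triage SELinux AVC denials such as those quoted in the Pulp upgrade thread."""
import re

# Constructed sample: three of the AVC lines quoted in the thread, re-joined
# onto single lines the way audit.log actually records them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1621012482.823:159368): avc:  denied  { create } for  pid=107534 comm="rq" name="reserved-resource-worker-1.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1621012486.569:159424): avc:  denied  { name_connect } for  pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1621012490.511:159443): avc:  denied  { read } for  pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; policy rules key on the type.
    fields["sdomain"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def classify(avc, expected_domain="pulpcore_t"):
    """'not_in_domain': the service runs as init_t (or another domain), so the
    policy module is not loaded or the executable is not labelled and no
    transition happened.  'missing_allow_rule': confined, but the policy
    lacks a rule for this access.  expected_domain is an assumed name."""
    if avc["sdomain"] != expected_domain:
        return "not_in_domain"
    return "missing_allow_rule"


def triage(audit_text, expected_domain="pulpcore_t"):
    """Parse every AVC line in audit_text into a list of findings."""
    findings = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        findings.append({
            "verdict": classify(avc, expected_domain), "comm": avc["comm"],
            "sdomain": avc["sdomain"], "perm": " ".join(avc["perms"]),
            "tclass": avc["tclass"], "target": avc["ttype"],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"{f['verdict']:<19} {f['comm']:<9} {f['sdomain']:<8} "
              f"{f['perm']} {f['tclass']} -> {f['target']}")
```

All three sample denials classify as not_in_domain, which is why relabelling and reloading the module is the first step rather than writing new allow rules.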
