SELinux issues while running `hammer repository export`

Problem: SELinux denials are stopping `hammer repository export` from completing successfully. Specifically, there seems to be an issue with foreman_rails_t and celery_t.

Expected outcome: SELinux allows export

Foreman and Proxy versions: 2.1.0

Foreman and Proxy plugin versions:
foreman-tasks 2.0.2
katello 3.16.0.rc4
foreman-selinux.noarch 2.1.0-1.el7

Distribution and version: RHEL 7.8

Other relevant data:

Originally I ran:

mkdir "/repos/$(date +%Y-%m-%d)_228_sync"
chown foreman:foreman "/repos/$(date +%Y-%m-%d)_228_sync"
chmod ug=rwX "/repos/$(date +%Y-%m-%d)_228_sync"
chmod o=rX "/repos/$(date +%Y-%m-%d)_228_sync"
hammer settings set --name pulp_export_destination --value "/repos/$(date +%Y-%m-%d)_228_sync"
hammer repository export --iso-mb-size 22000 --id 228 --export-to-iso 1

Which led me to my first SELinux denial:

sealert -l fc296ef6-228b-4eb9-a76a-8b97134cd49f

Output:

SELinux is preventing diagnostic_con* from write access on the directory 2020-07-23_230_sync.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow diagnostic_con* to have write access on the 2020-07-23_230_sync directory
Then you need to change the label on 2020-07-23_230_sync
Do
# semanage fcontext -a -t FILE_TYPE '2020-07-23_230_sync'
where FILE_TYPE is one of the following: device_t, foreman_lib_t, foreman_var_run_t, init_var_run_t, passenger_tmp_t, syslogd_var_run_t, system_cronjob_tmp_t, tmp_t.
Then execute:
restorecon -v '2020-07-23_230_sync'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that diagnostic_con* should be allowed write access on the 2020-07-23_230_sync directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp


Additional Information:
Source Context                system_u:system_r:foreman_rails_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                2020-07-23_230_sync [ dir ]
Source                        diagnostic_con*
Source Path                   diagnostic_con*
Port                          <Unknown>
Host                          ***REDACTED***
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***REDACTED***
Platform                      Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count                   31
First Seen                    2020-07-22 12:45:59 MDT
Last Seen                     2020-07-23 09:22:15 MDT
Local ID                      fc296ef6-228b-4eb9-a76a-8b97134cd49f

Raw Audit Messages
type=AVC msg=audit(1595517735.766:29647): avc:  denied  { write } for  pid=3756 comm="diagnostic_con*" name="2020-07-23_230_sync" dev="dm-0" ino=1342177960 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1


Hash: diagnostic_con*,foreman_rails_t,default_t,dir,write

So I corrected that based on the sealert recommendation:

semanage fcontext -a -t foreman_var_run_t "/repos/$(date +%Y-%m-%d)_repo228_sync"
restorecon -v "/repos/$(date +%Y-%m-%d)_repo228_sync"

Running again it got a little further but kicked up this:

sealert -l 72c6dc54-ac77-450b-9eec-f4674e9cdcd6

Output:

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from search access on the directory /var/lib/pulp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ruby should be allowed search access on the pulp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp


Additional Information:
Source Context                system_u:system_r:foreman_rails_t:s0
Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects                /var/lib/pulp [ dir ]
Source                        diagnostic_con*
Source Path                   /opt/rh/rh-ruby25/root/usr/bin/ruby
Port                          <Unknown>
Host                          ***REDACTED***
Source RPM Packages           rh-ruby25-ruby-2.5.5-7.el7.x86_64
Target RPM Packages           pulp-server-2.21.2-1.el7.noarch
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***REDACTED***
Platform                      Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count                   3
First Seen                    2020-07-22 13:11:21 MDT
Last Seen                     2020-07-22 15:40:38 MDT
Local ID                      72c6dc54-ac77-450b-9eec-f4674e9cdcd6

Raw Audit Messages
type=AVC msg=audit(1595454038.897:465): avc:  denied  { search } for  pid=1734 comm="diagnostic_con*" name="pulp" dev="dm-4" ino=52028327 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1595454038.897:465): arch=x86_64 syscall=stat success=no exit=EACCES a0=7fb8ec43dad0 a1=7fb8e76a6800 a2=7fb8e76a6800 a3=1 items=1 ppid=1 pid=1734 auid=4294967295 uid=985 gid=978 euid=985 suid=985 fsuid=985 egid=978 sgid=978 fsgid=978 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:foreman_rails_t:s0 key=(null)

type=CWD msg=audit(1595454038.897:465): cwd=/usr/share/foreman

Hash: diagnostic_con*,foreman_rails_t,httpd_sys_rw_content_t,dir,search

I noticed they both used a source of foreman_rails_t so I used the same solution as before:

semanage fcontext -a -t foreman_var_run_t "/var/lib/pulp(/.*)?"
restorecon -R /var/lib/pulp

This, however, causes the next issue, with celery_t expecting this folder to have a context of httpd_sys_rw_content_t:

sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37

Output:

SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed getattr access on the 55acdc96-0af0-4236-a805-c5c36bd3694b file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp


Additional Information:
Source Context                system_u:system_r:celery_t:s0
Target Context                system_u:object_r:foreman_var_run_t:s0
Target Objects                /var/lib/pulp/content/units/yum_repo_metadata_file
                              /72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40
                              601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd36
                              94b [ file ]
Source                        celery
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          ***REDACTED***
Source RPM Packages           python-2.7.5-88.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ***REDACTED***
Platform                      Linux ***REDACTED*** 3.10.0-1127.13.1.el7.x86_64 #1 SMP
                              Fri Jun 12 14:34:17 EDT 2020 x86_64 x86_64
Alert Count                   2032
First Seen                    2020-07-22 14:54:48 MDT
Last Seen                     2020-07-23 09:34:30 MDT
Local ID                      bda67965-d6ee-427c-915f-1c46a3cd9c37

Raw Audit Messages
type=AVC msg=audit(1595518470.773:29810): avc:  denied  { getattr } for  pid=2962 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b" dev="dm-4" ino=1107519792 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1595518470.773:29810): arch=x86_64 syscall=stat success=no exit=EACCES a0=35e30c0 a1=7ffd7f4edf40 a2=7ffd7f4edf40 a3=b items=1 ppid=1823 pid=2962 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=celery exe=/usr/bin/python2.7 subj=system_u:system_r:celery_t:s0 key=(null)

type=CWD msg=audit(1595518470.773:29810): cwd=/run/pulp

type=PATH msg=audit(1595518470.773:29810): item=0 name=/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b inode=1107519792 dev=fd:04 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: celery,celery_t,foreman_var_run_t,file,getattr

I have since undone the changes I made and decided to just turn off SELinux at the beginning of the script and turn it back on at the end.

Of note, I don’t think foreman_rails_t has permission for httpd_sys_rw_content_t:

[root@***REDACTED*** repos]# sesearch -s foreman_rails_t --all | grep 'allow foreman_rails_t ht'
allow foreman_rails_t http_port_t : tcp_socket { name_bind name_connect } ;
allow foreman_rails_t http_cache_port_t : tcp_socket name_connect ;
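An added example, not code from this thread or from the Foreman project, that parses the three AVC records quoted above (copied here as constructed sample input) and summarises them by source domain, target type and class. It makes the side effect visible: relabeling /var/lib/pulp to foreman_var_run_t moved the enforced denial from foreman_rails_t to celery_t rather than removing it, and it renders the rules an audit2allow module would contain so they can be reviewed before anything is loaded.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the report above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1595517735.766:29647): avc:  denied  { write } for  pid=3756 comm="diagnostic_con*" name="2020-07-23_230_sync" dev="dm-0" ino=1342177960 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1595454038.897:465): avc:  denied  { search } for  pid=1734 comm="diagnostic_con*" name="pulp" dev="dm-4" ino=52028327 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1595518470.773:29810): avc:  denied  { getattr } for  pid=2962 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/72/8cf2e42c5d582066c70dba86619555328f55ad4f319f40601651d3f986eb29/55acdc96-0af0-4236-a805-c5c36bd3694b" dev="dm-4" ino=1107519792 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0
"""

# Header of an audit AVC record: timestamp:serial, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="celery") or bare (tclass=dir).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(ctx):
    """Return the type field of a user:role:type:level security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'ts': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        # permissive=1 means the access was logged but actually allowed at the time.
        'permissive': fields.get('permissive') == '1',
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
        'sdomain': type_of(fields.get('scontext', '')),
        'ttype': type_of(fields.get('tcontext', '')),
    }


def parse_audit_log(text):
    """Parse every AVC record in a block of audit.log / ausearch --raw output."""
    records = [parse_avc(line) for line in text.splitlines()]
    return [r for r in records if r is not None]


def denial_matrix(records, include_permissive=False):
    """Map (source domain, target type, class) -> sorted permissions that were denied.

    Records logged with permissive=1 are skipped by default: they did not block
    anything and would only inflate the rule set.
    """
    matrix = defaultdict(set)
    for r in records:
        if r['result'] != 'denied' or (r['permissive'] and not include_permissive):
            continue
        matrix[(r['sdomain'], r['ttype'], r['tclass'])].update(r['perms'])
    return {key: sorted(perms) for key, perms in matrix.items()}


def relabel_side_effect(records, old_type, new_type):
    """Domains denied on old_type (the reason for relabeling) versus domains denied
    on new_type afterwards. A non-empty second set means the relabel moved the
    denial onto another domain that also uses those files."""
    before = {r['sdomain'] for r in records if r['ttype'] == old_type and not r['permissive']}
    after = {r['sdomain'] for r in records if r['ttype'] == new_type and not r['permissive']}
    return before, after


def render_allow_rules(matrix):
    """Render the denial matrix as allow rules, equivalent in form to what
    audit2allow would put in a local module, so they can be reviewed first."""
    return [
        'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(perms))
        for (src, tgt, cls), perms in sorted(matrix.items())
    ]


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AVCS)
    for rule in render_allow_rules(denial_matrix(recs)):
        print(rule)
    print(relabel_side_effect(recs, 'httpd_sys_rw_content_t', 'foreman_var_run_t'))
```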

Thank you for reporting this. We failed to update the katello-selinux package in this RC to the correct version. Once we get it there I’ll update this thread and the release announcement. That should resolve your issues.


Okay, sounds great!

katello-selinux-3.3.1 is now available in the 3.16 repos (technically it’s provided by the foreman repo…)

yum upgrade katello-selinux
foreman-maintain service restart

Let us know if that fixes the problem (or not)!

@Jonathon_Turel it doesn’t look like it worked for me. It seems like it’s an issue with celery_t and foreman_var_run_t. Please see relevant information below and let me know if you need any other logs or anything.

/var/log/messages output:

Jul 30 11:20:14 **REDACTED** setroubleshoot: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid. For complete SELinux messages run: sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37

Jul 30 11:20:14 **REDACTED** python: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed getattr access on the productid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'celery' --raw | audit2allow -M my-celery#012# semodule -i my-celery.pp#012

Jul 30 11:20:17 **REDACTED** setroubleshoot: failed to retrieve rpm info for /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid

Jul 30 11:20:17 **REDACTED** setroubleshoot: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid. For complete SELinux messages run: sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37

Jul 30 11:20:17 **REDACTED** python: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed getattr access on the productid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'celery' --raw | audit2allow -M my-celery#012# semodule -i my-celery.pp#012

sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37:

[root@**REDACTED** repos]# sealert -l bda67965-d6ee-427c-915f-1c46a3cd9c37
SELinux is preventing /usr/bin/python2.7 from getattr access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed getattr access on the productid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp


Additional Information:
Source Context                system_u:system_r:celery_t:s0
Target Context                system_u:object_r:foreman_var_run_t:s0
Target Objects                /var/lib/pulp/content/units/yum_repo_metadata_file
                              /db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f9
                              62b8615f4d8e64a0/productid [ file ]
Source                        celery
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          **REDACTED**
Source RPM Packages           python-2.7.5-88.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **REDACTED**
Platform                      Linux **REDACTED** 3.10.0-1127.18.2.el7.x86_64 #1 SMP
                              Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64
Alert Count                   3919
First Seen                    2020-07-22 14:54:48 MDT
Last Seen                     2020-07-30 11:20:13 MDT
Local ID                      bda67965-d6ee-427c-915f-1c46a3cd9c37

Raw Audit Messages
type=AVC msg=audit(1596129613.268:517): avc:  denied  { getattr } for  pid=3010 comm="celery" path="/var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid" dev="dm-4" ino=187263120 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1596129613.268:517): arch=x86_64 syscall=stat success=no exit=EACCES a0=309fda0 a1=7fffcf89ee80 a2=7fffcf89ee80 a3=9 items=1 ppid=1877 pid=3010 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=celery exe=/usr/bin/python2.7 subj=system_u:system_r:celery_t:s0 key=(null)

type=CWD msg=audit(1596129613.268:517): cwd=/run/pulp

type=PATH msg=audit(1596129613.268:517): item=0 name=/var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid inode=187263120 dev=fd:04 mode=0100644 ouid=48 ogid=48 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: celery,celery_t,foreman_var_run_t,file,getattr

/var/log/messages output:

Jul 30 11:20:23 **REDACTED** setroubleshoot: failed to retrieve rpm info for /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid

Jul 30 11:20:23 **REDACTED** setroubleshoot: SELinux is preventing celery from read access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid. For complete SELinux messages run: sealert -l 81093daa-7c1a-4802-8be0-e42521a56e64

Jul 30 11:20:23 **REDACTED** python: SELinux is preventing celery from read access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that celery should be allowed read access on the productid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'celery' --raw | audit2allow -M my-celery#012# semodule -i my-celery.pp#012

sealert -l 81093daa-7c1a-4802-8be0-e42521a56e64:

[root@**REDACTED** repos]# sealert -l 81093daa-7c1a-4802-8be0-e42521a56e64
SELinux is preventing celery from read access on the file /var/lib/pulp/content/units/yum_repo_metadata_file/db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f962b8615f4d8e64a0/productid.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that celery should be allowed read access on the productid file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'celery' --raw | audit2allow -M my-celery
# semodule -i my-celery.pp


Additional Information:
Source Context                system_u:system_r:celery_t:s0
Target Context                system_u:object_r:foreman_var_run_t:s0
Target Objects                /var/lib/pulp/content/units/yum_repo_metadata_file
                              /db/0e3e543a664869128cf8abb546ba521ec7775cb001e4f9
                              62b8615f4d8e64a0/productid [ file ]
Source                        celery
Source Path                   celery
Port                          <Unknown>
Host                          **REDACTED**
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-266.el7_8.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     **REDACTED**
Platform                      Linux **REDACTED** 3.10.0-1127.18.2.el7.x86_64 #1 SMP
                              Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64
Alert Count                   113
First Seen                    2020-07-22 14:54:48 MDT
Last Seen                     2020-07-30 11:20:13 MDT
Local ID                      81093daa-7c1a-4802-8be0-e42521a56e64

Raw Audit Messages
type=AVC msg=audit(1596129613.268:518): avc:  denied  { read } for  pid=3010 comm="celery" name="productid" dev="dm-4" ino=187263120 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=0


Hash: celery,celery_t,foreman_var_run_t,file,read

sesearch -s celery_t --all | grep 'allow celery_t':

[root@**REDACTED** repos]# sesearch -s celery_t --all | grep 'allow celery_t'
allow celery_t celery_t : sem { create destroy getattr setattr read write associate unix_read unix_write } ;
allow celery_t default_context_t : dir { ioctl read getattr lock search open } ;
allow celery_t rpm_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t base_ro_file_type : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t httpd_sys_rw_content_t : file { ioctl read write create getattr setattr lock relabelto append unlink link rename open } ;
allow celery_t locale_t : lnk_file { read getattr } ;
allow celery_t pulp_var_run_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t var_run_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t cgroup_t : filesystem getattr ;
allow celery_t security_t : dir { ioctl read getattr lock search open } ;
allow celery_t celery_t : peer recv ;
allow celery_t debugfs_t : filesystem getattr ;
allow celery_t fs_t : filesystem getattr ;
allow celery_t tmpfs_t : dir { write getattr add_name remove_name search open } ;
allow celery_t celery_t : capability net_bind_service ;
allow celery_t node_t : tcp_socket node_bind ;
allow celery_t pulp_cert_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t celery_t : association sendto ;
allow celery_t bin_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t pulp_var_cache_t : file { ioctl read write create getattr setattr lock relabelfrom append map unlink link rename open } ;
allow celery_t var_t : dir { getattr search open } ;
allow celery_t celery_t : netlink_route_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;
allow celery_t celery_t : dir { ioctl read getattr lock search open } ;
allow celery_t bin_t : dir { ioctl read getattr lock search open } ;
allow celery_t locale_t : file { ioctl read getattr lock map open } ;
allow celery_t pulp_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t tmp_t : lnk_file { read getattr } ;
allow celery_t pulp_var_cache_t : dir { ioctl read write create getattr setattr lock relabelfrom unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t port_type : tcp_socket { name_bind name_connect } ;
allow celery_t pulp_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t celery_t : process { fork sigchld sigkill sigstop signull signal getsched setsched getcap setrlimit execmem } ;
allow celery_t httpd_sys_content_t : dir { ioctl read getattr lock search open } ;
allow celery_t pulp_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t sysfs_t : dir { read getattr search open } ;
allow celery_t security_t : security check_context ;
allow celery_t gpg_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t proc_t : dir { getattr search open } ;
allow celery_t ldconfig_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t httpd_sys_rw_content_t : fifo_file { getattr unlink } ;
allow celery_t security_t : lnk_file { read getattr } ;
allow celery_t httpd_sys_content_t : lnk_file { read getattr } ;
allow celery_t security_t : file { ioctl read write getattr lock append map open } ;
allow celery_t pstore_t : filesystem getattr ;
allow celery_t tmpfs_t : file { ioctl read write create getattr map unlink link execute execute_no_trans open } ;
allow celery_t etc_t : dir { getattr search open } ;
allow celery_t pulp_var_cache_t : lnk_file { read create getattr relabelfrom unlink } ;
allow celery_t sysfs_t : filesystem getattr ;
allow celery_t cert_t : file { ioctl read getattr lock open } ;
allow celery_t celery_exec_t : file { ioctl read getattr lock map execute execute_no_trans entrypoint open } ;
allow celery_t urandom_device_t : chr_file { ioctl read getattr lock open } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t tmpfs_t : filesystem getattr ;
allow celery_t proc_net_t : file { ioctl read getattr lock open } ;
allow celery_t httpd_sys_rw_content_t : sock_file { getattr unlink } ;
allow celery_t httpd_sys_content_t : file { ioctl read getattr lock open } ;
allow celery_t celery_t : fifo_file { ioctl read write getattr lock append open } ;
allow celery_t httpd_sys_rw_content_t : lnk_file { ioctl read write create getattr setattr lock relabelto append unlink link rename } ;
allow celery_t device_t : dir { getattr search open } ;
allow celery_t hugetlbfs_t : filesystem getattr ;
allow celery_t default_context_t : file { ioctl read getattr lock open } ;
allow celery_t net_conf_t : file { ioctl read getattr lock open } ;
allow celery_t shell_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t proc_net_t : dir { ioctl read getattr lock search open } ;
allow celery_t passwd_file_t : file { ioctl read getattr lock open } ;
allow celery_t locale_t : dir { ioctl read getattr lock search open } ;
allow celery_t etc_t : lnk_file { read getattr } ;
allow celery_t celery_t : file { ioctl read write getattr lock append open } ;
allow celery_t bin_t : lnk_file { read getattr } ;
allow celery_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t celery_t : key { view read write search link setattr create } ;
allow celery_t cert_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t cert_t : lnk_file { read getattr } ;
allow celery_t usr_t : dir { getattr search open } ;
allow celery_t pulp_cert_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t httpd_sys_rw_content_t : dir { ioctl read write create getattr setattr lock relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t celery_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t device_t : filesystem getattr ;
allow celery_t selinux_config_t : dir { getattr search open } ;
allow celery_t usr_t : file map ;
allow celery_t devpts_t : filesystem getattr ;
allow celery_t celery_t : lnk_file { ioctl read getattr lock } ;
allow celery_t proc_net_t : lnk_file { read getattr } ;
allow celery_t celery_t : shm { create destroy getattr setattr read write associate unix_read unix_write lock } ;
allow celery_t celery_t : unix_dgram_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t puppet_etc_t : file { ioctl read getattr lock open } ;
allow celery_t puppet_etc_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t puppet_etc_t : file { write create getattr setattr open } ;
allow celery_t tmp_t : sock_file { write create unlink link } ;
allow celery_t puppet_etc_t : dir { getattr search open } ;
allow celery_t puppet_etc_t : dir { ioctl read getattr lock search open } ;
allow celery_t puppet_etc_t : dir { getattr search open } ;
allow celery_t puppet_etc_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t puppet_etc_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow celery_t puppet_etc_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow celery_t puppet_etc_t : dir { read write create getattr setattr rename add_name remove_name reparent search rmdir open } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t celery_t : tcp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t var_t : dir write ;
allow celery_t bin_t : dir { getattr search open } ;
allow celery_t bin_t : dir { getattr search open } ;
allow celery_t bin_t : dir { getattr search open } ;
allow celery_t ssh_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t etc_t : dir { getattr search open } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown } ;
allow celery_t celery_t : unix_stream_socket { ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto } ;
allow celery_t rsync_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow celery_t celery_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow celery_t puppet_etc_t : lnk_file { read create getattr unlink } ;
allow celery_t bin_t : lnk_file { read getattr } ;
allow celery_t celery_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;
allow celery_t celery_t : udp_socket { ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown } ;

Thanks for all of the details! I’m seeing a very different error in my own 3.16 environment. Filed an issue so we can take a look at this soon: Bug #30534: 'hammer repository export' broken in 3.16 - Katello - Foreman

To clarify, was this an upgrade from 3.15 or a fresh install onto 3.16?

@Justin_Sherrill it was an upgrade.