interesting SELinux issue with post install script in ‘.spec’ file

My task was pretty straightforward: allow users to download the orcharhino documentation from their orcharhino server.
Right now, we’re providing the documentation on each instance at FQDN/or_doc.
As we’ve dropped .pdf support, we want to provide a .zip archive of the HTML version of the documentation at FQDN/pub/orcharhino_documentation.zip for users to download.

Easy.
Let’s amend the .spec file as follows:

%post
mkdir -p /var/www/html/pub/
pushd /usr/share/doc/%{name}/html/
zip --recurse-paths /var/www/html/pub/orcharhino_documentation.zip .
popd

Side note: the pushd and popd are necessary because zip does not play nicely with --recurse-paths and --junk-paths together; running it from inside the directory keeps the /usr/share/doc/%{name}/html prefix out of the archive.
mkdir and rm are necessary as I don’t know at which stage of the orcharhino installation process the documentation RPM package is actually installed and to make it upgrade safe.

This will work, surely.
But does it?

Navigating to my test deployment, I see there is no orcharhino_documentation.zip in /pub.
I ssh into the orcharhino server, cd to /var/www/html/pub, which is symlinked to /pub, run ls -l et voilà:

-rw-r--r--. 1 apache apache 104091 Mar 1 08:49 bootstrap.py
-rw-r--r--. 2 apache apache 93821 Mar 1 08:49 bootstrap.pyc
-rw-r--r--. 2 apache apache 93821 Mar 1 08:49 bootstrap.pyo
lrwxrwxrwx. 1 root root 74 Mar 1 11:47 katello-ca-consumer-latest.noarch.rpm -> /var/
-rw-r--r--. 1 root root 8873 Mar 1 11:47 katello-ca-consumer-orcharhino.example.com-1.0-1.noarch.rpm
-rw-r--r--. 1 root root 9324 Mar 1 11:47 katello-ca-consumer-orcharhino.example.com-1.0-1.src.rpm
-rwxr-xr-x. 1 root root 21761 Mar 1 11:47 katello-rhsm-consumer
-rw-r--r--. 1 root root 8123 Mar 1 11:45 katello-server-ca.crt
-rw-r--r--. 1 root root 32720742 Mar 1 15:55 orcharhino_documentation.zip
-rw-r--r--. 1 root root 1670 Mar 1 12:10 pulp_deb_signing.key

To my surprise, the file is there.

I stare at the ls output for a good 20 minutes.
How can I see this file here, but neither in the browser nor using wget?

I ask a colleague and we stare at it some more, probably longer than we’re both comfortable to admit.
My colleague searches the httpd config files, I reload the page in my browser over and over and tail -f the various httpd log files.

tail -f /var/log/httpd/foreman_error.log finally brings some light into the darkness:

[Mon Mar 01 16:29:06.561442 2021] [core:error] [pid 16455] (13)Permission denied: [client 12.34.56.78:52509] AH00035: access to /pub/orcharhino_documentation.zip denied (filesystem path '/var/www/html/pub/orcharhino_documentation.zip') because search permissions are missing on a component of the path

something something BECAUSE PERMISSIONS

Using my favourite search engine, I quickly discover that it’s an SELinux issue.
From what I understand, SELinux blocked httpd’s access to the /var/www/html/pub/orcharhino_documentation.zip archive because the freshly created file lacked the SELinux context httpd is allowed to read.
Running a simple restorecon orcharhino_documentation.zip restores the expected SELinux context and fixes my problem.

I add this to the .spec file and restart the test deployment.
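The %post logic with the restorecon fix folded in, written as shell functions so it can be run outside an RPM build (an added example, not the spec from this post). It assumes zip(1) is installed; restorecon and ls -Z are only used where they exist, and the function and variable names are my own.

```bash
# Added example (not the spec from the post): the %post logic as shell functions so it
# can be exercised outside an RPM build. Assumes zip(1); restorecon and ls -Z are
# only used when present, so the functions also run on a host without SELinux.

# Build the archive with entries relative to "$src": zip runs from inside the source
# tree in a subshell (the pushd/popd trick, without touching the caller's cwd).
# The stale archive is removed first, because zip would otherwise update it in place.
build_docs_archive() {
    local src="$1" dest="$2"
    mkdir -p "$(dirname "$dest")"
    dest="$(cd "$(dirname "$dest")" && pwd)/$(basename "$dest")"   # absolute, survives the cd
    rm -f "$dest"
    ( cd "$src" && zip -q --recurse-paths "$dest" . )
}

# Type field of a path's SELinux label (e.g. httpd_sys_content_t), or "none" where
# there is no label to show (ls -Z prints "?" on hosts without SELinux).
label_type() {
    local ctx
    ctx=$(ls -Zd "$1" 2>/dev/null | awk '{print $1}')
    case "$ctx" in
        ''|'?') echo none ;;
        *) printf '%s\n' "$ctx" | awk -F: '{print $3}' ;;
    esac
}

# A file written by a scriptlet can carry a label httpd may not read, even though it
# sits below /var/www/html. restorecon reapplies the label the file-context rules
# define for that path, which is what fixed the AH00035 denial in the post.
# Prints relabelled, unchanged or no-selinux so the outcome can be logged.
relabel_for_httpd() {
    local path="$1" before after
    if ! command -v restorecon >/dev/null 2>&1; then
        echo no-selinux
        return 0
    fi
    before=$(label_type "$path")
    restorecon "$path"
    after=$(label_type "$path")
    [ "$before" = "$after" ] && echo unchanged || echo relabelled
}

# The %post scriptlet then reduces to these two calls; $1 stands in for %{name}.
docs_post() {
    build_docs_archive "/usr/share/doc/$1/html" /var/www/html/pub/orcharhino_documentation.zip
    relabel_for_httpd /var/www/html/pub/orcharhino_documentation.zip
}
```

Running `ls -Z` on the archive before and after `restorecon` shows whether the label actually changed, which is the quickest way to confirm this was the cause rather than plain file permissions.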

hashtag surprises during “trivial” tickets and orcharhino development