Bug 1131424

Summary: installation on RHEL7 in Enforcing fails with "Could not evaluate: Could not load data from https://<fqdn>"
Product: Red Hat Satellite
Reporter: Jan Hutař <jhutar>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Og Maciel <omaciel>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.0.3
CC: bbuckingham, jmontleo, omaciel, sthirugn
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-11 12:27:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1130086
Bug Blocks:

Description Jan Hutař 2014-08-19 09:02:54 UTC
Description of problem:
Installation on RHEL7 in Enforcing fails with "Could not evaluate: Could not load data from https://<fqdn>"


Version-Release number of selected component (if applicable):
Satellite-6.0.4-RHEL-7-20140813.2


How reproducible:
always


Steps to Reproduce:
1. # katello-installer --foreman-admin-email 'root@localhost' --foreman-admin-username '<user>' --foreman-admin-password '<pass>' --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip29> --capsule-dns-forwarders <ip19> --capsule-dns-forwarders <ip160> --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <hash> --capsule-pulp false


Actual results:
Lots of AVCs, and configuration fails.


Expected results:
No failures


Additional info:
# rpm -qa | grep selinux
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch
candlepin-selinux-0.9.23-1.el7.noarch
foreman-selinux-1.6.0.6-1.el7sat.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7.noarch
pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
libselinux-utils-2.2.2-6.el7.x86_64
# cat /var/log/audit/audit.log | audit2allow 
#============= passenger_t ==============
allow passenger_t fs_t:filesystem getattr;
allow passenger_t httpd_t:unix_stream_socket getattr;
allow passenger_t initrc_t:unix_stream_socket connectto;
allow passenger_t initrc_var_run_t:file { read getattr unlink open ioctl };
allow passenger_t postgresql_t:unix_stream_socket connectto;
allow passenger_t postgresql_var_run_t:dir search;
allow passenger_t postgresql_var_run_t:sock_file write;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t puppet_log_t:file write;
allow passenger_t puppet_var_lib_t:dir { relabelfrom relabelto create setattr };
allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
allow passenger_t self:capability2 block_suspend;
allow passenger_t self:process { execmem getsession };
allow passenger_t sysfs_t:dir read;
allow passenger_t sysfs_t:file { read getattr open };
 
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow passenger_t unreserved_port_t:tcp_socket name_connect;
allow passenger_t var_lib_t:file { read getattr open ioctl };
allow passenger_t var_lib_t:lnk_file read;
allow passenger_t var_log_t:file { write ioctl read open getattr append };
allow passenger_t var_run_t:file { read getattr open ioctl };
allow passenger_t var_run_t:sock_file write;
allow passenger_t websm_port_t:tcp_socket name_connect;

#============= qpidd_t ==============
allow qpidd_t passwd_file_t:file getattr;

Comment 2 RHEL Program Management 2014-08-19 09:13:25 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Jan Hutař 2014-08-19 09:21:33 UTC
As advised by lzap:

# semodule -l | grep foreman
# foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute consoletype_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
# rpm -qa | grep selinux | grep -v -e libselinux -e selinux-policy
candlepin-selinux-0.9.23-1.el7.noarch
foreman-selinux-1.6.0.6-1.el7sat.noarch
pulp-selinux-2.4.0-0.30.beta.el7sat.noarch

Comment 5 Lukas Zapletal 2014-08-19 09:30:35 UTC
The compose is missing this patch in foreman-selinux.spec file:

https://github.com/theforeman/foreman-packaging/pull/308

The policy was not loaded, all the AVCs above are not relevant.

As a workaround use this build:

http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm

Comment 6 Jan Hutař 2014-08-19 09:39:29 UTC
This package resolves the issue:

# rpm -Uvh http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
Retrieving http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:foreman-selinux-1.7.0-0.develop.2################################# [ 50%]
Cleaning up / removing...
   2:foreman-selinux-1.6.0.6-1.el7sat ################################# [100%]
# foreman-selinux-enable
# echo $?
0
# semodule -l | grep foreman
foreman	1.7.0.0

Comment 10 Lukas Zapletal 2014-08-21 09:59:58 UTC
Hello,

this has been reported as. I will implement a temporary fix in our policy.

https://bugzilla.redhat.com/show_bug.cgi?id=1130086

Comment 15 Lukas Zapletal 2014-08-29 08:09:29 UTC
Jan, this bugzilla contains several denials. Can you specify what you see?

Please paste output of the following commands in this order:

  rpm -q foreman-selinux selinux-policy
  getenforce
  ps auxZ | grep RackApp
  semodule -l | grep foreman
  foreman-selinux-enable
  foreman-selinux-disable
  foreman-selinux-enable
  foreman-selinux-relabel -v
  semanage boolean -l
  semanage fcontext -l
  sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
  ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50
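
The point that comment 5 makes (the policy module was never loaded, so the audit2allow output above it is meaningless) and the diagnostic order in comment 15 can be wrapped in a small pre-flight script. The following is an added example, not code from this bug report, from foreman-selinux or from the katello installer. It assumes the RHEL 7 `semodule -l` output format shown in comment 6 (module name, tab, version) and the libsepol error wording shown in comment 4; the function names `module_version`, `missing_requirement` and `preflight`, and the `PREFLIGHT_RUN` variable, are chosen here.

```shell
#!/bin/sh
# Added example, not part of the bug report. Helpers for the check this
# thread turned on: is the foreman SELinux policy module actually loaded?
# If it is not, the denials that audit2allow prints describe a system
# running without the intended policy and must not be turned into a local
# module with "allow" rules.

# module_version NAME
#   Reads `semodule -l` output on stdin (RHEL 7 prints "name<TAB>version"
#   per line), prints the version of NAME and returns 0; returns 1 when the
#   module is absent.
module_version() {
    awk -v m="$1" '$1 == m { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# missing_requirement
#   Reads the output of `foreman-selinux-enable` on stdin and prints the
#   type/attribute that libsepol reports as unmet (prints nothing when the
#   message is not present). Wording as quoted in comment 4 (assumption).
missing_requirement() {
    sed -n 's/.*requirements were not met: type\/attribute \([A-Za-z0-9_]*\).*/\1/p'
}

# preflight NAME
#   Live check against the running system, in the order asked for in
#   comment 15. Returns 0 when the NAME module is loaded, 1 otherwise.
preflight() {
    name=$1
    echo "== packages"; rpm -q "${name}-selinux" selinux-policy
    echo "== mode";     getenforce
    if ver=$(semodule -l | module_version "$name"); then
        echo "== module $name $ver is loaded; AVC output is meaningful"
        return 0
    fi
    echo "== module $name is NOT loaded; ignore the AVCs and fix the policy package first"
    "${name}-selinux-enable" 2>&1 | missing_requirement | sed 's/^/   unmet requirement: /'
    return 1
}

# Run the live check only when explicitly requested, so the helpers can be
# sourced and exercised on captured output without touching the system.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight "${1:-foreman}"
fi
```

Run as `PREFLIGHT_RUN=1 sh preflight.sh foreman` on the affected host; a non-zero exit means the module is missing, which is the state comment 5 describes, and the AVC list should be ignored until `semodule -l | grep foreman` shows the module.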

Comment 16 Og Maciel 2014-09-02 19:46:59 UTC
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:  
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch

Comment 17 Bryan Kearney 2014-09-11 12:27:58 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.