Bug 1164164

Summary: Setting a katello-proxy-url on RHEL7 in enforcing mode causes AVC denials: name_connect
Product: Red Hat Satellite Reporter: Ivan Necas <inecas>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Elyézer Rezende <erezende>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.5CC: bbuckingham, cwelton, erezende, jmontleo, michele, mmccune
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/9216
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-12 05:19:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ivan Necas 2014-11-14 08:53:07 UTC 
Description of problem:
when setting up satellite to use proxy for communication, it
fails to use the proxy due to selinux issues


    type=AVC msg=audit(1412854812.878:760): avc:  denied  { name_connect } for  pid=12176 comm="ruby" dest=3128 scontext=system_u:system_r:passenger_t:

It does so for 3128 as well as 8080 port

Version-Release number of selected component (if applicable):

satellite-6.0.5
RHEL 7.0

How reproducible:
Always

Steps to Reproduce:
1. set up local squid (yum install -y squid; service squid start)
2. katello-installer --katello-proxy-url=http://localhost --katello-proxy-port=3128
3. katello-service restart
4. import manifest
5. try to enable some Red Hat repository

Actual results:
Fails on permission denied, AVC messages in audit.log

Expected results:
Everything works, the connection to the proxy is allowed.
Comment 2 Lukas Zapletal 2014-11-14 09:26:10 UTC 
The workaround is to allow connects to the 8080 port.

Solution: Introduce new boolean for this.
Comment 4 Lukas Zapletal 2015-02-04 14:32:34 UTC 
Correcting status, sorry about that :-)
Comment 10 Elyézer Rezende 2015-04-06 14:40:49 UTC 
Verified on: Satellite-6.1.0-RHEL-7-20150331.1

Steps to verify:

1. Installed Satellite pointing to an external squid proxy on port 3128.
2. Imported a manifest
3. Enabled "Red Hat Enterprise Virtualization Agents for RHEL 6 Server RPMs x86_64 6Server" Red Hat repository and synced it.
4. Watched audit.log for AVC and no AVC was emitted during the process:

# tail -f /var/log/audit/audit.log | grep AVC
^C
#
Comment 11 Bryan Kearney 2015-08-11 13:31:02 UTC 
This bug is slated to be released with Satellite 6.1.
Comment 12 errata-xmlrpc 2015-08-12 05:19:08 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592