Bug 1177377
| Summary: | Satellite 6.1 does not work with http proxy due to SELinux denials | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Dave Sullivan <dsulliva> |
| Component: | Installation | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Elyézer Rezende <erezende> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.0.6 | CC: | bbuckingham, chrobert, cwelton, erezende, jswensso, kshirsal, lzap, m.ketchion, mmccune, sauchter, swadeley |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
Satellite 6 SELinux policy prevents from connecting to unknown ports.
Consequence:
Since there are no SELinux booleans to add rules for communication through http(s) proxy, there is no way of configuring Satellite with such a proxy.
Fix:
Depending on the target http(s) proxy port (usually 3128 or 8181) assign the required port to the foreman_proxy_port_t SELinux port type. Depending on the port number it must be either added (-a) or modified (-m).
semanage port -a -t foreman_proxy_port_t -p tcp 8181
semanage port -m -t foreman_proxy_port_t -p tcp 3128
No restart is needed, Satellite will be instantly allowed to do connections.
Result:
SELinux will allow communication on desired TCP ports.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-08-12 05:21:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release. I agree we should set this. Since Foreman does not need HTTP proxies and we don't provide any options, this is katello-installer task to set the SELinux appropriately. Resetting the component to the Installer. The goal is really only to allow HTTP proxy destination port in SELinux in Puppet. Not sure about the priority tho. Added doc text for Release Notes. *** Bug 1191299 has been marked as a duplicate of this bug. *** If you re-use a port which is already assigned in selinux policy (such as 8080) then you need to "modify" rather than add the new port # semanage port -m -t foreman_proxy_port_t -p tcp 8080 Good point, reworded the doco text. Verified on: Satellite-6.1.0-RHEL-7-20150331.1 Steps to verify: 1. Installed Satellite pointing to an external squid proxy on port 3128. 2. Imported a manifest 3. Enabled "Red Hat Enterprise Virtualization Agents for RHEL 6 Server RPMs x86_64 6Server" Red Hat repository and synced it. 4. Watched audit.log for AVC and no AVC was emitted during the process: # tail -f /var/log/audit/audit.log | grep AVC ^C # This bug is slated to be released with Satellite 6.1. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days |
Description of problem: On the RPMs tab I expand Red Hat Enterprise Linux Server, that then lists a bunch of repository sets. If I click the expand allow to the left of any of the repository sets it sits there for a while and then errors ... "Permission denied - connect(2)" If I click for more info I see.. Actions::Katello::RepositorySet::ScanCdn xception: Errno::EACCES: Permission denied - connect(2) /var/log/foreman/production.log Processing by Katello::ProductsController#available_repositories as */* Parameters: {"content_id"=>"867", "_"=>"1419620712264", "id"=>"103"} Permission denied - connect(2) (Errno::EACCES) /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `initialize' /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `open' /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `block in connect' /opt/rh/ruby193/root/usr/share/ruby/timeout.rb:55:in `timeout' /opt/rh/ruby193/root/usr/share/ruby/timeout.rb:100:in `timeout' /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `connect' /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:756:in `do_start' /opt/rh/ruby193/root/usr/share/ruby/net/http.rb:745:in `start' /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/resources/cdn.rb:80:in `get' /opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/util/cdn_var_substitutor.rb:154:in `get_substitutions_from' /var/log/audit/audit.log type=AVC msg=audit(1419621937.157:5357): avc: denied { name_connect } for pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1419621937.157:5357): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fe6909007e0 a2=10 a3=3 items=0 ppid=1 pid=31266 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null) Version-Release number of selected component (if applicable): Satellite 6.0.6 on RHEL7 How reproducible: see above Actual results: see logs noted above Expected results: proxy installation should provide the correct selinux configuration to allow repositories to be accessed katello-installer --katello-proxy-password="" --katello-proxy-username="" --katello-proxy-url="http://dell-per720-1.gsslab.rdu2.redhat.com" --katello-proxy-port="8181" Additional info: Workaround for this is to semanage port -a -t foreman_proxy_port_t -p tcp 8181 http://projects.theforeman.org/projects/foreman/wiki/SELinux