Bug 1202994

Summary: SELinux prevents from remote SMTP delivery
Product: Red Hat Satellite
Component: Usability
Version: 6.1.0
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: Og Maciel <omaciel>
Assignee: Lukas Zapletal <lzap>
QA Contact: Og Maciel <omaciel>
CC: jmontleo, lzap, mmccune, omaciel, stbenjam, sthirugn
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/9825
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-08-12 05:30:19 UTC

Attachments:
* Mail Preference (flags: none)
* foreman-debug (flags: none)

Description Og Maciel 2015-03-17 20:51:02 UTC
Created attachment 1002957: Mail Preference

Description of problem:

I noticed that whenever I attempt to publish or promote a content view (composite or non-composite, with YUM or Docker-based repos), there is a failed attempt to send an email notification:

==> /var/log/foreman/production.log <==
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/_host_dashboard.html.erb (0.6ms)
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.html.erb (2.8ms)
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.text.erb (1.4ms)
2015-03-17 15:10:11 [I]
Sent mail to omaciel@<EDITED> (12ms)
2015-03-17 15:10:11 [W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

My system is configured to use an SMTP server (I will share my configuration in a second), with iptables running and SELinux in enforcing mode.


Version-Release number of selected component (if applicable):

* Satellite-6.1.0-RHEL-7-20150311.1

How reproducible:


Steps to Reproduce:
1. Update your Admin user account with a valid email address 
2. Configure your Mail Preferences as per the attached screenshot
3. Create a custom product and YUM-based repo and sync it
4. Create a content view (non-composite) and add the repo from above
5. Publish this content view while watching /var/log/foreman/production.log

Actual results:

[W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

Expected results:


Additional info:

Comment 5 Og Maciel 2015-03-18 14:53:12 UTC
Created attachment 1003278: foreman-debug

Attaching foreman-debug log.

Comment 6 Og Maciel 2015-03-18 15:34:29 UTC
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Comment 7 Stephen Benjamin 2015-03-18 15:35:11 UTC
It's selinux, passenger needs ability to talk to 25

type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket

Comment 8 Lukas Zapletal 2015-03-18 16:23:22 UTC
Interesting, we should have it in our policy already.

Workaround is to allow this port or permissive.

Comment 10 Lukas Zapletal 2015-03-19 10:18:53 UTC
I think we only allow local send; if satellite6 was configured with a remote MTA via SMTP protocol, that will likely get blocked.

https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/blob/SATELLITE-6.1.0/foreman.te#L269

Comment 14 Mike McCune 2015-03-20 21:46:03 UTC
Moving back to MODIFIED as we had to roll this back for:

https://bugzilla.redhat.com/show_bug.cgi?id=1204301

Comment 15 Lukas Zapletal 2015-03-23 11:38:33 UTC
Please apply the same patch, this one did not cause the getattr issue.

Comment 17 sthirugn@redhat.com 2015-03-25 20:44:58 UTC
This same error happens when the Puppet error state notification email is triggered.

Note to QE: 
Check notification emails for 
1. Publish
2. Promote
3. Puppet error state

Comment 18 Og Maciel 2015-03-25 22:39:56 UTC
Installed S8C1 and so far:

* Sync of RH repos sent me a notify email (SATELLITE SYNC SUMMARY)

Comment 19 Og Maciel 2015-03-26 00:43:30 UTC
* Publishing Content View sent me a notify email (SATELLITE PROMOTION SUMMARY)

Comment 20 Og Maciel 2015-03-26 00:49:51 UTC
* Promoting Content View sent me a notify email (SATELLITE PROMOTION SUMMARY, same as Publishing it)

Comment 21 Og Maciel 2015-03-26 12:25:41 UTC
* Today I received a Puppet Summary Report email

Comment 22 Og Maciel 2015-03-26 12:26:33 UTC
* Received a SATELLITE HOST ADVISORY email

Comment 23 Og Maciel 2015-03-26 21:50:41 UTC
Verified by QE on Satellite-6.1.0-RHEL-7-20150324.0 build.

Comment 24 Bryan Kearney 2015-08-11 13:22:52 UTC
This bug is slated to be released with Satellite 6.1.

Comment 25 errata-xmlrpc 2015-08-12 05:30:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592