Bug 1317011
| Summary: | connection to docker compute resource is refused with 'Permission denied - connect(2)' | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2.0 | CC: | bbuckingham, ehelms, lpramuk, lzap, omaciel, stbenjam, xdmoon |
| Target Milestone: | Unspecified | Keywords: | Regression, Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| URL: | http://projects.theforeman.org/issues/13502 | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-27 09:06:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1115190 | | |
Description
Lukas Pramuk
2016-03-11 17:10:25 UTC
Test Connection to *remote* docker compute resource http://<DOCKER_HOST>:2375 is *also* refused with some more SELinux denials:

```
# audit2allow -a

#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { read getattr open };

#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, passenger_can_connect_all
allow passenger_t unreserved_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
# nis_enabled, passenger_can_connect_all
allow passenger_t zarafa_port_t:tcp_socket name_connect;
```

```
cat /etc/redhat-release
rpm -q docker-selinux
```

Assuming this was broken by pulling the docker policy out of the RHEL base core policy into a separate subpackage, you only need to install docker-selinux to get it all working. Please confirm and we will add an RPM dependency.

```
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# rpm -q docker-selinux
docker-selinux-1.8.2-8.el7.x86_64

# getsebool -a | grep passenger
passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on
passenger_can_connect_http_proxy --> on
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_connect_smtp --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
<empty>
```

-------------------------------

With Satellite 6.1.7 @RHEL7.2 it works:

```
# getsebool -a | grep passenger
passenger_can_connect_all --> off
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376
```

During Satellite installation there is a related error:

```
...
  Installing : foreman-selinux-1.11.0-1.el7sat.noarch                      468/580
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0-1.el7sat.noarch
  Installing : katello-selinux-3.0.1.0-1. [ ] 469/580
...
```

*** Bug 1319294 has been marked as a duplicate of this bug. ***

FailedQA.

@Sat6.2.0-Beta-SNAP5
foreman-selinux-1.11.0-1.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

*** Bug 1321142 has been marked as a duplicate of this bug. ***

VERIFIED.

@Sat6.2.0-Beta-Snap6
foreman-selinux-1.11.0.0-2.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Connections to a local docker using both the unix socket (unix:///var/run/docker.sock) and tcp (http://localhost:2375 or http://<hostname>:2375) succeed. Connection to a remote docker (http://<FQDN>:2375) is also successful. Yay.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1500
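Added example, not code from this bug report, from foreman-selinux or from docker-selinux: a small POSIX sh preflight for the two conditions the report turned on. First, whether `docker_port_t` is present in the loaded policy; `semanage port -a -t <type>` refuses with "Type <type> is invalid, must be a port type" when it is not, which matches the `%post` failure quoted above (the report does not show the scriptlet itself, so the `semanage port -a -t docker_port_t` call is assumed here). Second, whether `passenger_can_connect_docker_tcp` is on. It also reduces raw AVC records to the (source type, target type, class, permission) tuple that audit2allow summarised in the description. The function names are mine, and the `semanage port -l`, `getsebool -a` listings and AVC lines are constructed to mirror the report's output so the script runs offline; on a live host feed the functions the real `semanage port -l`, `getsebool -a` and `ausearch -m avc` output instead.

```shell
#!/bin/sh
# Added example (not code from the bug report, foreman-selinux or docker-selinux).
# Preflight for a Foreman/Passenger host that must reach a docker compute
# resource. Listings are passed in as strings so it runs offline against the
# constructed samples at the bottom; on a real host pass the output of
# `semanage port -l`, `getsebool -a` and `ausearch -m avc` instead.

# Succeed when PORT_TYPE (e.g. docker_port_t) appears in `semanage port -l`
# output. `semanage port -a -t <type>` aborts with "Type <type> is invalid,
# must be a port type" when the type is not in the loaded policy, so a
# packaging %post should test this before labelling ports.
port_type_defined() {
    port_type=$1; listing=$2
    printf '%s\n' "$listing" | awk -v t="$port_type" '$1 == t { found = 1 } END { exit !found }'
}

# Succeed when BOOLEAN is reported "on" in `getsebool -a` output ("name --> on").
bool_is_on() {
    boolean=$1; listing=$2
    printf '%s\n' "$listing" | awk -v b="$boolean" '$1 == b && $3 == "on" { found = 1 } END { exit !found }'
}

# Reduce a raw AVC record to "source_type target_type tclass permissions",
# the same tuple audit2allow turns into an allow rule.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            perm = ""; s = ""; t = ""; cls = ""
            if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
                if (kv[1] == "tclass") cls = kv[2]
            }
            print s, t, cls, perm
        }'
}

# Print "ok" when the policy can label TCP 2375-2376 as docker_port_t and
# Passenger is allowed to connect to it; otherwise print the first missing
# prerequisite and fail.
docker_tcp_preflight() {
    ports=$1; bools=$2
    if ! port_type_defined docker_port_t "$ports"; then
        echo "docker_port_t missing: install the policy package that ships it (docker-selinux) before running semanage port -a -t docker_port_t"
        return 1
    fi
    if ! bool_is_on passenger_can_connect_docker_tcp "$bools"; then
        echo "passenger_can_connect_docker_tcp is off: setsebool -P passenger_can_connect_docker_tcp on"
        return 1
    fi
    echo ok
}

# Constructed samples modelled on the report: the failing host lists no docker
# port type, the working Satellite 6.1.7 host lists docker_port_t.
BROKEN_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
zarafa_port_t                  tcp      236, 237'
WORKING_PORTS='docker_port_t                  tcp      2375-2376
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'
BOOLS='passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on'
# Constructed AVC records matching the first and fourth allow rules in the
# audit2allow output (unix-socket connectto to docker_t; TCP name_connect to a
# port that is only unreserved_port_t while docker_port_t is undefined).
AVC_UNIX='type=AVC msg=audit(1457716225.101:4242): avc:  denied  { connectto } for  pid=4321 comm="ruby" path="/var/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket'
AVC_TCP='type=AVC msg=audit(1457716225.102:4243): avc:  denied  { name_connect } for  pid=4321 comm="ruby" dest=2375 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

docker_tcp_preflight "$BROKEN_PORTS" "$BOOLS" || :
docker_tcp_preflight "$WORKING_PORTS" "$BOOLS"
avc_summary "$AVC_UNIX"
avc_summary "$AVC_TCP"
```

The preflight checks the port type before the boolean on purpose: on the failing host in the report `passenger_can_connect_docker_tcp` was already on, yet the connection was denied, because without `docker_port_t` in policy the 2375 port carries `unreserved_port_t`, which that boolean does not cover.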