Bug 1317011
| Summary: | connection to docker compute resource is refused with 'Permission denied - connect(2)' | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.2.0 | CC: | bbuckingham, ehelms, lpramuk, lzap, omaciel, stbenjam, xdmoon |
| Target Milestone: | Unspecified | Keywords: | Regression, Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/13502 | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-27 09:06:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1115190 | ||
Description of problem:
Test Connection to local docker compute resource unix:///var/run/docker.sock is refused with 'Permission denied - connect(2)'

Version-Release number of selected component (if applicable):
@Sat6.2.0-Beta-SNAP2

How reproducible:
100%

Steps to Reproduce:
1. prepare docker host on sat6 machine (install katello certs, add foreman to docker grp, set docker to run under docker grp, restart docker)
2. UI: navigate to Infrastructure > Compute resources > New compute resource
3. UI: on Compute resource tab set URL as 'unix:///var/run/docker.sock' and hit Test Connection; an error message is displayed:
"Permission denied - connect(2) for /var/run/docker.sock (Errno::EACCES)"

Actual results:
test connection fails with error

Expected results:
test connection is successful

Additional info:
Behind the refused connection there are SELinux denials:

avc: denied { connectto } for pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket

# audit2allow -a
#============= passenger_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:file { read getattr open };

-------------------------------

Test Connection to *remote* docker compute resource http://<DOCKER_HOST>:2375 is *also* refused, with some more SELinux denials:

# audit2allow -a
#============= passenger_t ==============
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { read getattr open };
#!!!! This avc can be allowed using one of these booleans:
# nis_enabled, passenger_can_connect_all
allow passenger_t unreserved_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of these booleans:
# nis_enabled, passenger_can_connect_all
allow passenger_t zarafa_port_t:tcp_socket name_connect;

-------------------------------

cat /etc/redhat-release
rpm -q docker-selinux

Assuming this was broken by pulling the docker policy out of the RHEL base core policy into a separate subpackage, you only need to install docker-selinux to get it all working. Please confirm and we will add an RPM dependency.

-------------------------------

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
# rpm -q docker-selinux
docker-selinux-1.8.2-8.el7.x86_64
# getsebool -a | grep passenger
passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on
passenger_can_connect_http_proxy --> on
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_connect_smtp --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
# semanage port -l | grep docker
<empty>

-------------------------------

With Satellite 6.1.7 @RHEL7.2 it works:

# getsebool -a | grep passenger
passenger_can_connect_all --> off
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376

During Satellite installation there is a related error:

...
  Installing : foreman-selinux-1.11.0-1.el7sat.noarch 468/580
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0-1.el7sat.noarch
  Installing : katello-selinux-3.0.1.0-1. [ ] 469/580
...

-------------------------------

*** Bug 1319294 has been marked as a duplicate of this bug. ***

-------------------------------

FailedQA.

@Sat6.2.0-Beta-SNAP5
foreman-selinux-1.11.0-1.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

-------------------------------

*** Bug 1321142 has been marked as a duplicate of this bug. ***

-------------------------------

VERIFIED.

@Sat6.2.0-Beta-Snap6
foreman-selinux-1.11.0.0-2.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Connections to a local docker using both unix socket (unix:///var/run/docker.sock) and tcp (http://localhost:2375 or http://<hostname>:2375) succeed. Connection to a remote docker (http://<FQDN>:2375) is also successful. Yay.

-------------------------------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
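The two symptoms in this bug are connected by how SELinux labels the socket endpoints: passenger_t (the Foreman process under Passenger) is denied `connectto` on the docker_t unix socket, and once `docker_port_t` is missing from the loaded policy (the `%post` ValueError and the empty `semanage port -l | grep docker`), TCP port 2375 falls under the generic `unreserved_port_t`, which is why the remote-connection denials name that type rather than `docker_port_t`. The script below is an added illustration, not Foreman/Satellite code and not the real `audit2allow` or libselinux implementation: it condenses AVC denials into type-enforcement `allow` rules the way `audit2allow` does, and resolves a port number against `semanage port -l` style output. The audit lines and port listings are constructed for the example (the first AVC line is the one quoted in the bug; the others are reconstructed from the rules `audit2allow` printed), and port resolution is approximated as "narrowest matching range wins", which mirrors the kernel's behaviour for this case but is not its actual portcon lookup.

```python
"""Miniature audit2allow plus a port-label lookup (added illustration for
this bug; not Foreman, Satellite, or audit2allow code).

Assumptions: kernel-style AVC lines ("avc: denied { perm } ... scontext=...
tcontext=... tclass=...") and a simplified port-type resolution rule.
"""
import re
from collections import defaultdict

# Constructed sample audit records. Line 1 is quoted from the bug; lines 2-4
# are reconstructed from the allow rules audit2allow printed on this bug.
SAMPLE_AVC = """\
type=AVC msg=audit(1.0:1): avc:  denied  { connectto } for  pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1.0:2): avc:  denied  { read } for  pid=72737 comm="diagnostic_con*" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=AVC msg=audit(1.0:3): avc:  denied  { getattr open } for  pid=72737 comm="diagnostic_con*" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file
type=AVC msg=audit(1.0:4): avc:  denied  { name_connect } for  pid=72737 comm="diagnostic_con*" dest=2375 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# Constructed `semanage port -l` excerpts: the line docker-selinux supplies,
# and the catch-all range that covers 2375 when that line is absent.
PORTS_WITH_DOCKER = """\
docker_port_t                  tcp      2375-2376
unreserved_port_t              tcp      1024-65535
"""
PORTS_WITHOUT_DOCKER = """\
unreserved_port_t              tcp      1024-65535
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
PORT_RE = re.compile(r"^(?P<type>\S+)\s+(?P<proto>tcp|udp)\s+(?P<ports>.+)$")


def context_type(ctx):
    """user:role:type[:level] -> type (the third field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract permissions, source type, target type and class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def allow_rules(audit_text):
    """Aggregate denials into TE allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (s, t, c), ps in sorted(perms.items()):
        ps = sorted(ps)
        body = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {s} {t}:{c} {body};")
    return rules


def port_type(semanage_output, proto, port):
    """Return the port type whose narrowest range covers (proto, port).

    Simplification: the kernel uses the first matching portcon statement in
    policy order, where specific ports precede the unreserved catch-all; for
    that ordering, "narrowest range wins" gives the same answer.
    """
    best = None
    for line in semanage_output.splitlines():
        m = PORT_RE.match(line.strip())
        if not m or m.group("proto") != proto:
            continue
        for spec in m.group("ports").split(","):
            lo, _, hi = spec.strip().partition("-")
            lo, hi = int(lo), int(hi or lo)
            if lo <= port <= hi and (best is None or hi - lo < best[0]):
                best = (hi - lo, m.group("type"))
    return best[1] if best else None


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
    print("2375 with docker-selinux:   ", port_type(PORTS_WITH_DOCKER, "tcp", 2375))
    print("2375 without docker-selinux:", port_type(PORTS_WITHOUT_DOCKER, "tcp", 2375))
```

Running it reproduces the three `passenger_t` rules from the bug (permissions sorted alphabetically rather than in log order) and shows 2375 resolving to `docker_port_t` only when the docker-selinux line is present; on a real host the equivalent checks are `rpm -q docker-selinux`, `semanage port -l | grep docker` and `getsebool passenger_can_connect_docker_unix passenger_can_connect_docker_tcp`, as the bug's comments do.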