Bug 1531075
| Summary: | passenger connection to container_port_t is denied | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED DUPLICATE | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3.0 | CC: | abalakht, bbuckingham, lzap |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-01-08 11:04:25 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 1478966 *** |
Description of problem: When you try to access docker CR via TCP you get "Permission denied - connect(2) for 127.0.0.1:2375 (Errno::EACCES)" The passenger connection is denied producing following AVC: type=AVC msg=audit(1514988360.074:3530): avc: denied { name_connect } for pid=5052 comm="diagnostic_con*" dest=2375 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:container_port_t:s0 tclass=tcp_socket Version-Release number of selected component (if applicable): satellite-6.3.0-23.0.el7sat.noarch foreman-selinux-1.15.5-1.el7sat.noarch How reproducible: deterministic Steps to Reproduce: 1. Have a Satellite and Docker CR accessible via TCP 2. If the CR is external install also container-selinux 3. Due to BZ #1527052 (slated for rhel-7.5.0) assign 2375/tcp port to container_port_t label since the label is missing any port assigments # semanage port -a -t container_port_t -p tcp 2375 You have to have the port assigned to the container_port_t label # semanage port -l |grep -e container container_port_t tcp 2375 4. Try to connect to localhost:2375 or external_docker_host:2375 (by "Test Connection" in UI) Actual results: connection denied Expected results: connection succeeds Additional info: The boolean passenger_can_connect_docker_tcp that should be related is turned on still connection is denied passenger_can_connect_all (off , off) Allow passenger to can connect all passenger_can_connect_docker_unix (on , on) Allow passenger to can connect docker unix passenger_can_connect_docker_tcp (on , on) Allow passenger to can connect docker tcp