Bug 692679

Summary: web ui inaccessible with selinux enforcing
Product: [Retired] CloudForms Cloud Engine Reporter: Dave Johnson <dajohnso>
Component: aeolus-conductorAssignee: Francesco Vollero <fvollero>
Status: CLOSED ERRATA QA Contact: Dave Johnson <dajohnso>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.0.0CC: cpelland, deltacloud-maint, mgrepl, morazi, whayutin
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-15 21:41:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dave Johnson 2011-03-31 20:17:43 UTC 
Description of problem:

Pretty sure running selinux in permissive mode is meant to be a temporary workaround.  Pretty sure we do not want to release this way.  I ran across this on a reboot and after a discussion with Wes, this is the real issue.

snippet of errors in /var/log/audit/audit.log
================================================================
type=AVC msg=audit(1301601180.778:109017): avc:  denied  { name_connect } for  pid=1695 comm="httpd" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1301601180.778:109017): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7fe28ca35a48 a2=10 a3=7fff6996c47c items=0 ppid=1689 pid=1695 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Comment 1 Mike Orazi 2011-09-20 21:03:58 UTC 
This may already be addressed for the conductor web ui, but let's verify.
Comment 2 Miroslav Grepl 2011-09-22 11:10:01 UTC 
There is a boolean

httpd_can_network_connect

which should allow this. Could you test it using

setsebool httpd_can_network_connect on
Comment 3 Francesco Vollero 2011-09-22 13:18:40 UTC 
This is an error generated from selinux policy for mod_proxy. So, before aeolus-configure was setting selinux as Miroslav said, now i don't know how is managed, but since we want to use Apache2 we need to set this boolean somehow.
Comment 4 wes hayutin 2011-09-28 16:40:05 UTC 
making sure all the bugs are at the right version for future queries
Comment 6 Dave Johnson 2011-12-12 21:00:57 UTC 
good 2 go with 

[root@qeblade29 ~]# rpm -qa | grep aeolus | sort
aeolus-all-0.7.0-4.el6.noarch
aeolus-conductor-0.7.0-4.el6.noarch
aeolus-conductor-daemons-0.7.0-4.el6.noarch
aeolus-conductor-doc-0.7.0-4.el6.noarch
aeolus-configure-2.4.0-3.el6.noarch
rubygem-aeolus-cli-0.2.0-3.el6.noarch
rubygem-aeolus-image-0.2.0-1.el6.noarch
Comment 9 errata-xmlrpc 2012-05-15 21:41:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html