Bug 1160796 - avc:denied when syncing repos with proxy
Summary: avc:denied when syncing repos with proxy
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: 2.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 2.5.0
Assignee: Brian Bouterse
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-11-05 16:19 UTC by Preethi Thomas
Modified: 2014-11-24 21:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-24 21:33:53 UTC
Embargoed:



Description Preethi Thomas 2014-11-05 16:19:40 UTC
Description of problem:

avc:denied when syncing repos with proxy

Version-Release number of selected component (if applicable):
[root@cloud-qe-19 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.16.rc.el7.noarch
[root@cloud-qe-19 ~]# 


How reproducible:


Steps to Reproduce:
1. Create a repo with a proxy
2. With SELinux enabled, try to sync the repo

Actual results:
[root@cloud-qe-19 ~]# setenforce 1
[root@cloud-qe-19 ~]# 
[root@cloud-qe-19 ~]# 
[root@cloud-qe-19 ~]# pulp-admin rpm repo sync run --repo-id pulp-unittest
+----------------------------------------------------------------------+
                Synchronizing Repository [pulp-unittest]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.


Downloading metadata...
[-]
... failed

Cannot connect to proxy. Socket error: [Errno 13] Permission denied.


Task Failed

Importer indicated a failed response

[root@cloud-qe-19 ~]# 


Expected results:


Additional info:

From the audit.log

type=AVC msg=audit(1415204202.934:1067): avc:  denied  { name_connect } for  pid=3012 comm="celery" dest=8080 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415204202.934:1067): arch=c000003e syscall=42 success=no exit=-13 a0=20 a1=7fede27f9a30 a2=10 a3=e8 items=0 ppid=27918 pid=3012 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)
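
Added example, not part of the original report: a Python sketch that pairs the AVC and SYSCALL records above by their shared audit event ID and summarizes the denial for triage. The function names are hypothetical; the sample input is the two audit.log lines from the report.

```python
import errno
import re

# The two audit.log records from the report, copied verbatim.
AUDIT_LOG = '''type=AVC msg=audit(1415204202.934:1067): avc:  denied  { name_connect } for  pid=3012 comm="celery" dest=8080 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1415204202.934:1067): arch=c000003e syscall=42 success=no exit=-13 a0=20 a1=7fede27f9a30 a2=10 a3=e8 items=0 ppid=27918 pid=3012 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="celery" exe="/usr/bin/python2.7" subj=system_u:system_r:celery_t:s0 key=(null)'''

RECORD = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by event ID (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault(f"{ts}:{serial}", {})[rtype] = fields
    return events

def summarize_denials(text):
    """One summary dict per AVC denial, joined with its SYSCALL record."""
    out = []
    for event_id, recs in parse_events(text).items():
        avc = recs.get("AVC")
        if not avc or not avc["perms"]:
            continue
        sc = recs.get("SYSCALL", {})
        code = int(sc["exit"]) if "exit" in sc else None
        out.append({
            "event": event_id,
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "dest_port": int(avc["dest"]) if "dest" in avc else None,
            "exe": sc.get("exe"),
            # A negative exit is -errno; -13 is EACCES, the "[Errno 13]" pulp-admin showed.
            "errno": errno.errorcode.get(-code) if code and code < 0 else None,
        })
    return out

if __name__ == "__main__":
    for d in summarize_denials(AUDIT_LOG):
        print(d)
```

For this report the summary reads: domain celery_t was denied name_connect on a tcp_socket whose port (8080) is labeled http_cache_port_t, and the failing call returned EACCES.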

Comment 1 Brian Bouterse 2014-11-06 16:32:06 UTC
PR available at:  https://github.com/pulp/pulp/pull/1289

Comment 2 Brian Bouterse 2014-11-06 16:39:26 UTC
Merged to 2.5-testing -> 2.5-dev -> master

Comment 4 Preethi Thomas 2014-11-17 17:03:30 UTC
verified

[root@cloud-qe-21 ~]# rpm -qa pulp-server
pulp-server-2.5.0-0.18.rc.el6.noarch
[root@cloud-qe-21 ~]# 

[root@cloud-qe-21 ~]# pulp-admin rpm repo create --repo-id global-proxy --feed http://yum.puppetlabs.com/el/7/dependencies/x86_64/  --proxy-host http://cloud-qe-1-vm-1.idmqe.lab.eng.bos.redhat.com --proxy-port 3128
Successfully created repository [global-proxy]

[root@cloud-qe-21 ~]# pulp-admin rpm repo sync run  --repo-id global-proxy
+----------------------------------------------------------------------+
                Synchronizing Repository [global-proxy]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.


Downloading metadata...
[|]
... completed

Downloading repository content...
[==================================================] 100%
RPMs:       10/10 items
Delta RPMs: 0/0 items

... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-]
... completed

Importing package groups/categories...
[-]
... completed


Task Succeeded



Initializing repo metadata
[-]
... completed

Publishing Distribution files
[-]
... completed

Publishing RPMs
[==================================================] 100%
10 of 10 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[-]
... completed

Publishing Comps file
[-]
... completed

Publishing Metadata.
[-]
... completed

Closing repo metadata
[-]
... completed

Generating sqlite files
... skipped

Publishing files to web
[-]
... completed

Writing Listings File
[-]
... completed


Task Succeeded


[root@cloud-qe-21 ~]# getenforce
Enforcing
[root@cloud-qe-21 ~]#

