Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1164164 - Setting a katello-proxy-url on RHEL7 in enforcing mode causes AVC denials: name_connect
Setting a katello-proxy-url on RHEL7 in enforcing mode causes AVC denials: na...
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: SELinux (Show other bugs)
6.0.5
Unspecified Unspecified
unspecified Severity high (vote)
: Beta
: Unused
Assigned To: Lukas Zapletal
Elyézer Rezende
http://projects.theforeman.org/issues...
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2014-11-14 03:53 EST by Ivan Necas
Modified: 2017-02-23 15:48 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-12 01:19:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 9216 None None None 2016-04-22 12:07 EDT
Red Hat Product Errata RHSA-2015:1592 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 05:04:35 EDT

  None (edit)
Description Ivan Necas 2014-11-14 03:53:07 EST 
Description of problem:
when setting up satellite to use proxy for communication, it
fails to use the proxy due to selinux issues


    type=AVC msg=audit(1412854812.878:760): avc:  denied  { name_connect } for  pid=12176 comm="ruby" dest=3128 scontext=system_u:system_r:passenger_t:

It does so for 3128 as well as 8080 port

Version-Release number of selected component (if applicable):

satellite-6.0.5
RHEL 7.0

How reproducible:
Always

Steps to Reproduce:
1. set up local squid (yum install -y squid; service squid start)
2. katello-installer --katello-proxy-url=http://localhost --katello-proxy-port=3128
3. katello-service restart
4. import manifest
5. try to enable some Red Hat repository

Actual results:
Fails on permission denied, AVC messages in audit.log

Expected results:
Everything works, the connection to the proxy is allowed.
Comment 2 Lukas Zapletal 2014-11-14 04:26:10 EST 
The workaround is to allow connects to the 8080 port.

Solution: Introduce new boolean for this.
Comment 4 Lukas Zapletal 2015-02-04 09:32:34 EST 
Correcting status, sorry about that :-)
Comment 10 Elyézer Rezende 2015-04-06 10:40:49 EDT 
Verified on: Satellite-6.1.0-RHEL-7-20150331.1

Steps to verify:

1. Installed Satellite pointing to an external squid proxy on port 3128.
2. Imported a manifest
3. Enabled "Red Hat Enterprise Virtualization Agents for RHEL 6 Server RPMs x86_64 6Server" Red Hat repository and synced it.
4. Watched audit.log for AVC and no AVC was emitted during the process:

# tail -f /var/log/audit/audit.log | grep AVC
^C
#
Comment 11 Bryan Kearney 2015-08-11 09:31:02 EDT 
This bug is slated to be released with Satellite 6.1.
Comment 12 errata-xmlrpc 2015-08-12 01:19:08 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.