Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1172842 - Satellite 6.1.0 installer fails trying to start httpd if selinux is enabled
Satellite 6.1.0 installer fails trying to start httpd if selinux is enabled
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: SELinux (Show other bugs)
Unspecified
Unspecified Unspecified
unspecified Severity high (vote)
: Unspecified
: Unused
Assigned To: Lukas Zapletal
Elyézer Rezende
http://projects.theforeman.org/issues...
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2014-12-10 16:31 EST by Jason Montleon
Modified: 2017-02-23 15:44 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-12 01:20:39 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
foreman-debug (289.40 KB, application/x-xz)
2014-12-10 16:31 EST, Jason Montleon 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 8683 None None None 2016-04-22 10:54 EDT
Red Hat Product Errata RHSA-2015:1592 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 05:04:35 EDT

  None (edit)
Description Jason Montleon 2014-12-10 16:31:37 EST 
Created attachment 966978 [details]
foreman-debug

Description of problem:
katello-installer fails if selinux is enabled because httpd can't bind to port 5000

Version-Release number of selected component (if applicable):
el6-smoketest.sat6.lab.eng.bos.redhat.com-foreman-client-1.0-1.noarch
el6-smoketest.sat6.lab.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-1.7.0.0-1.2.el6_6sat.noarch
foreman-compute-1.7.0.0-1.2.el6_6sat.noarch
foreman-gce-1.7.0.0-1.2.el6_6sat.noarch
foreman-libvirt-1.7.0.0-1.2.el6_6sat.noarch
foreman-ovirt-1.7.0.0-1.2.el6_6sat.noarch
foreman-postgresql-1.7.0.0-1.2.el6_6sat.noarch
foreman-proxy-1.7.0.1-1.el6_6sat.noarch
foreman-selinux-1.7.0.2-1.el6_6sat.noarch
foreman-vmware-1.7.0.0-1.2.el6_6sat.noarch
katello-2.1.0-1.el6_6sat.noarch
katello-certs-tools-2.1.0-1.el6_6sat.noarch
katello-default-ca-1.0-1.noarch
katello-installer-2.1.1-1.el6_6sat.noarch
katello-server-ca-1.0-1.noarch
pulp-katello-0.3-4.el6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2-2.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-1.4.1-2.el6_6sat.noarch
ruby193-rubygem-foreman_docker-0.2.0-2.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.5-2.el6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.10-3.el6_6sat.noarch
ruby193-rubygem-katello-2.1.0.6-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.3-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-4.el6_6sat.noarch
rubygem-hammer_cli_katello-0.0.6-1.el6_6sat.noarch


How reproducible:
Always, both on RHEL 6.6 and RHEL 7.0

Steps to Reproduce:
1. Install RHEL 6.6 or 7.0
2. install katello
3. run katello-installer with selinux-enabled

Actual results:
install fails

Expected results:
install succeeds

Additional info:
error:
type=AVC msg=audit(1418243650.344:259): avc:  denied  { name_bind } for  pid=9565 comm="httpd" src=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
Comment 2 Lukas Zapletal 2014-12-12 11:18:41 EST 
I don't get why httpd process would bind port 5000. Is this pulp related? I need to investigate and reproduce on Moday, was not able to find what the 5000 port is used for.
Comment 3 Jason Montleon 2014-12-12 11:25:00 EST 
Looks like it is for crane.

https://github.com/Katello/katello-installer
/blob/91002035cf1f3efc4794e32cd966dfb3ea244cc1/modules/crane/manifests/params.pp
Comment 4 Lukas Zapletal 2014-12-12 11:32:35 EST 
Jason,

I am introducing downstream.te.in in the downstream repo and making this workaround:

# Pulp crane support
ifdef(`distro_rhel6', `
    corenet_tcp_bind_commplex_port(passenger_t)
',`
    corenet_tcp_bind_commplex_main_port(passenger_t)

')

50add4b..e8e7419  SATELLITE-6.1.0 -> SATELLITE-6.1.0

I haven't scratchbuild this yet, maybe there is a typo. If you still have a box, can you give it a try? I need to setup my sat6 instances on Monday, not there yet.

The patch must go into pulp-selinux package upstream.
Comment 5 Lukas Zapletal 2014-12-12 11:36:57 EST 
Oh I see its a katello installer configuration, then it must go into foreman-selinux package. We carry those. Will do that. http://projects.theforeman.org/issues/8683
Comment 6 Justin Sherrill 2014-12-12 12:47:11 EST 
lzap, can we get this upstream as well in foreman-selinux?  (or create a katello-selinux if needed).

We can't make the tests upstream use selinux until that happens.
Comment 7 Jason Montleon 2014-12-12 15:49:02 EST 
Do I misread it or will this only fix RHEL 6? It is an issue on RHEL 7 as well.
Comment 8 Justin Sherrill 2014-12-13 00:23:26 EST 
Lukas:  Ah, just saw you statement "The patch must go into pulp-selinux package upstream."

I chatted with them and they do not provide an selinux policy on purpose for this for crane since its a 'deployment decision'.  We might could argue back if you feel it should be in pulp-selinux, but it seems as though the pulp team has no desire for it to be.
Comment 9 Lukas Zapletal 2014-12-15 10:45:46 EST 
Yes, sorry for the confusion. It's on our side. See my comment 5.
Comment 10 Lukas Zapletal 2015-01-26 11:26:42 EST 
Jason the upstream patch has moved, it's now in the newly created katello-selinux repository:

https://github.com/Katello/katello-selinux/pull/1

If you want to avoid the new package for 6.1, I can send all the patches into the downstream.te.in file. This is all about cleaning our upstream code.
Comment 14 Elyézer Rezende 2015-02-13 10:07:33 EST 
Was also tested installation from ISO
Comment 15 Elyézer Rezende 2015-02-13 11:12:01 EST 
Missed on last comment, this bug was verified on Satellite-6.1.0-RHEL-${OS_VERSION}-20150210.0.
Comment 16 Bryan Kearney 2015-08-11 09:27:03 EDT 
This bug is slated to be released with Satellite 6.1.
Comment 17 errata-xmlrpc 2015-08-12 01:20:39 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.