Bug 1172842 - Satellite 6.1.0 installer fails trying to start httpd if selinux is enabled
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: SELinux
Severity: high
Assigned To: Lukas Zapletal
Elyézer Rezende
http://projects.theforeman.org/issues...
: Triaged
Depends On:
Blocks:
 
Reported: 2014-12-10 16:31 EST by Jason Montleon
Modified: 2017-02-23 15:44 EST

Doc Type: Bug Fix
Last Closed: 2015-08-12 01:20:39 EDT
Type: Bug


Attachments
foreman-debug (289.40 KB, application/x-xz)
2014-12-10 16:31 EST, Jason Montleon


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 8683 None None None 2016-04-22 10:54 EDT
Red Hat Product Errata RHSA-2015:1592 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 05:04:35 EDT

Description Jason Montleon 2014-12-10 16:31:37 EST
Created attachment 966978 [details]
foreman-debug

Description of problem:
katello-installer fails if selinux is enabled because httpd can't bind to port 5000

Version-Release number of selected component (if applicable):
el6-smoketest.sat6.lab.eng.bos.redhat.com-foreman-client-1.0-1.noarch
el6-smoketest.sat6.lab.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-1.7.0.0-1.2.el6_6sat.noarch
foreman-compute-1.7.0.0-1.2.el6_6sat.noarch
foreman-gce-1.7.0.0-1.2.el6_6sat.noarch
foreman-libvirt-1.7.0.0-1.2.el6_6sat.noarch
foreman-ovirt-1.7.0.0-1.2.el6_6sat.noarch
foreman-postgresql-1.7.0.0-1.2.el6_6sat.noarch
foreman-proxy-1.7.0.1-1.el6_6sat.noarch
foreman-selinux-1.7.0.2-1.el6_6sat.noarch
foreman-vmware-1.7.0.0-1.2.el6_6sat.noarch
katello-2.1.0-1.el6_6sat.noarch
katello-certs-tools-2.1.0-1.el6_6sat.noarch
katello-default-ca-1.0-1.noarch
katello-installer-2.1.1-1.el6_6sat.noarch
katello-server-ca-1.0-1.noarch
pulp-katello-0.3-4.el6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2-2.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-1.4.1-2.el6_6sat.noarch
ruby193-rubygem-foreman_docker-0.2.0-2.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.5-2.el6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.10-3.el6_6sat.noarch
ruby193-rubygem-katello-2.1.0.6-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.3-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-4.el6_6sat.noarch
rubygem-hammer_cli_katello-0.0.6-1.el6_6sat.noarch


How reproducible:
Always, both on RHEL 6.6 and RHEL 7.0

Steps to Reproduce:
1. Install RHEL 6.6 or 7.0
2. install katello
3. run katello-installer with selinux-enabled

Actual results:
install fails

Expected results:
install succeeds

Additional info:
error:
type=AVC msg=audit(1418243650.344:259): avc:  denied  { name_bind } for  pid=9565 comm="httpd" src=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
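
Added example (not part of the original bug report or of any Satellite/Foreman code): a small parser that pulls port-bind denials like the one above out of audit log text and reports the source domain, port and port type involved. The sample log is constructed from the reported AVC line plus made-up records; all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the denial quoted in the report plus made-up records.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1418243650.344:259): avc:  denied  { name_bind } for  pid=9565 comm="httpd" src=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1418243651.100:260): avc:  denied  { name_bind } for  pid=9570 comm="httpd" src=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1418243652.000:261): avc:  denied  { read } for  pid=9571 comm="cat" name="example.conf" scontext=unconfined_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1418243650.344:259): arch=c000003e syscall=49 success=no exit=-13
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields

def port_bind_denials(log_text):
    """Count name_bind denials per (source domain, port, port type, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and 'name_bind' in rec['perms'] and 'src' in rec:
            counts[(selinux_type(rec['scontext']), int(rec['src']),
                    selinux_type(rec['tcontext']), rec['tclass'])] += 1
    return counts

def raw_allow_rule(domain, port_type, tclass):
    """Type-enforcement rule matching the denial, for policy review only."""
    return f"allow {domain} {port_type}:{tclass} name_bind;"

if __name__ == '__main__':
    for (domain, port, port_type, tclass), n in port_bind_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {domain} denied bind to {tclass} port {port} ({port_type})")
        print("  " + raw_allow_rule(domain, port_type, tclass))
```

The raw rule is only a readable summary of what was denied; a policy module would normally express it through the reference-policy interfaces rather than a bare allow statement.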
Comment 2 Lukas Zapletal 2014-12-12 11:18:41 EST
I don't get why the httpd process would bind port 5000. Is this pulp related? I need to investigate and reproduce on Monday, was not able to find what the 5000 port is used for.
Comment 3 Jason Montleon 2014-12-12 11:25:00 EST
Looks like it is for crane.

https://github.com/Katello/katello-installer/blob/91002035cf1f3efc4794e32cd966dfb3ea244cc1/modules/crane/manifests/params.pp
Comment 4 Lukas Zapletal 2014-12-12 11:32:35 EST
Jason,

I am introducing downstream.te.in in the downstream repo and making this workaround:

# Pulp crane support
ifdef(`distro_rhel6', `
    corenet_tcp_bind_commplex_port(passenger_t)
',`
    corenet_tcp_bind_commplex_main_port(passenger_t)

')

50add4b..e8e7419  SATELLITE-6.1.0 -> SATELLITE-6.1.0

I haven't scratch-built this yet, maybe there is a typo. If you still have a box, can you give it a try? I need to set up my sat6 instances on Monday, not there yet.

The patch must go into pulp-selinux package upstream.
Comment 5 Lukas Zapletal 2014-12-12 11:36:57 EST
Oh, I see it's a katello installer configuration, then it must go into the foreman-selinux package. We carry those. Will do that. http://projects.theforeman.org/issues/8683
Comment 6 Justin Sherrill 2014-12-12 12:47:11 EST
lzap, can we get this upstream as well in foreman-selinux?  (or create a katello-selinux if needed).

We can't make the tests upstream use selinux until that happens.
Comment 7 Jason Montleon 2014-12-12 15:49:02 EST
Do I misread it or will this only fix RHEL 6? It is an issue on RHEL 7 as well.
Comment 8 Justin Sherrill 2014-12-13 00:23:26 EST
Lukas: Ah, just saw your statement "The patch must go into pulp-selinux package upstream."

I chatted with them and they do not provide an selinux policy on purpose for this for crane since it's a 'deployment decision'.  We might could argue back if you feel it should be in pulp-selinux, but it seems as though the pulp team has no desire for it to be.
Comment 9 Lukas Zapletal 2014-12-15 10:45:46 EST
Yes, sorry for the confusion. It's on our side. See my comment 5.
Comment 10 Lukas Zapletal 2015-01-26 11:26:42 EST
Jason, the upstream patch has moved, it's now in the newly created katello-selinux repository:

https://github.com/Katello/katello-selinux/pull/1

If you want to avoid the new package for 6.1, I can send all the patches into the downstream.te.in file. This is all about cleaning our upstream code.
Comment 14 Elyézer Rezende 2015-02-13 10:07:33 EST
Installation from ISO was also tested.
Comment 15 Elyézer Rezende 2015-02-13 11:12:01 EST
Missed on last comment, this bug was verified on Satellite-6.1.0-RHEL-${OS_VERSION}-20150210.0.
Comment 16 Bryan Kearney 2015-08-11 09:27:03 EDT
This bug is slated to be released with Satellite 6.1.
Comment 17 errata-xmlrpc 2015-08-12 01:20:39 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592
