Bug 1172842 - Satellite 6.1.0 installer fails trying to start httpd if selinux is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: Unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Elyézer Rezende
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-10 21:31 UTC by Jason Montleon
Modified: 2017-02-23 20:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 05:20:39 UTC
Target Upstream Version:
Embargoed:


Attachments
foreman-debug (289.40 KB, application/x-xz), 2014-12-10 21:31 UTC, Jason Montleon


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 8683 | 0 | None | None | None | 2016-04-22 14:54:54 UTC
Red Hat Product Errata | RHSA-2015:1592 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Satellite 6.1.1 on RHEL 6 | 2015-08-12 09:04:35 UTC

Description Jason Montleon 2014-12-10 21:31:37 UTC
Created attachment 966978
foreman-debug

Description of problem:
katello-installer fails if selinux is enabled because httpd can't bind to port 5000

Version-Release number of selected component (if applicable):
el6-smoketest.sat6.lab.eng.bos.redhat.com-foreman-client-1.0-1.noarch
el6-smoketest.sat6.lab.eng.bos.redhat.com-foreman-proxy-1.0-1.noarch
foreman-1.7.0.0-1.2.el6_6sat.noarch
foreman-compute-1.7.0.0-1.2.el6_6sat.noarch
foreman-gce-1.7.0.0-1.2.el6_6sat.noarch
foreman-libvirt-1.7.0.0-1.2.el6_6sat.noarch
foreman-ovirt-1.7.0.0-1.2.el6_6sat.noarch
foreman-postgresql-1.7.0.0-1.2.el6_6sat.noarch
foreman-proxy-1.7.0.1-1.el6_6sat.noarch
foreman-selinux-1.7.0.2-1.el6_6sat.noarch
foreman-vmware-1.7.0.0-1.2.el6_6sat.noarch
katello-2.1.0-1.el6_6sat.noarch
katello-certs-tools-2.1.0-1.el6_6sat.noarch
katello-default-ca-1.0-1.noarch
katello-installer-2.1.1-1.el6_6sat.noarch
katello-server-ca-1.0-1.noarch
pulp-katello-0.3-4.el6sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2-2.el6_6sat.noarch
ruby193-rubygem-foreman_discovery-1.4.1-2.el6_6sat.noarch
ruby193-rubygem-foreman_docker-0.2.0-2.el6_6sat.noarch
ruby193-rubygem-foreman_hooks-0.3.5-2.el6sat.noarch
ruby193-rubygem-foreman-tasks-0.6.10-3.el6_6sat.noarch
ruby193-rubygem-katello-2.1.0.6-1.el6_6sat.noarch
rubygem-hammer_cli_foreman-0.1.3-2.el6_6sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-4.el6_6sat.noarch
rubygem-hammer_cli_katello-0.0.6-1.el6_6sat.noarch


How reproducible:
Always, both on RHEL 6.6 and RHEL 7.0

Steps to Reproduce:
1. Install RHEL 6.6 or 7.0
2. install katello
3. run katello-installer with selinux-enabled

Actual results:
install fails

Expected results:
install succeeds

Additional info:
error:
type=AVC msg=audit(1418243650.344:259): avc:  denied  { name_bind } for  pid=9565 comm="httpd" src=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
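
For triage, the AVC record above can be broken into its fields to show which domain was denied which permission on which port label. The following is an added example, not part of the original report or of the Satellite code base; the function names are hypothetical and the sample input is the record quoted above.

```python
import re

# The AVC record from this report, copied verbatim as sample input.
SAMPLE = ('type=AVC msg=audit(1418243650.344:259): avc:  denied  { name_bind } for  '
          'pid=9565 comm="httpd" src=5000 scontext=unconfined_u:system_r:httpd_t:s0 '
          'tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the fields in one AVC record, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # Contexts are user:role:type:level; policy rules are written against the type.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def port_bind_denials(lines):
    """Yield (comm, port, source_type, target_type) for each denied name_bind."""
    for line in lines:
        f = parse_avc(line)
        if f and f['result'] == 'denied' and 'name_bind' in f['perms'] and 'src' in f:
            yield f['comm'], int(f['src']), f['source_type'], f['target_type']


def equivalent_rule(f):
    """Render the raw allow rule matching the denial, in audit2allow's style."""
    perms = f['perms'][0] if len(f['perms']) == 1 else '{ ' + ' '.join(f['perms']) + ' }'
    return 'allow {} {}:{} {};'.format(f['source_type'], f['target_type'], f['tclass'], perms)


if __name__ == '__main__':
    for comm, port, src, tgt in port_bind_denials([SAMPLE]):
        print('{} ({}) denied name_bind on port {} labelled {}'.format(comm, src, port, tgt))
    print(equivalent_rule(parse_avc(SAMPLE)))
```

The source type in the rendered rule is the domain the kernel actually denied, which is the value to compare against the domain named in any proposed policy change.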

Comment 2 Lukas Zapletal 2014-12-12 16:18:41 UTC
I don't get why httpd process would bind port 5000. Is this pulp related? I need to investigate and reproduce on Monday, was not able to find what the 5000 port is used for.

Comment 3 Jason Montleon 2014-12-12 16:25:00 UTC
Looks like it is for crane.

https://github.com/Katello/katello-installer/blob/91002035cf1f3efc4794e32cd966dfb3ea244cc1/modules/crane/manifests/params.pp

Comment 4 Lukas Zapletal 2014-12-12 16:32:35 UTC
Jason,

I am introducing downstream.te.in in the downstream repo and making this workaround:

# Pulp crane support
ifdef(`distro_rhel6', `
    corenet_tcp_bind_commplex_port(passenger_t)
',`
    corenet_tcp_bind_commplex_main_port(passenger_t)

')

50add4b..e8e7419  SATELLITE-6.1.0 -> SATELLITE-6.1.0

I haven't scratch-built this yet, maybe there is a typo. If you still have a box, can you give it a try? I need to set up my sat6 instances on Monday, not there yet.

The patch must go into pulp-selinux package upstream.

Comment 5 Lukas Zapletal 2014-12-12 16:36:57 UTC
Oh, I see it's a katello installer configuration, then it must go into foreman-selinux package. We carry those. Will do that. http://projects.theforeman.org/issues/8683

Comment 6 Justin Sherrill 2014-12-12 17:47:11 UTC
lzap, can we get this upstream as well in foreman-selinux?  (or create a katello-selinux if needed).

We can't make the tests upstream use selinux until that happens.

Comment 7 Jason Montleon 2014-12-12 20:49:02 UTC
Do I misread it or will this only fix RHEL 6? It is an issue on RHEL 7 as well.

Comment 8 Justin Sherrill 2014-12-13 05:23:26 UTC
Lukas: Ah, just saw your statement "The patch must go into pulp-selinux package upstream."

I chatted with them and they do not provide an selinux policy on purpose for this for crane since it's a 'deployment decision'.  We might could argue back if you feel it should be in pulp-selinux, but it seems as though the pulp team has no desire for it to be.

Comment 9 Lukas Zapletal 2014-12-15 15:45:46 UTC
Yes, sorry for the confusion. It's on our side. See my comment 5.

Comment 10 Lukas Zapletal 2015-01-26 16:26:42 UTC
Jason, the upstream patch has moved, it's now in the newly created katello-selinux repository:

https://github.com/Katello/katello-selinux/pull/1

If you want to avoid the new package for 6.1, I can send all the patches into the downstream.te.in file. This is all about cleaning our upstream code.

Comment 14 Elyézer Rezende 2015-02-13 15:07:33 UTC
Installation from ISO was also tested.

Comment 15 Elyézer Rezende 2015-02-13 16:12:01 UTC
Missed on last comment, this bug was verified on Satellite-6.1.0-RHEL-${OS_VERSION}-20150210.0.

Comment 16 Bryan Kearney 2015-08-11 13:27:03 UTC
This bug is slated to be released with Satellite 6.1.

Comment 17 errata-xmlrpc 2015-08-12 05:20:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

