Description of problem:

On the RPMs tab I expand Red Hat Enterprise Linux Server, that then lists a bunch of repository sets. If I click the expand arrow to the left of any of the repository sets it sits there for a while and then errors ... "Permission denied - connect(2)"

If I click for more info I see..

Actions::Katello::RepositorySet::ScanCdn
xception: Errno::EACCES: Permission denied - connect(2)

/var/log/foreman/production.log

Processing by Katello::ProductsController#available_repositories as */*
Parameters: {"content_id"=>"867", "_"=>"1419620712264", "id"=>"103"}
Permission denied - connect(2) (Errno::EACCES)
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `initialize'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `open'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `block in connect'
/opt/rh/ruby193/root/usr/share/ruby/timeout.rb:55:in `timeout'
/opt/rh/ruby193/root/usr/share/ruby/timeout.rb:100:in `timeout'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `connect'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:756:in `do_start'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:745:in `start'
/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/resources/cdn.rb:80:in `get'
/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/util/cdn_var_substitutor.rb:154:in `get_substitutions_from'

/var/log/audit/audit.log

type=AVC msg=audit(1419621937.157:5357): avc: denied { name_connect } for pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1419621937.157:5357): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fe6909007e0 a2=10 a3=3 items=0 ppid=1 pid=31266 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Version-Release number of selected component (if applicable):

Satellite 6.0.6 on RHEL7

How reproducible:

see above

Actual results:

see logs noted above

Expected results:

proxy installation should provide the correct selinux configuration to allow repositories to be accessed

katello-installer --katello-proxy-password="" --katello-proxy-username="" --katello-proxy-url="http://dell-per720-1.gsslab.rdu2.redhat.com" --katello-proxy-port="8181"

Additional info:

Workaround for this is to

semanage port -a -t foreman_proxy_port_t -p tcp 8181

http://projects.theforeman.org/projects/foreman/wiki/SELinux
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
I agree we should set this. Since Foreman does not need HTTP proxies and we don't provide any options, this is a katello-installer task to set the SELinux appropriately. Resetting the component to the Installer. The goal is really only to allow HTTP proxy destination port in SELinux in Puppet. Not sure about the priority though.
Added doc text for Release Notes.
*** Bug 1191299 has been marked as a duplicate of this bug. ***
If you re-use a port which is already assigned in selinux policy (such as 8080) then you need to "modify" rather than add the new port

# semanage port -m -t foreman_proxy_port_t -p tcp 8080
Good point, reworded the doco text.
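Added example, not part of the bug thread or of katello-installer: a Python helper that reads name_connect denials like the one in the report and chooses between the "add" and "modify" forms of the semanage command discussed above. It assumes a port whose tcontext is one of the generic range types has no definition of its own; the function names and the second and third sample lines are constructed for illustration.

```python
import re

# Port types the policy applies to whole ranges; a port showing one of these
# has no definition of its own (assumption of this example).
GENERIC_PORT_TYPES = {"port_t", "reserved_port_t", "hi_reserved_port_t",
                      "unreserved_port_t", "ephemeral_port_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ name_connect \}.*?dest=(?P<port>\d+)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\w+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def suggest_port_commands(lines, source_type="passenger_t",
                          target_type="foreman_proxy_port_t"):
    """Turn TCP name_connect denials for source_type into semanage commands."""
    commands = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "tcp_socket":
            continue
        if selinux_type(m["scontext"]) != source_type:
            continue  # denial belongs to another domain; not this bug
        current = selinux_type(m["tcontext"])
        if current == target_type:
            continue  # already labelled; the denial has another cause
        # -a for a port with no definition of its own, -m to relabel one
        action = "-a" if current in GENERIC_PORT_TYPES else "-m"
        cmd = f"semanage port {action} -t {target_type} -p tcp {m['port']}"
        if cmd not in commands:
            commands.append(cmd)
    return commands

# First line is the denial from the report; the other two are constructed.
SAMPLE = [
    'type=AVC msg=audit(1419621937.157:5357): avc: denied { name_connect } for pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1419621999.001:5400): avc: denied { name_connect } for pid=31300 comm="ruby" dest=8080 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1419622000.002:5401): avc: denied { name_connect } for pid=900 comm="httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    print("\n".join(suggest_port_commands(SAMPLE)))
```

The helper only prints suggested commands; confirm the current label with "semanage port -l" before applying one.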
Verified on: Satellite-6.1.0-RHEL-7-20150331.1

Steps to verify:
1. Installed Satellite pointing to an external squid proxy on port 3128.
2. Imported a manifest.
3. Enabled "Red Hat Enterprise Virtualization Agents for RHEL 6 Server RPMs x86_64 6Server" Red Hat repository and synced it.
4. Watched audit.log for AVC and no AVC was emitted during the process:

# tail -f /var/log/audit/audit.log | grep AVC
^C
#
This bug is slated to be released with Satellite 6.1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.