Cause:
Satellite 6 SELinux policy prevents connections to unknown ports.
Consequence:
Since there are no SELinux booleans to add rules for communication through http(s) proxy, there is no way of configuring Satellite with such a proxy.
Fix:
Depending on the target http(s) proxy port (usually 3128 or 8181) assign the required port to the foreman_proxy_port_t SELinux port type. Depending on the port number it must be either added (-a) or modified (-m).
semanage port -a -t foreman_proxy_port_t -p tcp 8181
semanage port -m -t foreman_proxy_port_t -p tcp 3128
No restart is needed; Satellite is allowed to make the connections immediately.
Result:
SELinux will allow communication on desired TCP ports.
Description of problem:
On the RPMs tab I expand Red Hat Enterprise Linux Server, that then lists a bunch of repository sets.
If I click the expand arrow to the left of any of the repository sets it sits there for a while and then errors ... "Permission denied - connect(2)"
If I click for more info I see..
Actions::Katello::RepositorySet::ScanCdn
Exception:
Errno::EACCES: Permission denied - connect(2)
/var/log/foreman/production.log
Processing by Katello::ProductsController#available_repositories as */*
Parameters: {"content_id"=>"867", "_"=>"1419620712264", "id"=>"103"}
Permission denied - connect(2) (Errno::EACCES)
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `initialize'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `open'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `block in connect'
/opt/rh/ruby193/root/usr/share/ruby/timeout.rb:55:in `timeout'
/opt/rh/ruby193/root/usr/share/ruby/timeout.rb:100:in `timeout'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `connect'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:756:in `do_start'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:745:in `start'
/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/resources/cdn.rb:80:in `get'
/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/util/cdn_var_substitutor.rb:154:in `get_substitutions_from'
/var/log/audit/audit.log
type=AVC msg=audit(1419621937.157:5357): avc: denied { name_connect } for pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1419621937.157:5357): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fe6909007e0 a2=10 a3=3 items=0 ppid=1 pid=31266 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
Version-Release number of selected component (if applicable):
Satellite 6.0.6 on RHEL7
How reproducible:
see above
Actual results:
see logs noted above
Expected results:
proxy installation should provide the correct selinux configuration to allow repositories to be accessed
katello-installer --katello-proxy-password="" --katello-proxy-username="" --katello-proxy-url="http://dell-per720-1.gsslab.rdu2.redhat.com" --katello-proxy-port="8181"
Additional info:
Workaround for this is to
semanage port -a -t foreman_proxy_port_t -p tcp 8181
http://projects.theforeman.org/projects/foreman/wiki/SELinux
Comment 1 RHEL Program Management
2014-12-26 19:54:01 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
I agree we should set this. Since Foreman does not need HTTP proxies and we don't provide any options, this is a katello-installer task to set SELinux appropriately. Resetting the component to the Installer. The goal is really only to allow the HTTP proxy destination port in SELinux in Puppet. Not sure about the priority tho.
*** Bug 1191299 has been marked as a duplicate of this bug. ***
Comment 8 Stuart Auchterlonie
2015-02-16 15:25:36 UTC
If you re-use a port which is already assigned in selinux policy (such as 8080)
then you need to "modify" rather than add the new port
# semanage port -m -t foreman_proxy_port_t -p tcp 8080
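The add-versus-modify rule from the Fix text and from the comment above, as an added example that is not part of the original bug report or of Satellite's own tooling: it pulls the denied port out of the AVC record quoted in the description and picks -a or -m from a `semanage port -l` listing. The function names and the embedded listing are constructed for illustration, and treating a port that is only covered by a range (as 8181 is by unreserved_port_t) as unassigned is an assumption of the example.

```shell
# Constructed sample of `semanage port -l` output, not captured from a real host.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

foreman_proxy_port_t           tcp      8443
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
squid_port_t                   tcp      3128, 3401, 4827
unreserved_port_t              tcp      61001-65535, 1024-32767'

# AVC record quoted from the bug description.
SAMPLE_AVC='type=AVC msg=audit(1419621937.157:5357): avc: denied { name_connect } for pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Print the destination port of a name_connect denial raised by passenger_t.
avc_dest_port() {
    printf '%s\n' "$1" |
        sed -n '/denied  *{ name_connect }.*scontext=[^ ]*:passenger_t:/s/.* dest=\([0-9][0-9]*\) .*/\1/p'
}

# Print the type that lists PORT individually for tcp. Prints nothing when the
# port is unlisted or only covered by a range (assumption: treated as unassigned).
port_type() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p == port) { print $1; exit }
            }
        }'
}

# Print the semanage command for PORT: -m when the policy already assigns the
# port, -a otherwise, and nothing when it already has the wanted type.
semanage_cmd() {
    current=$(port_type "$1" "$2")
    case "$current" in
        foreman_proxy_port_t) return 0 ;;
        '') action=-a ;;
        *)  action=-m ;;
    esac
    echo "semanage port $action -t foreman_proxy_port_t -p tcp $2"
}

# On a Satellite host the listing would come from: semanage port -l
semanage_cmd "$SAMPLE_PORTS" "$(avc_dest_port "$SAMPLE_AVC")"
```

A port has one type for the whole host, so using -m on a port such as 3128 takes it away from its previous type (squid_port_t in the sample) for every domain. Check that no local service depends on the old label before running the printed command.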
Verified on: Satellite-6.1.0-RHEL-7-20150331.1
Steps to verify:
1. Installed Satellite pointing to an external squid proxy on port 3128.
2. Imported a manifest
3. Enabled "Red Hat Enterprise Virtualization Agents for RHEL 6 Server RPMs x86_64 6Server" Red Hat repository and synced it.
4. Watched audit.log for AVC and no AVC was emitted during the process:
# tail -f /var/log/audit/audit.log | grep AVC
^C
#
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2015:1592
Comment 15 Red Hat Bugzilla
2023-09-14 02:52:42 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days