Bug 1177377 - Satellite 6.1 does not work with http proxy due to SELinux denials
Summary: Satellite 6.1 does not work with http proxy due to SELinux denials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.0.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Elyézer Rezende
URL:
Whiteboard:
Duplicates: 1191299
Depends On:
Blocks:
 
Reported: 2014-12-26 19:42 UTC by Dave Sullivan
Modified: 2023-09-14 02:52 UTC
CC List: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The Satellite 6 SELinux policy prevents Satellite from connecting to unknown ports.
Consequence: Since there are no SELinux booleans to add rules for communication through an http(s) proxy, there is no way of configuring Satellite with such a proxy.
Fix: Depending on the target http(s) proxy port (usually 3128 or 8181), assign the required port to the foreman_proxy_port_t SELinux port type. Depending on the port number it must be either added (-a) or modified (-m):

semanage port -a -t foreman_proxy_port_t -p tcp 8181
semanage port -m -t foreman_proxy_port_t -p tcp 3128

No restart is needed; Satellite will instantly be allowed to make connections.
Result: SELinux will allow communication on the desired TCP ports.
Clone Of:
Environment:
Last Closed: 2015-08-12 05:21:04 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1444361 0 medium CLOSED Satellite 6.2 does not work with http proxy due to SELinux denials 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 1537943 0 None None None Never
Red Hat Product Errata RHSA-2015:1592 0 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 09:04:35 UTC

Internal Links: 1444361

Description Dave Sullivan 2014-12-26 19:42:55 UTC
Description of problem:

On the RPMs tab I expand Red Hat Enterprise Linux Server, that then lists a bunch of repository sets.

If I click the expand arrow to the left of any of the repository sets it sits there for a while and then errors ... "Permission denied - connect(2)"

If I click for more info I see:

Actions::Katello::RepositorySet::ScanCdn

Exception:

Errno::EACCES: Permission denied - connect(2)

/var/log/foreman/production.log

Processing by Katello::ProductsController#available_repositories as */*
  Parameters: {"content_id"=>"867", "_"=>"1419620712264", "id"=>"103"}
Permission denied - connect(2) (Errno::EACCES)
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `initialize'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `open'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `block in connect'
/opt/rh/ruby193/root/usr/share/ruby/timeout.rb:55:in `timeout'
/opt/rh/ruby193/root/usr/share/ruby/timeout.rb:100:in `timeout'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:763:in `connect'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:756:in `do_start'
/opt/rh/ruby193/root/usr/share/ruby/net/http.rb:745:in `start'
/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/resources/cdn.rb:80:in `get'
/opt/rh/ruby193/root/usr/share/gems/gems/katello-1.5.0/app/lib/katello/util/cdn_var_substitutor.rb:154:in `get_substitutions_from'

/var/log/audit/audit.log

type=AVC msg=audit(1419621937.157:5357): avc:  denied  { name_connect } for  pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1419621937.157:5357): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fe6909007e0 a2=10 a3=3 items=0 ppid=1 pid=31266 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)


Version-Release number of selected component (if applicable):

Satellite 6.0.6 on RHEL7 


How reproducible:


see above

Actual results:

see logs noted above


Expected results:

proxy installation should provide the correct selinux configuration to allow repositories to be accessed 

katello-installer --katello-proxy-password="" --katello-proxy-username="" --katello-proxy-url="http://dell-per720-1.gsslab.rdu2.redhat.com" --katello-proxy-port="8181"


Additional info:

Workaround for this is to

semanage port -a -t foreman_proxy_port_t -p tcp 8181

http://projects.theforeman.org/projects/foreman/wiki/SELinux

Comment 1 RHEL Program Management 2014-12-26 19:54:01 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Lukas Zapletal 2015-01-02 13:54:03 UTC
I agree we should set this. Since Foreman does not need HTTP proxies and we don't provide any options, this is a katello-installer task to set the SELinux appropriately. Resetting the component to the Installer. The goal is really only to allow the HTTP proxy destination port in SELinux in Puppet. Not sure about the priority tho.

Comment 6 Lukas Zapletal 2015-02-16 09:25:29 UTC
Added doc text for Release Notes.

Comment 7 Lukas Zapletal 2015-02-16 09:28:13 UTC
*** Bug 1191299 has been marked as a duplicate of this bug. ***

Comment 8 Stuart Auchterlonie 2015-02-16 15:25:36 UTC
If you re-use a port which is already assigned in selinux policy (such as 8080)
then you need to "modify" rather than add the new port

# semanage port -m -t foreman_proxy_port_t -p tcp 8080
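The Doc Text and Comment 8 leave one decision to the administrator: whether the proxy port needs `semanage port -a` (the port is still unlabeled, i.e. `unreserved_port_t`, as in the AVC quoted in the description) or `semanage port -m` (the port is already assigned to another type, such as 3128 under `squid_port_t` or 8080). The following POSIX shell script is an added example, not part of the bug report, the Satellite installer or foreman-selinux. It reads the destination port and target type out of an AVC line and looks the port up in `semanage port -l` output, then prints the command that applies. The AVC line is the one quoted in this bug; the `semanage port -l` listing is a constructed sample that follows the real output format (the `foreman_proxy_port_t` on 9090 row is an assumption used only to exercise the "already labeled" branch).

```shell
#!/bin/sh
# Added example: pick between `semanage port -a` and `semanage port -m`
# for the http(s) proxy port, based on an AVC denial and `semanage port -l`.

# AVC line quoted in the bug description (dest=8181, tcontext unreserved_port_t).
SAMPLE_AVC='type=AVC msg=audit(1419621937.157:5357): avc:  denied  { name_connect } for  pid=31266 comm="ruby" dest=8181 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Constructed sample of `semanage port -l` output (type, protocol, port list).
# The foreman_proxy_port_t 9090 row is an assumption for illustration only.
SAMPLE_LISTING='foreman_proxy_port_t           tcp      9090
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
squid_port_t                   tcp      3128, 3401, 4827'

# Destination port the denied connect() targeted.
avc_dest_port() {
    printf '%s\n' "$1" | sed -n 's/.*dest=\([0-9]*\).*/\1/p'
}

# SELinux type of the destination port (third field of tcontext).
# unreserved_port_t means no policy claims the port yet.
avc_dest_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Type currently covering PORT for PROTO in a `semanage port -l` listing,
# or empty output if the port is unlabeled. Handles both "80, 81" lists
# and "10001-10010" ranges.
port_type_for() {
    listing="$1"; proto="$2"; port="$3"
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; gsub(",", "", p)
                if (p == port) { print $1; exit }
                n = split(p, r, "-")
                if (n == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                    print $1; exit
                }
            }
        }'
}

# The semanage invocation that assigns PORT to foreman_proxy_port_t:
#   -a when nothing labels the port yet, -m when another type already does.
semanage_command_for() {
    listing="$1"; port="$2"
    current=$(port_type_for "$listing" tcp "$port")
    case "$current" in
        "")                   echo "semanage port -a -t foreman_proxy_port_t -p tcp $port" ;;
        foreman_proxy_port_t) echo "# port $port already labeled foreman_proxy_port_t; nothing to do" ;;
        *)                    echo "semanage port -m -t foreman_proxy_port_t -p tcp $port" ;;
    esac
}

# Demo against the embedded samples.
port=$(avc_dest_port "$SAMPLE_AVC")
echo "AVC: dest port $port currently labeled $(avc_dest_type "$SAMPLE_AVC")"
for p in "$port" 3128 8080; do
    semanage_command_for "$SAMPLE_LISTING" "$p"
done
```

On a real host, replace the samples with `semanage port -l` output and the AVC line from `/var/log/audit/audit.log`; the `tcontext` check alone is already conclusive, since `unreserved_port_t` is exactly the case where `-a` is needed and any other type means `-m`.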

Comment 9 Lukas Zapletal 2015-02-17 13:22:15 UTC
Good point, reworded the doco text.

Comment 11 Elyézer Rezende 2015-04-06 18:38:35 UTC
Verified on: Satellite-6.1.0-RHEL-7-20150331.1

Steps to verify:

1. Installed Satellite pointing to an external squid proxy on port 3128.
2. Imported a manifest
3. Enabled "Red Hat Enterprise Virtualization Agents for RHEL 6 Server RPMs x86_64 6Server" Red Hat repository and synced it.
4. Watched audit.log for AVC and no AVC was emitted during the process:

# tail -f /var/log/audit/audit.log | grep AVC
^C
#

Comment 12 Bryan Kearney 2015-08-11 13:26:44 UTC
This bug is slated to be released with Satellite 6.1.

Comment 13 errata-xmlrpc 2015-08-12 05:21:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

Comment 15 Red Hat Bugzilla 2023-09-14 02:52:42 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

