Red Hat Bugzilla – Bug 1202994
SELinux prevents from remote SMTP delivery
Last modified: 2017-02-23 15:17:22 EST
Created attachment 1002957
Mail Preference

Description of problem:
I noticed that whenever I attempt to publish or promote a content view (composite or non-composite, with YUM or Docker based repos), there is a failed attempt to send an email notification:

==> /var/log/foreman/production.log <==
2015-03-17 15:10:11 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/_host_dashboard.html.erb (0.6ms)
2015-03-17 15:10:11 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.html.erb (2.8ms)
2015-03-17 15:10:11 [I] Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.text.erb (1.4ms)
2015-03-17 15:10:11 [I] Sent mail to omaciel@<EDITED> (12ms)
2015-03-17 15:10:11 [W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

My system is configured to use an SMTP server (I will share my configuration in a second), with iptables running and SELinux in enforcing mode.

Version-Release number of selected component (if applicable):
* Satellite-6.1.0-RHEL-7-20150311.1

How reproducible:

Steps to Reproduce:
1. Update your Admin user account with a valid email address
2. Configure your Mail Preferences as per the attached screenshot
3. Create a custom product and YUM-based repo and sync it
4. Create a content view (non-composite) and add the repo from above
5. Publish this content view while watching /var/log/foreman/production.log

Actual results:
[W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

Expected results:

Additional info:
Created attachment 1003278
foreman-debug

Attaching foreman-debug log.
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1426692731.477:3064): avc: denied { name_connect } for pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
It's SELinux, passenger needs ability to talk to 25:

type=AVC msg=audit(1426692731.477:3064): avc: denied { name_connect } for pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Interesting, we should have it in our policy already. Workaround is to allow this port or use permissive mode.
I think we only allow local send; if satellite6 was configured with a remote MTA via SMTP protocol, that will likely get blocked.
https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/blob/SATELLITE-6.1.0/foreman.te#L269
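The diagnosis above can be reproduced mechanically from the two audit records quoted in this bug. The following is an added example, not part of the original bug comments or of foreman-selinux: it joins the AVC and SYSCALL records by audit event id and derives the type-enforcement rule the denial corresponds to. The function names and the SAMPLE constant are hypothetical.

```python
import errno
import re

# Sample input: the AVC and SYSCALL records quoted in this bug report.
SAMPLE = '''type=AVC msg=audit(1426692731.477:3064): avc: denied { name_connect } for pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
'''

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+'
                    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\): (?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _fields(text):
    """Split 'key=value key="value"' audit fields into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_denials(log_text):
    """Return one dict per AVC denial, joined with its SYSCALL record by event id."""
    lines = log_text.splitlines()
    syscalls = {m['event']: _fields(m['fields'])
                for m in map(SYSCALL_RE.match, lines) if m}
    denials = []
    for m in filter(None, map(AVC_RE.match, lines)):
        f = _fields(m['fields'])
        sc = syscalls.get(m['event'], {})
        code = sc.get('exit')
        denials.append({
            'event': m['event'], 'perms': m['perms'].split(),
            # A context is user:role:type:level; policy rules use only the type.
            'source': f['scontext'].split(':')[2],
            'target': f['tcontext'].split(':')[2],
            'tclass': f['tclass'], 'dest': f.get('dest'), 'exe': sc.get('exe'),
            # The kernel returns -errno; -13 is EACCES, which the Rails log
            # reports as "Permission denied - connect(2)".
            'errno': errno.errorcode.get(-int(code)) if code else None,
        })
    return denials

def te_rule(d):
    """Render the denial as the allow rule it would take to permit it."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

if __name__ == '__main__':
    for d in parse_denials(SAMPLE):
        print(d['exe'], d['errno'], 'dest', d['dest'], '->', te_rule(d))
```

The derived rule lets every process in passenger_t connect to any port labelled smtp_port_t, not only this one mail relay, so it is worth reviewing against the shipped policy before loading it as a local module.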
Moving back to MODIFIED as we had to roll this back for:
https://bugzilla.redhat.com/show_bug.cgi?id=1204301
Please apply the same patch, this one did not cause the getattr issue.
This same error happens when the Puppet error state notification email is triggered.

Note to QE: Check notification emails for
1. Publish
2. Promote
3. Puppet error state
Installed S8C1 and so far:
* Sync of RH repos sent me a notify email (SATELLITE SYNC SUMMARY)
* Publishing Content View sent me a notify email (SATELLITE PROMOTION SUMMARY)
* Promoting Content View sent me a notify email (SATELLITE PROMOTION SUMMARY, same as Publishing it)
* Today I received a Puppet Summary Report email
* Received a SATELLITE HOST ADVISORY email
Verified by QE on Satellite-6.1.0-RHEL-7-20150324.0 build.
This bug is slated to be released with Satellite 6.1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2015:1592