Bug 1202994 - SELinux prevents from remote SMTP delivery
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Usability
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Og Maciel
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2015-03-17 20:51 UTC by Og Maciel
Modified: 2019-04-01 20:26 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 05:30:19 UTC
Target Upstream Version:


Attachments
Mail Preference (70.72 KB, image/png)
2015-03-17 20:51 UTC, Og Maciel
foreman-debug (358.58 KB, application/octet-stream)
2015-03-18 14:53 UTC, Og Maciel


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 9825 | 0 | None | None | None | 2016-04-22 15:08:18 UTC
Red Hat Product Errata | RHSA-2015:1592 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Satellite 6.1.1 on RHEL 6 | 2015-08-12 09:04:35 UTC

Description Og Maciel 2015-03-17 20:51:02 UTC
Created attachment 1002957 [details]
Mail Preference

Description of problem:

I noticed that whenever I attempt to publish or promote a content view (composite or non-composite, with YUM or Docker based repos), there is a failed attempt to send an email notification:

==> /var/log/foreman/production.log <==
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/_host_dashboard.html.erb (0.6ms)
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.html.erb (2.8ms)
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.text.erb (1.4ms)
2015-03-17 15:10:11 [I]
Sent mail to omaciel@<EDITED> (12ms)
2015-03-17 15:10:11 [W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

My system is configured to use an SMTP server (I will share my configuration in a second), with iptables running and SELinux in enforcing mode.


Version-Release number of selected component (if applicable):

* Satellite-6.1.0-RHEL-7-20150311.1

How reproducible:


Steps to Reproduce:
1. Update your Admin user account with a valid email address 
2. Configure your Mail Preferences (as per the attached screenshot)
3. Create a custom product and YUM-based repo and sync it
4. Create a content view (non-composite) and add the repo from above
5. Publish this content view while watching /var/log/foreman/production.log

Actual results:

[W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

Expected results:


Additional info:

Comment 5 Og Maciel 2015-03-18 14:53:12 UTC
Created attachment 1003278 [details]
foreman-debug

Attaching foreman-debug log.

Comment 6 Og Maciel 2015-03-18 15:34:29 UTC
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Comment 7 Stephen Benjamin 2015-03-18 15:35:11 UTC
It's SELinux, passenger needs ability to talk to 25

type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket

Comment 8 Lukas Zapletal 2015-03-18 16:23:22 UTC
Interesting, we should have it in our policy already.

The workaround is to allow this port or use permissive mode.
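
The denial quoted in comments 6 and 7, decoded as an added example (not part of the bug thread and not the foreman-selinux policy): it pairs the AVC record with its SYSCALL record by audit serial and derives the type-enforcement rule the denial corresponds to, the way audit2allow-style tooling does. The function names are hypothetical, and the derived rule is not claimed to be the fix that shipped.

```python
import re

# Records copied from comment 6 of this bug. arch=c000003e is x86_64, where
# syscall 42 is connect(2); exit=-13 is EACCES ("Permission denied - connect(2)").
AUDIT_LOG = '''\
type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
'''

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    # key=value pairs of one audit record, with surrounding quotes removed
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_denials(log):
    """Group records by audit serial and merge each AVC denial with its SYSCALL record."""
    events = {}
    for line in log.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.setdefault(m.group(3), {})[m.group(1)] = m.group(4)
    denials = []
    for serial, recs in events.items():
        avc = AVC_RE.match(recs.get("AVC", ""))
        if not avc:
            continue
        d = fields(avc.group(2))
        d.update(perms=avc.group(1).split(), serial=serial,
                 syscall=fields(recs.get("SYSCALL", "")))
        denials.append(d)
    return denials

def te_rule(denial):
    """Rule covering the denial: allow <source type> <target type>:<class> <perms>;"""
    src = denial["scontext"].split(":")[2]   # type is the 3rd field of user:role:type:level
    tgt = denial["tcontext"].split(":")[2]
    perms = denial["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{denial['tclass']} {perm_s};"

if __name__ == "__main__":
    for d in parse_denials(AUDIT_LOG):
        print(f"serial {d['serial']}: {d['comm']} -> port {d['dest']}, "
              f"syscall {d['syscall']['syscall']} exit {d['syscall']['exit']}")
        print(te_rule(d))
```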

Comment 10 Lukas Zapletal 2015-03-19 10:18:53 UTC
I think we only allow local send, if satellite6 was configured with a remote MTA via SMTP protocol, that will likely get blocked.

https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/blob/SATELLITE-6.1.0/foreman.te#L269

Comment 14 Mike McCune 2015-03-20 21:46:03 UTC
Moving back to MODIFIED as we had to roll this back for:

https://bugzilla.redhat.com/show_bug.cgi?id=1204301

Comment 15 Lukas Zapletal 2015-03-23 11:38:33 UTC
Please apply the same patch, this one did not cause the getattr issue.

Comment 17 sthirugn@redhat.com 2015-03-25 20:44:58 UTC
This same error happens when the Puppet error state notification email is triggered.

Note to QE:
Check notification emails for
1. Publish
2. Promote
3. Puppet error state

Comment 18 Og Maciel 2015-03-25 22:39:56 UTC
Installed S8C1 and so far:

* Sync of RH repos sent me a notify email (SATELLITE SYNC SUMMARY)

Comment 19 Og Maciel 2015-03-26 00:43:30 UTC
* Publishing Content View sent me a notify email (SATELLITE PROMOTION SUMMARY)

Comment 20 Og Maciel 2015-03-26 00:49:51 UTC
* Promoting Content View sent me a notify email (SATELLITE PROMOTION SUMMARY, same as Publishing it)

Comment 21 Og Maciel 2015-03-26 12:25:41 UTC
* Today I received a Puppet Summary Report email

Comment 22 Og Maciel 2015-03-26 12:26:33 UTC
* Received a SATELLITE HOST ADVISORY email

Comment 23 Og Maciel 2015-03-26 21:50:41 UTC
Verified by QE on Satellite-6.1.0-RHEL-7-20150324.0 build.

Comment 24 Bryan Kearney 2015-08-11 13:22:52 UTC
This bug is slated to be released with Satellite 6.1.

Comment 25 errata-xmlrpc 2015-08-12 05:30:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

