Bug 1202994 - SELinux prevents from remote SMTP delivery
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Usability
6.1.0
Unspecified Unspecified
unspecified Severity high
: Beta
: Unused
Assigned To: Lukas Zapletal
Og Maciel
http://projects.theforeman.org/issues...
: Triaged
Reported: 2015-03-17 16:51 EDT by Og Maciel
Modified: 2017-02-23 15:17 EST

Doc Type: Bug Fix
Last Closed: 2015-08-12 01:30:19 EDT
Type: Bug


Attachments
Mail Preference (70.72 KB, image/png)
2015-03-17 16:51 EDT, Og Maciel
foreman-debug (358.58 KB, application/octet-stream)
2015-03-18 10:53 EDT, Og Maciel


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 9825 | None | None | None | 2016-04-22 11:08 EDT
Red Hat Product Errata | RHSA-2015:1592 | normal | SHIPPED_LIVE | Important: Red Hat Satellite 6.1.1 on RHEL 6 | 2015-08-12 05:04:35 EDT

Description Og Maciel 2015-03-17 16:51:02 EDT
Created attachment 1002957 [details]
Mail Preference

Description of problem:

I noticed that whenever I attempt to publish or promote a content view (composite or non-composite, with YUM or Docker based repos), there is a failed attempt to send an email notification:

==> /var/log/foreman/production.log <==
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/_host_dashboard.html.erb (0.6ms)
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.html.erb (2.8ms)
2015-03-17 15:10:11 [I]   Rendered /opt/rh/ruby193/root/usr/share/gems/gems/katello-2.2.0.21/app/views/katello/errata_mailer/promote_errata.text.erb (1.4ms)
2015-03-17 15:10:11 [I]
Sent mail to omaciel@<EDITED> (12ms)
2015-03-17 15:10:11 [W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

My system is configured to use an smtp server (I will share my configuration in a second), with iptables running and selinux in enforcing mode.


Version-Release number of selected component (if applicable):

* Satellite-6.1.0-RHEL-7-20150311.1

How reproducible:


Steps to Reproduce:
1. Update your Admin user account with a valid email address 
2. Configure your Mail Preferences as per the attached screenshot
3. Create a custom product and YUM-based repo and sync it
4. Create a content view (non-composite) and add the repo from above
5. Publish this content view while watching /var/log/foreman/production.log

Actual results:

[W] Failed to send email notification satellite_promote_errata: Permission denied - connect(2)

Expected results:


Additional info:
Comment 5 Og Maciel 2015-03-18 10:53:12 EDT
Created attachment 1003278 [details]
foreman-debug

Attaching foreman-debug log.
Comment 6 Og Maciel 2015-03-18 11:34:29 EDT
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
Comment 7 Stephen Benjamin 2015-03-18 11:35:11 EDT
It's selinux, passenger needs ability to talk to 25

type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
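Added example (not part of the bug report or of the foreman-selinux policy): a small Python parser that pairs the AVC and SYSCALL records from comment 6 by their audit event serial, showing that the EACCES returned by connect(2) in production.log is the passenger_t to smtp_port_t name_connect denial. The function names are illustrative assumptions, and the rendered allow rule is the type-enforcement statement the denial corresponds to, not the patch shipped in the erratum.

```python
import errno
import re

# Audit records copied from comment 6 of this bug.
SAMPLE = """\
type=AVC msg=audit(1426692731.477:3064): avc:  denied  { name_connect } for  pid=14334 comm="ruby" dest=25 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1426692731.477:3064): arch=c000003e syscall=42 success=no exit=-13 a0=16 a1=7faa0d2c1cf0 a2=10 a3=3 items=0 ppid=1 pid=14334 auid=4294967295 uid=995 gid=994 euid=995 suid=995 fsuid=995 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
"""
HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
X86_64_SYSCALLS = {42: "connect"}  # only the call seen here; arch=c000003e is x86_64


def sel_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def explain_denials(text):
    """Join AVC and SYSCALL records sharing an event serial; summarise each denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        pm = PERMS.search(body)
        if rtype == "AVC" and pm:
            fields["perms"] = pm.group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    out = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        src, tgt = sel_type(avc["scontext"]), sel_type(avc["tcontext"])
        out.append({
            "serial": serial,
            "process": sc.get("exe", avc.get("comm")),
            "syscall": X86_64_SYSCALLS.get(int(sc.get("syscall", -1)), "unknown"),
            "errno": errno.errorcode.get(-int(sc.get("exit", 0)), "unknown"),
            "dest_port": int(avc["dest"]) if "dest" in avc else None,
            # TE rule the denial corresponds to; not the patch shipped in the erratum.
            "rule": f"allow {src} {tgt}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
        })
    return out
```

Calling `explain_denials(SAMPLE)` returns one entry for event 3064, tying the Ruby process under passenger_t to the blocked connect to port 25.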
Comment 8 Lukas Zapletal 2015-03-18 12:23:22 EDT
Interesting, we should have it in our policy already.

Workaround is to allow this port or permissive.
Comment 10 Lukas Zapletal 2015-03-19 06:18:53 EDT
I think we only allow local send, if satellite6 was configured with a remote MTA via SMTP protocol, that will likely get blocked.

https://gitlab.sat.lab.tlv.redhat.com/satellite6/foreman-selinux/blob/SATELLITE-6.1.0/foreman.te#L269
Comment 14 Mike McCune 2015-03-20 17:46:03 EDT
moving back to MODIFIED as we had to roll this back for:

https://bugzilla.redhat.com/show_bug.cgi?id=1204301
Comment 15 Lukas Zapletal 2015-03-23 07:38:33 EDT
Please apply the same patch, this one did not cause the getattr issue.
Comment 17 sthirugn@redhat.com 2015-03-25 16:44:58 EDT
This same error happens when the Puppet error state notification email is triggered.

Note to QE: 
Check notification emails for 
1. Publish
2. promote
3. Puppet error state
Comment 18 Og Maciel 2015-03-25 18:39:56 EDT
Installed S8C1 and so far:

* Sync of RH repos sent me a notify email (SATELLITE SYNC SUMMARY)
Comment 19 Og Maciel 2015-03-25 20:43:30 EDT
* Publishing Content View sent me a notify email (SATELLITE PROMOTION SUMMARY)
Comment 20 Og Maciel 2015-03-25 20:49:51 EDT
* Promoting Content View sent me a notify email (SATELLITE PROMOTION SUMMARY, same as Publishing it)
Comment 21 Og Maciel 2015-03-26 08:25:41 EDT
* Today I received a Puppet Summary Report email
Comment 22 Og Maciel 2015-03-26 08:26:33 EDT
* Received a SATELLITE HOST ADVISORY email
Comment 23 Og Maciel 2015-03-26 17:50:41 EDT
Verified by QE on Satellite-6.1.0-RHEL-7-20150324.0 build.
Comment 24 Bryan Kearney 2015-08-11 09:22:52 EDT
This bug is slated to be released with Satellite 6.1.
Comment 25 errata-xmlrpc 2015-08-12 01:30:19 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592
