Bug 1317011 - connection to docker compute resource is refused with 'Permission denied - connect(2)'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1319294 1321142
Depends On:
Blocks: GSS_Sat6Beta_Tracker, GSS_Sat6_Tracker
Reported: 2016-03-11 17:10 UTC by Lukas Pramuk
Modified: 2019-09-26 14:46 UTC
CC List: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 09:06:14 UTC
Target Upstream Version:
Embargoed:

Links:
Foreman Issue Tracker 13502 (Normal, Closed): Build failure on RHEL 7.2 - docker moved to separate package (last updated 2019-12-09 14:26:25 UTC)
Red Hat Product Errata RHBA-2016:1500 (normal, SHIPPED_LIVE): Red Hat Satellite 6.2 Base Libraries (last updated 2016-07-27 12:24:38 UTC)

Description Lukas Pramuk 2016-03-11 17:10:25 UTC
Description of problem:
Test Connection to local docker compute resource unix:///var/run/docker.sock is refused with 'Permission denied - connect(2)'

Version-Release number of selected component (if applicable):
@Sat6.2.0-Beta-SNAP2

How reproducible:
100%

Steps to Reproduce:

1. prepare docker host on sat6 machine (install katello certs, add foreman to docker grp, set docker to run under docker grp, restart docker)

2. UI: navigate to Infrastructure > Compute resources > New compute resource

3. UI: on the Compute resource tab set the URL to 'unix:///var/run/docker.sock' and hit Test Connection; an error message is displayed:
 "Permission denied - connect(2) for /var/run/docker.sock (Errno::EACCES)"


Actual results:
test connection fails with error

Expected results:
test connection is successful

Additional info:
Behind the refused connection there are SELinux denials:

avc:  denied  { connectto } for  pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket

# audit2allow -a


#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:file { read getattr open };

Comment 3 Lukas Pramuk 2016-03-13 12:26:43 UTC
Test Connection to *remote* docker compute resource http://<DOCKER_HOST>:2375 is *also* refused with some more SELinux denials:

# audit2allow -a


#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { read getattr open };

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t unreserved_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t zarafa_port_t:tcp_socket name_connect;

Comment 4 Lukas Zapletal 2016-03-15 12:07:29 UTC
cat /etc/redhat-release

rpm -q docker-selinux

Comment 5 Lukas Zapletal 2016-03-15 12:11:31 UTC
Assuming this was broken by pulling out docker policy from RHEL base core policy to separate subpackage, you only need to install docker-selinux to get it all working. Please confirm and we will add RPM dependency.

Comment 6 Lukas Pramuk 2016-03-15 13:14:59 UTC
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# rpm -q docker-selinux
docker-selinux-1.8.2-8.el7.x86_64

Comment 7 Lukas Pramuk 2016-03-15 20:18:35 UTC
# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on
passenger_can_connect_http_proxy --> on
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_connect_smtp --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
<empty>

-------------------------------
With Satellite 6.1.7 @RHEL7.2 it works:

# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376

Comment 8 Lukas Pramuk 2016-03-16 12:29:00 UTC
During Satellite installation there is a related error:

...
  Installing : foreman-selinux-1.11.0-1.el7sat.noarch                   468/580
 
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0-1.el7sat.noarch

  Installing : katello-selinux-3.0.1.0-1. [                           ] 469/580
...
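
Added example, not from the bug report or from Foreman/Satellite: a POSIX shell triage helper that encodes the checks in comments 3, 7 and 8 (parse the AVC record, confirm the relevant passenger_* boolean is on, confirm docker_port_t is defined) against embedded sample input. The unix-socket AVC and the boolean lines are copied from this bug; the TCP AVC line is constructed from the audit2allow output in comment 3, and the verdict names and the function names are my own.

```shell
#!/bin/sh
# Added triage helper (not Foreman's code): classify one AVC denial using the
# output of `getsebool -a` and `semanage port -l`. Inputs are passed as strings
# so it runs offline; on a host, feed it `ausearch -m avc`, getsebool and semanage.

# Print "source_type target_type tclass permission" for one AVC record.
avc_fields() {
  printf '%s\n' "$1" | sed -n \
    's/.*denied *{ *\([a-z_]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Print on, off or missing for boolean $2 in the getsebool output $1.
bool_state() {
  printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3; f = 1 } END { if (!f) print "missing" }'
}

# Print a one-word verdict and an explanation. $1 AVC record, $2 booleans, $3 ports.
triage() {
  bools=$2; ports=$3
  set -- $(avc_fields "$1")          # word-split on purpose: $1 src $2 tgt $3 class $4 perm
  case "$2/$3" in
    docker_t/unix_stream_socket) b=passenger_can_connect_docker_unix ;;
    */tcp_socket)                b=passenger_can_connect_docker_tcp ;;
    *) echo "UNHANDLED ${1:-?} -> ${2:-?}:${3:-?} ${4:-?} is not a docker connection"; return 0 ;;
  esac
  state=$(bool_state "$bools" "$b")
  if [ "$state" != on ]; then
    echo "BOOLEAN_OFF $b is $state; enable it before looking at the policy build"
  elif ! printf '%s\n' "$ports" | grep -q '^docker_port_t'; then
    echo "MISSING_PORT_TYPE $b is on yet $4 is denied and docker_port_t is undefined; the foreman-selinux policy did not install cleanly (compare the failed foreman-selinux %post in this bug)"
  else
    echo "NEEDS_MODULE $b is on and docker_port_t exists; $4 on $2:$3 is not covered by the boolean"
  fi
  return 0
}

# Samples: the unix AVC and boolean lines are copied from this bug; the tcp AVC is
# constructed from the audit2allow output in comment 3.
AVC_UNIX='avc:  denied  { connectto } for  pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket'
AVC_TCP='avc:  denied  { name_connect } for  pid=72737 comm="diagnostic_con*" dest=2375 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
BOOLS_62='passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on'
PORTS_62=''                                                   # Satellite 6.2 beta: semanage port -l | grep docker is empty
PORTS_617='docker_port_t                  tcp      2375-2376'  # Satellite 6.1.7 on RHEL 7.2

triage "$AVC_UNIX" "$BOOLS_62" "$PORTS_62"     # MISSING_PORT_TYPE ...
triage "$AVC_TCP"  "$BOOLS_62" "$PORTS_617"    # NEEDS_MODULE ...
```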

Comment 10 Brad Buckingham 2016-03-18 18:25:42 UTC
*** Bug 1319294 has been marked as a duplicate of this bug. ***

Comment 13 Lukas Pramuk 2016-03-24 08:14:33 UTC
FailedQA.

@Sat6.2.0-Beta-SNAP5
foreman-selinux-1.11.0-1.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Comment 19 Stephen Benjamin 2016-03-24 19:00:09 UTC
*** Bug 1321142 has been marked as a duplicate of this bug. ***

Comment 20 Lukas Pramuk 2016-03-31 12:19:00 UTC
VERIFIED.

@Sat6.2.0-Beta-Snap6
foreman-selinux-1.11.0.0-2.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Connections to a local docker using both the unix socket (unix:///var/run/docker.sock) and tcp (http://localhost:2375 or http://<hostname>:2375) succeed.

Connection to a remote docker (http://<FQDN>:2375) is also successful.

Yay.

Comment 22 errata-xmlrpc 2016-07-27 09:06:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500