Bug 1317011 - connection to docker compute resource is refused with 'Permission denied - connect(2)'
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: SELinux
Version: 6.2.0
Hardware/OS: Unspecified Unspecified
Priority: unspecified
Severity: high
Target Milestone: Beta
Target Release: --
Assigned To: Lukas Zapletal
QA Contact: Lukas Pramuk
URL: http://projects.theforeman.org/issues...
Keywords: Regression, Triaged
Duplicates: 1319294 1321142
Blocks: GSS_Sat6Beta_Tracker/GSS_Sat6_Tracker

Reported: 2016-03-11 12:10 EST by Lukas Pramuk
Modified: 2016-07-27 05:06 EDT
Last Closed: 2016-07-27 05:06:14 EDT
Doc Type: Bug Fix
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 13502 None None None 2016-04-22 12:11 EDT
Red Hat Product Errata RHBA-2016:1500 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 08:24:38 EDT

Description Lukas Pramuk 2016-03-11 12:10:25 EST
Description of problem:
Test Connection to local docker compute resource unix:///var/run/docker.sock is refused with 'Permission denied - connect(2)'

Version-Release number of selected component (if applicable):
@Sat6.2.0-Beta-SNAP2

How reproducible:
100%

Steps to Reproduce:

1. prepare docker host on sat6 machine (install katello certs, add foreman to docker grp, set docker to run under docker grp, restart docker)

2. UI: navigate to Infrastructure > Compute resources > New compute resource

3. UI: on the Compute resource tab set URL to 'unix:///var/run/docker.sock' and hit Test Connection; an error message is displayed:
 "Permission denied - connect(2) for /var/run/docker.sock (Errno::EACCES)"


Actual results:
test connection fails with error

Expected results:
test connection is successful

Additional info:
Behind the refused connection there are SELinux denials:

avc:  denied  { connectto } for  pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket

# audit2allow -a


#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:file { read getattr open };
Comment 3 Lukas Pramuk 2016-03-13 08:26:43 EDT
Test Connection to *remote* docker compute resource http://<DOCKER_HOST>:2375 is *also* refused with some more SELinux denials:

# audit2allow -a


#============= passenger_t ==============

#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow passenger_t docker_t:unix_stream_socket connectto;
allow passenger_t hwdata_t:dir search;
allow passenger_t hwdata_t:file { read getattr open };

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t unreserved_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, passenger_can_connect_all
allow passenger_t zarafa_port_t:tcp_socket name_connect;
Comment 4 Lukas Zapletal 2016-03-15 08:07:29 EDT
cat /etc/redhat-release

rpm -q docker-selinux
Comment 5 Lukas Zapletal 2016-03-15 08:11:31 EDT
Assuming this was broken by pulling out docker policy from RHEL base core policy to separate subpackage, you only need to install docker-selinux to get it all working. Please confirm and we will add RPM dependency.
Comment 6 Lukas Pramuk 2016-03-15 09:14:59 EDT
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

# rpm -q docker-selinux
docker-selinux-1.8.2-8.el7.x86_64
Comment 7 Lukas Pramuk 2016-03-15 16:18:35 EDT
# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on
passenger_can_connect_http_proxy --> on
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_connect_smtp --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
<empty>

-------------------------------
With Satellite 6.1.7 @RHEL7.2 it works:

# getsebool -a |grep passenger
passenger_can_connect_all --> off
passenger_can_connect_ldap --> on
passenger_can_connect_libvirt --> on
passenger_can_connect_openstack --> on
passenger_can_spawn_ssh --> on
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376
Comment 8 Lukas Pramuk 2016-03-16 08:29:00 EDT
During Satellite installation there is related error:

...
  Installing : foreman-selinux-1.11.0-1.el7sat.noarch                   468/580
 
ValueError: Type docker_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.11.0-1.el7sat.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package foreman-selinux-1.11.0-1.el7sat.noarch

  Installing : katello-selinux-3.0.1.0-1. [                           ] 469/580
...
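The preflight script below is an added example; it is not part of the bug report, of foreman-selinux or of docker-selinux. It turns the checks made in this thread into functions: classifying the passenger_t to docker_t AVC from the description and comment 3, checking the passenger docker booleans and the docker_port_t label from comment 7, and pointing at the failed foreman-selinux %post from comment 8 when the label is absent. Each function takes captured tool output as its argument so it can be run offline against the samples embedded here (the unix-socket AVC, the getsebool lines and the semanage line are copied from the comments; the tcp AVC line and all function names are my own construction), or against the live host with --live.

```shell
#!/bin/sh
# Added example (not from the bug report): SELinux preflight for a Foreman/
# Satellite host before pointing a docker compute resource at a docker daemon.

# Copied from the description: the denial behind "Permission denied - connect(2)".
SAMPLE_AVC_UNIX='avc:  denied  { connectto } for  pid=72737 comm="diagnostic_con*" path="/run/docker.sock" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:docker_t:s0 tclass=unix_stream_socket'
# Constructed (not on the page): the kind of record behind the audit2allow
# "unreserved_port_t:tcp_socket name_connect" suggestion in comment 3.
SAMPLE_AVC_TCP='avc:  denied  { name_connect } for  pid=72737 comm="diagnostic_con*" dest=2375 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'
# Copied from comment 7: Satellite 6.1.7 labels 2375-2376, the 6.2 beta did not.
SAMPLE_PORTS_61='docker_port_t                  tcp      2375-2376'
SAMPLE_PORTS_62=''
# Copied from comment 7: 6.2 has the docker booleans, 6.1.7 does not.
SAMPLE_BOOLS_62='passenger_can_connect_all --> off
passenger_can_connect_docker_tcp --> on
passenger_can_connect_docker_unix --> on'
SAMPLE_BOOLS_61='passenger_can_connect_all --> off
passenger_can_connect_ldap --> on'

# Reduce one AVC record to "source_type target_type class perm...".
parse_avc() {
  printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_ ]*\) *}.*scontext=[^:]*:[^:]*:\([a-z_]*\):[^ ]*.*tcontext=[^:]*:[^:]*:\([a-z_]*\):[^ ]*.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    sed 's/  */ /g; s/ $//'
}

# Map the denial to the policy element this thread found missing.
avc_hint() {
  set -- $(parse_avc "$1")
  case "$1:$2:$3:$4" in
    passenger_t:docker_t:unix_stream_socket:connectto)
      echo "unix socket: passenger_t may not connect to the docker_t socket; check rpm -q docker-selinux (defines docker_t) and that the foreman-selinux %post, which provides passenger_can_connect_docker_unix, ran without errors" ;;
    passenger_t:unreserved_port_t:tcp_socket:name_connect)
      echo "tcp port: the daemon port is labelled unreserved_port_t instead of docker_port_t; docker-selinux supplies that label, and without it the foreman-selinux %post fails with 'Type docker_port_t is invalid'" ;;
    *)
      echo "unclassified: $*" ;;
  esac
}

# Does this `semanage port -l` output carry docker_port_t on tcp 2375-2376?
check_docker_port_type() {
  printf '%s\n' "$1" | awk '$1 == "docker_port_t" && $2 == "tcp" && $3 == "2375-2376" { found = 1 } END { exit !found }'
}

# Are both passenger docker booleans present and on in this `getsebool -a` output?
check_passenger_docker_booleans() {
  missing=""
  for b in passenger_can_connect_docker_unix passenger_can_connect_docker_tcp; do
    printf '%s\n' "$1" | grep -q "^$b --> on\$" || missing="$missing $b"
  done
  [ -z "$missing" ] && return 0
  echo "booleans not on:$missing" >&2
  return 1
}

# Live mode: run the same checks against the host and explain recent denials
# from Foreman's "Test Connection" worker (comm diagnostic_con*).
if [ "${1:-}" = "--live" ]; then
  check_docker_port_type "$(semanage port -l)" ||
    echo "docker_port_t missing: install docker-selinux, then reinstall foreman-selinux so its %post succeeds" >&2
  check_passenger_docker_booleans "$(getsebool -a)"
  ausearch -m avc -c diagnostic_con 2>/dev/null | grep -F 'avc:  denied' |
    while IFS= read -r line; do avc_hint "$line"; done
fi
```

Run it as `sh preflight.sh --live` on the Satellite host as root; without arguments it only defines the functions and the samples, which is what the offline checks use. The boolean check reflects the 6.2 policy, where both passenger docker booleans exist; a 6.1.7 host fails it even though that release connected fine, because its policy predates those booleans.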
Comment 10 Brad Buckingham 2016-03-18 14:25:42 EDT
*** Bug 1319294 has been marked as a duplicate of this bug. ***
Comment 13 Lukas Pramuk 2016-03-24 04:14:33 EDT
FailedQA.

@Sat6.2.0-Beta-SNAP5
foreman-selinux-1.11.0-1.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64
Comment 19 Stephen Benjamin 2016-03-24 15:00:09 EDT
*** Bug 1321142 has been marked as a duplicate of this bug. ***
Comment 20 Lukas Pramuk 2016-03-31 08:19:00 EDT
VERIFIED.

@Sat6.2.0-Beta-Snap6
foreman-selinux-1.11.0.0-2.el7sat.noarch
docker-selinux-1.8.2-10.el7.x86_64

Connections to a local docker using both the unix socket (unix:///var/run/docker.sock) and tcp (http://localhost:2375 or http://<hostname>:2375) succeed.

Connection to a remote docker (http://<FQDN>:2375) is also successful.

Yay.
Comment 22 errata-xmlrpc 2016-07-27 05:06:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500