Bug 1450436 - Satellite installation fails on rhel7.4 beta -- Candlepin can't connect to pgsql
Summary: Satellite installation fails on rhel7.4 beta -- Candlepin can't connect to pgsql
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Candlepin
Version: 6.2.9
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Kevin Howell
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On: 1451024
Blocks: CEE_Sat6_Top_BZs, GSS_Sat6_Top_Bugs 1451020 1470724
Reported: 2017-05-12 14:14 UTC by Peter Ondrejka
Modified: 2023-09-15 00:02 UTC

Fixed In Version: candlepin-0.9.54.23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1451020 1451024 1451035 1470724
Environment:
Last Closed: 2017-08-03 18:27:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1432083 0 unspecified CLOSED tomcat_t domain is in unconfined_domain 2021-08-30 13:17:56 UTC
Red Hat Knowledge Base (Solution) 3136351 0 None None None 2017-08-02 14:59:44 UTC
Red Hat Knowledge Base (Solution) 3138621 0 None None None 2017-08-03 14:04:58 UTC
Red Hat Product Errata RHBA-2017:2421 0 normal SHIPPED_LIVE Satellite RHEL 7.4 Async Release 2017-08-03 22:27:00 UTC

Internal Links: 1432083

Comment 1 Lukas Pramuk 2017-05-15 08:56:49 UTC
I switched to "Permissive" and ran the installation to produce all AVCs:

#============= tomcat_t ==============
allow tomcat_t amqp_port_t:tcp_socket name_connect;
allow tomcat_t candlepin_etc_certs_rw_t:dir { getattr open read search };
allow tomcat_t candlepin_etc_certs_rw_t:file { getattr open read };
allow tomcat_t candlepin_etc_rw_t:file { getattr open read };

allow tomcat_t postgresql_port_t:tcp_socket name_connect;
allow tomcat_t sysctl_net_t:file { getattr open read };


Tomcat SELinux policy has changed and requires us to add some new rules (rules #1 to #4).

The last two rules should be fixed in RHEL7.4 and not in candlepin-selinux
(BZ #1450819).

Comment 2 Lukas Pramuk 2017-05-15 09:31:40 UTC
To be precise pasting the AVCs:

avc:  denied  { read } for  pid=13920 comm="java" name="candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc:  denied  { open } for  pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc:  denied  { read } for  pid=13920 comm="java" name="upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc:  denied  { open } for  pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc:  denied  { read } for  pid=13920 comm="java" name="candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc:  denied  { open } for  pid=13920 comm="java" path="/etc/candlepin/certs/upstream/candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/certs/upstream/candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/certs/amqp/candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc:  denied  { read } for  pid=13920 comm="java" name="candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc:  denied  { open } for  pid=13920 comm="java" path="/etc/candlepin/certs/amqp/candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file

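Turning the raw AVC denials in comment 2 into the `allow` rules listed in comment 1 is the grouping step that audit2allow normally performs: collapse every denial with the same source type, target type and object class into one rule and union the permissions. The script below is an added example written for this page; it is not Candlepin code, not audit2allow, and not the fix that shipped (that was the candlepin-selinux policy update in candlepin-0.9.54.23). Its input is a subset of the AVC lines pasted above, the module name `candlepin_tomcat_local` is made up, and the `.te` layout it prints is the raw module form that `audit2allow -M` writes.

```python
"""Group SELinux AVC denials into audit2allow-style allow rules and a raw .te module."""
import re
from collections import defaultdict

# Input: a subset of the AVC lines pasted in comment 2 of the bug report (one line
# per distinct permission/object pair is enough to show how the grouping works).
AVC_LOG = """\
avc:  denied  { read } for  pid=13920 comm="java" name="candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc:  denied  { open } for  pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/candlepin.conf" dev="dm-0" ino=645937689 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc:  denied  { read } for  pid=13920 comm="java" name="upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc:  denied  { open } for  pid=13920 comm="java" path="/etc/candlepin/certs/upstream" dev="dm-0" ino=671090747 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=dir
avc:  denied  { read } for  pid=13920 comm="java" name="candlepin-redhat-ca.crt" dev="dm-0" ino=671090748 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
avc:  denied  { getattr } for  pid=13920 comm="java" path="/etc/candlepin/certs/amqp/candlepin.truststore" dev="dm-0" ino=662704171 scontext=system_u:system_r:tomcat_t:s0 tcontext=unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 tclass=file
"""

# Pull the permission set and the three fields a type-enforcement rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type.  A TE rule only names the type, which is why the
    unconfined_u-labelled truststore and the system_u-labelled CA file end up in one rule."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (
        context_type(m.group("scontext")),
        context_type(m.group("tcontext")),
        m.group("tclass"),
        set(m.group("perms").split()),
    )


def avc_to_rules(lines):
    """Group denials by (source, target, class) and union their permissions."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, tclass, perms = parsed
        rules[(src, tgt, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """One 'allow' statement per key; braces only around multi-permission sets."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        out.append("allow %s %s:%s %s;" % (src, tgt, tclass, perm_str))
    return out


def render_te_module(name, rules, version="1.0"):
    """Raw policy-module source with the require block a .te file needs."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += format_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical module name; the page's fix lives in candlepin-selinux, not a local module.
    print(render_te_module("candlepin_tomcat_local", avc_to_rules(AVC_LOG.splitlines())))
```

Two things worth keeping in mind when reading the output. First, the rules only cover denials that were actually logged, which is why comment 1 switched to Permissive mode: in enforcing mode the install stops at the first denial, in permissive mode every access is logged in a single run. Rules derived from a partial log such as this subset are correspondingly incomplete; the `search` permission on the certs directory and both `name_connect` rules from comment 1 never appear in the pasted lines. Second, generated rules grant exactly what was denied and nothing checks whether the domain should have that access, so each line deserves a look before anything is loaded with `semodule -i`; on this bug the right home for the rules was the candlepin-selinux package (rules #1 to #4) and the RHEL 7.4 policy (the port and sysctl_net_t rules), not a locally built module.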
Comment 17 Michael Stead 2017-05-29 13:23:55 UTC
Fix available in candlepin-0.9.54.23-1

Comment 25 errata-xmlrpc 2017-08-03 18:27:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2421

Comment 26 Red Hat Bugzilla 2023-09-15 00:02:11 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

