Bug 2018263 - Using Satellite with a proxy produces an SELinux alert
Summary: Using Satellite with a proxy produces an SELinux alert
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.10.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: 6.11.0
Assignee: satellite6-bugs
QA Contact: Griffin Sullivan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-28 16:29 UTC by Mike DePaulo
Modified: 2022-07-05 14:30 UTC

Fixed In Version: pulpcore-selinux-1.2.7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2027354 (view as bug list)
Environment:
Last Closed: 2022-07-05 14:30:00 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:30:46 UTC

Description Mike DePaulo 2021-10-28 16:29:29 UTC
Description of problem:

SELinux prevents Satellite 6.10.0's Pulp (repo syncing) from using a web proxy:

type=AVC msg=audit(10/27/2021 16:18:13.719:1440) : avc:  denied  { name_connect } for  pid=24391 comm=pulpcore-worker dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1

This occurs even when the proxy is running on a standard web proxy port (8080, 8118, 8123, 10001-10010).

We have workarounds that can be added to the docs, but there is no good reason why a user should have to do a workaround when the proxy is running on a standard web proxy port.


Workarounds for docs:

If the web proxy is running on a standard proxy port (8080, labelled http_cache_port_t):
$ semanage port -m -t http_port_t -p tcp 8080
(This means 8080 now has both labels on it)

If the web proxy is running on a non-standard proxy port that is undefined (10011):
$ semanage port -a -t http_port_t -p tcp 10011
(This means 10011 now has only 1 label on it)

If the web proxy is running on a non-standard proxy port that is defined for some other purpose (8082, labelled us_cli_port_t):
$ semanage port -m -t http_port_t -p tcp 8082
(This means 8082 now has both labels on it)


Version-Release number of selected component (if applicable):

satellite-6.10.0-0.9.beta.el7sat.noarch
pulpcore-selinux-1.2.6-1.el7pc.x86_64

Upstream fix under review:
https://github.com/pulp/pulpcore-selinux/pull/41
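
Added example (not part of the bug report or of pulpcore-selinux): a triage script that reads AVC records like the one quoted above, keeps the pulpcore_t name_connect denials, and maps each to the matching workaround command from the description. The function names are hypothetical, the second and third sample records are constructed, and it assumes a port with no definition of its own appears in tcontext with a catch-all type such as unreserved_port_t.

```python
import re

# Sample input: line 1 is the denial quoted in the report; lines 2 and 3 are
# constructed to match the 10011 and 8082 workaround cases.
SAMPLE_AUDIT = """\
type=AVC msg=audit(10/27/2021 16:18:13.719:1440) : avc:  denied  { name_connect } for  pid=24391 comm=pulpcore-worker dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(10/27/2021 16:20:01.002:1451) : avc:  denied  { name_connect } for  pid=24391 comm=pulpcore-worker dest=10011 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(10/27/2021 16:21:40.310:1460) : avc:  denied  { name_connect } for  pid=24391 comm=pulpcore-worker dest=8082 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:us_cli_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bdest=(?P<port>\d+)"
    r".*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Assumption: ports without a specific definition carry one of these types.
GENERIC_PORT_TYPES = {"unreserved_port_t", "reserved_port_t",
                      "ephemeral_port_t", "hi_reserved_port_t", "port_t"}


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def proxy_denials(audit_text, domain="pulpcore_t"):
    """Yield (port, port_type) for each TCP name_connect denial of `domain`."""
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "tcp_socket":
            continue
        if "name_connect" in m["perms"].split() and selinux_type(m["scontext"]) == domain:
            yield int(m["port"]), selinux_type(m["tcontext"])


def workaround(port, port_type):
    """Map one denial to the workaround command the description gives for it."""
    if port_type == "http_port_t":
        return None  # already labelled http_port_t; the denial has another cause
    # -a for a port with no definition of its own, -m for one already labelled
    action = "-a" if port_type in GENERIC_PORT_TYPES else "-m"
    return f"semanage port {action} -t http_port_t -p tcp {port}"


if __name__ == "__main__":
    for port, port_type in proxy_denials(SAMPLE_AUDIT):
        print(f"{port:>5} {port_type:<20} {workaround(port, port_type)}")
```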

Comment 1 Tanya Tereshchenko 2021-10-31 10:16:41 UTC
Fixed in pulpcore-selinux 1.2.7

Comment 4 Mike DePaulo 2021-11-02 21:03:10 UTC
Re: Comment 2:

It is not a duplicate.

To clarify, this bug should be for when the web proxy is running on a standard web proxy port. That should work out of the box, via the code change implemented in pulpcore-selinux 1.2.7.

I will create a separate bug for a docs update for the scenario of a non-standard proxy port.

Comment 5 Mike DePaulo 2021-11-03 15:17:10 UTC
Foreman's upstream bug (to update pulpcore-selinux to 1.2.7):
https://projects.theforeman.org/issues/33798

Comment 6 Brad Buckingham 2021-11-04 14:14:57 UTC
Moving to POST since it is mentioned that a fix is available upstream.

Comment 11 errata-xmlrpc 2022-07-05 14:30:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5498

