Description of problem: SELinux prevents Satellite 6.10.0's Pulp (repo syncing) from using a web proxy: type=AVC msg=audit(10/27/2021 16:18:13.719:1440) : avc: denied { name_connect } for pid=24391 comm=pulpcore-worker dest=8080 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1 This occurs even when the proxy is running on a standard web proxy port (8080, 8118, 8123, 10001-10010) We have workarounds that can be added to the docs, but there is no good reason why a user should have to do a workaround when the proxy is running on a standard web proxy port. Workarounds for docs: If the web proxy is running on a standard proxy port (8080, labelled http_cache_port_t): $ semanage port -m -t http_port_t -p tcp 8080 (This means 8080 now has both labels on it) If the web proxy is running on a non-standard proxy port that is undefined (10011): $ semanage port -a -t http_port_t -p tcp 10011 (This means 10011 now has only 1 label on it) If the web proxy is running on a non-standard proxy port that is defined for some other purpose (8082, labelled us_cli_port_t): $ semanage port -m -t http_port_t -p tcp 8082 (This means 8082 now has both labels on it) Version-Release number of selected component (if applicable): satellite-6.10.0-0.9.beta.el7sat.noarch pulpcore-selinux-1.2.6-1.el7pc.x86_64 Upstream fix under review: https://github.com/pulp/pulpcore-selinux/pull/41
Fixed in pulpcore-selinux 1.2.7
Re: Comment 2: It is not a duplicate. To clarify, this bug should be for when the web proxy is running on a standard web proxy port. That should work out of the box, via the code change implemented in pulpcore-selinux 1.2.7. I will create a separate bug for a docs update for the scenario of a non-standard proxy port.
Foreman's upstream bug (to update pulpcore-selinux to 1.2.7): https://projects.theforeman.org/issues/33798
Moving to POST since it is mentioned that a fix is available upstream.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.11 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5498