Bug 736788 - SELinux enabled causes sync through a proxy to fail
Summary: SELinux enabled causes sync through a proxy to fail
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: user-experience
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: Sprint 30
Assignee: John Matthews
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-08 17:34 UTC by John Matthews
Modified: 2013-09-09 16:28 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-24 20:13:54 UTC


Attachments (Terms of Use)

Description John Matthews 2011-09-08 17:34:55 UTC
Description of problem:

If SELinux is enabled, syncing through a proxy is disabled.

We probably need to open access to a standard proxy port 3128, and document if this is changed the selinux policy needs an update.

Comment 1 John Matthews 2011-11-01 19:55:39 UTC
I confirmed this is showing up in Fedora 15 

# rpm -qa | grep pulp
pulp-common-0.0.244-1.fc15.noarch
pulp-client-lib-0.0.244-1.fc15.noarch
pulp-admin-0.0.244-1.fc15.noarch
pulp-0.0.244-1.fc15.noarch

Behavior is to enable SELinux
Install Pulp
Setup up to use a proxy
Sync a repo

# sudo pulp-admin repo sync --id pulp_f15_x86_64 -F
Sync for repository pulp_f15_x86_64 started
Sync: Error

Item Details: 
error:  Exception: Traceback (most recent call last):

  File "/usr/lib/python2.7/site-packages/grinder/activeobject.py", line 424, in process
    retval = method(*args, **kwargs)

  File "/usr/lib/python2.7/site-packages/grinder/YumInfo.py", line 94, in getDownloadItems
    self.__getRepoData()

  File "/usr/lib/python2.7/site-packages/grinder/YumInfo.py", line 167, in __getRepoData
    for ftype in self.__getRepoXmlFileTypes():

  File "/usr/lib/python2.7/site-packages/grinder/YumInfo.py", line 154, in __getRepoXmlFileTypes
    return self.repo.repoXML.fileTypes()

  File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 1454, in <lambda>
    repoXML = property(fget=lambda self: self._getRepoXML(),

  File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 1450, in _getRepoXML
    raise Errors.RepoError, msg

RepoError: Cannot retrieve repository metadata (repomd.xml) for repository: . Please verify its path and try again


Now disable SELinux
[root@localhost ~]# sudo setenforce 0
[root@localhost ~]# sudo pulp-admin repo sync --id pulp_f15_x86_64 -F
Sync for repository pulp_f15_x86_64 started
Sync: Finished
18/18 new items downloaded
0/18 existing items processed

Item Details: 
RPMs: 18/18

Comment 2 John Matthews 2011-11-01 19:56:03 UTC
# sealert -l 4b5b4e30-83da-4e6e-be68-3141610b9407
SELinux is preventing /usr/bin/python from name_connect access on the tcp_socket port 3128.

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow httpd to act as a relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.
Do
setsebool -P httpd_can_network_relay 1

*****  Plugin catchall_boolean (47.5 confidence) suggests  *******************

If you want to allow HTTPD scripts and modules to connect to the network using any TCP port.
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall (6.38 confidence) suggests  ***************************

If you believe that python should be allowed name_connect access on the port 3128 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep python /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 3 John Matthews 2011-11-01 19:57:50 UTC
Setting "setsebool -P httpd_can_network_connect" fixed the problem.


# setsebool -P httpd_can_network_connect 1
[root@localhost ~]# ./sync_repo.sh 
Sync for repository pulp_f15_x86_64 started
Sync: Finished
18/18 new items downloaded
0/18 existing items processed

Item Details: 
RPMs: 18/18

Comment 4 John Matthews 2011-12-09 20:16:42 UTC
Using pulp RPMs built from master on 12/9/2011
0.0.254-1.git.5.39971e9.fc15.noarch

Changed /etc/pulp/pulp.conf
[yum]
proxy_url: http://IP_ADDRESS
proxy_port: 3128


Below is squid.log output from syncing a Pulp Fedora repo.
Access is going through Proxy as expected.



1323479608.565    313 10.210.67.63 TCP_MISS/200 3413 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/repomd.xml - DIRECT/85.236.55.7 text/xml
1323479608.859    289 10.210.67.63 TCP_MISS/200 11583 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/36074a6a66a90aa2f12826349b4aa3bde23657acb2b0f99938bf1ccf26f508b5-primary.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479609.168    305 10.210.67.63 TCP_MISS/200 12348 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/2659f11af5e6edc72c62a322fea83cbd99bf5cf8f8d131910b98e75d988a1e7e-filelists.xml.gz - DIRECT/85.236.55.7 application/x-gzip
1323479609.475    303 10.210.67.63 TCP_MISS/200 6875 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/24e3f2af0c255ba0119fab68738e2a8cae830abe3e8f2d97e382b32b621c3cf5-primary.xml.gz - DIRECT/85.236.55.7 application/x-gzip
1323479609.879    400 10.210.67.63 TCP_MISS/200 14125 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/015970537365ddc5debba717fef623f666a0ce5a94eeb8a23506124f54cc1026-other.xml.gz - DIRECT/85.236.55.7 application/x-gzip
1323479610.281    399 10.210.67.63 TCP_MISS/200 15979 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/3ecaf3545b3cdb03eaf23b9d2367d59c191634559dd027f8d4a4c5fb765a71d9-filelists.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479610.478    192 10.210.67.63 TCP_REFRESH_UNMODIFIED/200 11689 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/36074a6a66a90aa2f12826349b4aa3bde23657acb2b0f99938bf1ccf26f508b5-primary.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479610.886    390 10.210.67.63 TCP_MISS/200 17713 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/repodata/b131e9ad7be035840939c6a6f0efb474fa071bc03000a98be4076fdb3180e916-other.sqlite.bz2 - DIRECT/85.236.55.7 application/x-bzip2
1323479611.432    196 10.210.67.63 TCP_MISS/404 687 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//.treeinfo - DIRECT/85.236.55.7 text/html
1323479611.632    193 10.210.67.63 TCP_MISS/404 687 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//.treeinfo - DIRECT/85.236.55.7 text/html
1323479611.834    195 10.210.67.63 TCP_MISS/404 687 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//.treeinfo - DIRECT/85.236.55.7 text/html
1323479612.046    197 10.210.67.63 TCP_MISS/404 686 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//treeinfo - DIRECT/85.236.55.7 text/html
1323479612.253    192 10.210.67.63 TCP_MISS/404 686 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//treeinfo - DIRECT/85.236.55.7 text/html
1323479612.454    194 10.210.67.63 TCP_MISS/404 686 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64//treeinfo - DIRECT/85.236.55.7 text/html
1323479613.866    500 10.210.67.63 TCP_MISS/200 31700 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/gofer-package-0.63-1.fc15.noarch.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479613.901    614 10.210.67.63 TCP_MISS/200 67401 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/mod_wsgi-3.2-6.pulp.fc15.x86_64.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479614.046    400 10.210.67.63 TCP_MISS/200 25292 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/python-oauth2-1.5.170-2.pulp.fc15.noarch.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479614.079    792 10.210.67.63 TCP_MISS/200 154165 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/mod_wsgi-debuginfo-3.2-6.pulp.fc15.x86_64.rpm - DIRECT/85.236.55.7 application/x-rpm
1323479614.378    706 10.210.67.63 TCP_MISS/200 116838 GET http://repos.fedorapeople.org/repos/pulp/pulp/testing/fedora-15/x86_64/pulp-selinux-server-0.0.254-4.fc15.noarch.rpm - DIRECT/85.236.55.7 application/x-rpm

Comment 5 Jeff Ortel 2011-12-15 20:18:13 UTC
build: 0.255

Comment 6 Preethi Thomas 2012-01-04 15:16:30 UTC
verified
[root@preethi ~]# rpm -q pulp
pulp-0.0.255-1.fc15.noarch

[root@preethi ~]# pulp-admin repo sync --id=centos1 -F
Sync for repository centos1 started
Sync: Finished
0/4768 new items downloaded
4768/4768 existing items processed

Item Details: 
Tree Files: 4/4
RPMs: 4764/4764

[root@preethi ~]# getenforce
Enforcing
[root@preethi ~]# cat /etc/pulp/pulp.conf |grep proxy
# Uncomment the below section with appropriate values for proxy configuration
proxy_url: http://auto-services.usersys.redhat.com
proxy_port: 3128
proxy_user: redhat
proxy_pass: redhat
[root@preethi ~]#

Comment 7 Preethi Thomas 2012-02-24 20:13:54 UTC
Pulp v1.0 is released
Closed Current Release.


Note You need to log in before you can comment on or make changes to this bug.