
Bug 795600

Summary: Cannot connect to https://SYS_ENG_NAME/katello because of SELinux errors
Product: Red Hat Satellite
Component: SELinux
Version: 6.0.0
Hardware: x86_64
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Reporter: Forrest Taylor <ftaylor>
Assignee: Lukas Zapletal <lzap>
QA Contact: Katello QA List <katello-qa-list>
CC: jrist, omaciel
Doc Type: Bug Fix
Last Closed: 2012-08-22 20:54:52 UTC

Description Forrest Taylor 2012-02-21 01:28:37 UTC
Description of problem:
After running katello-configure, I try to connect to the System Engine and I get a 503 Service Temporarily Unavailable error.  The logs show that SELinux is not allowing name_connect to ports 5000, 5001 and 5002:

type=AVC msg=audit(1329786949.065:91817): avc:  denied  { name_connect } for  pid=2099 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1329786949.068:91818): avc:  denied  { name_connect } for  pid=2099 comm="httpd" dest=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1329786949.069:91819): avc:  denied  { name_connect } for  pid=2099 comm="httpd" dest=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Enabling the httpd_can_network_connect boolean allows this connection:

~]# setsebool -P httpd_can_network_connect on



Version-Release number of selected component (if applicable):
katello-all-0.1.238-4.el6.noarch
katello-configure-0.1.64-5.el6.noarch


How reproducible:
Always
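The denials and the boolean in the description above, as an added example that is not part of the bug report or of Katello: a POSIX shell triage script that reduces AVC records to the "source domain, permission, class, destination port, target port type" rows that matter, then prints both the broad remedy the report used and what a port-scoped alternative would have to cover. httpd_can_network_connect lets httpd_t connect to any TCP port, which is more than these three ports need, so the script also prints the stock setools and policycoreutils commands (sesearch, audit2allow, semanage) for checking and narrowing the grant. The audit lines are constructed from the three quoted above; the module name httpd_local is a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report or Katello): turn SELinux AVC
# records into a short triage table and print the candidate remedies.

# Audit records constructed from the three denials quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1329786949.065:91817): avc:  denied  { name_connect } for  pid=2099 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1329786949.068:91818): avc:  denied  { name_connect } for  pid=2099 comm="httpd" dest=5001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1329786949.069:91819): avc:  denied  { name_connect } for  pid=2099 comm="httpd" dest=5002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# summarize_avc: read audit lines on stdin; print one line per distinct
# "<source domain> <permission> <class> <dest port> <target type>" tuple.
# pid and timestamp are dropped so repeated denials collapse to one row.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; dom = ""; port = "-"; ttype = ""; cls = "";
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "scontext") { split(kv[2], c, ":"); dom = c[3]; }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3]; }
            else if (kv[1] == "dest") { port = kv[2]; }
            else if (kv[1] == "tclass") { cls = kv[2]; }
        }
        key = dom " " perm " " cls " " port " " ttype;
        if (!(key in seen)) { seen[key] = 1; print key; }
    }'
}

# remedy_for: read summarize_avc output on stdin; for httpd_t name_connect
# denials print the broad fix used in the report and the scoped alternative.
# Returns 1 when no such denial is present.
remedy_for() {
    ports=""; types=""
    while read -r dom perm cls port ttype; do
        [ "$dom" = httpd_t ] && [ "$perm" = name_connect ] && [ "$cls" = tcp_socket ] || continue
        ports="$ports $port"
        case " $types " in *" $ttype "*) ;; *) types="$types $ttype" ;; esac
    done
    [ -n "$ports" ] || return 1
    echo "# broad fix (what the report used): httpd_t may then connect to ANY tcp port"
    echo "setsebool -P httpd_can_network_connect on"
    echo "# scoped alternative: a local module covering only target types:$types"
    echo "grep name_connect /var/log/audit/audit.log | audit2allow -M httpd_local"
    echo "# review httpd_local.te before 'semodule -i httpd_local.pp'; a rule on port_t"
    echo "# (the type of unlabeled ports) is still broad, so check the port label first:"
    for p in $ports; do echo "semanage port -l | grep -w $p"; done
    echo "# see what the boolean itself would grant:"
    echo "sesearch -A -s httpd_t -c tcp_socket -p name_connect -b httpd_can_network_connect"
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc | remedy_for
```

On a live host replace the constructed sample with `ausearch -m avc -ts recent`, or the audit.log itself, on stdin; the row for dest=5002 with target type port_t is the one that needs a port label before a scoped allow rule is worth anything.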

Comment 1 Lukas Zapletal 2012-02-24 15:32:27 UTC
4527935d2367c70d9e8bfac2e6384ae79fdae584

http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=4527935d2367c70d9e8bfac2e6384ae79fdae584

Comment 3 Forrest Taylor 2012-02-24 20:01:13 UTC
This appears to be related to bug#795602.

Using the 2012-02-22.1 code drop.
I install katello-all in %packages of my kickstart.  I see these errors in the install.log:

Installing pulp-selinux-server-0.0.267-2.el6.noarch
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Cannot set persistent booleans without managed policy.
Could not change policy booleans
/var/tmp/rpm-tmp.6dFUtS: line 9: /usr/sbin/semanage: No such file or directory
/var/tmp/rpm-tmp.6dFUtS: line 10: /usr/sbin/semanage: No such file or directory
warning: %post(pulp-selinux-server-0.0.267-2.el6.noarch) scriptlet failed, exit status 127


Installing katello-selinux-0.1.7-1.el6.noarch
No such file or directory
Cannot set persistent booleans without managed policy.
Could not change policy booleans
warning: %post(katello-selinux-0.1.7-1.el6.noarch) scriptlet failed, exit status 255

This may actually work just fine without the httpd_can_network_connect boolean, once the policy package is loaded.

Comment 4 Lukas Zapletal 2012-03-01 17:05:22 UTC
Yes this is a pulp bug that will be rolled out soon. It works because Katello is also setting this boolean properly.

Comment 6 Forrest Taylor 2012-03-02 02:51:10 UTC
Just tested 2012-03-01.1 code drop.
katello-all-0.1.301-2.el6.noarch
pulp-selinux-server-1.0.0-4.el6.noarch
katello-selinux-0.1.8-1.el6.noarch
pulp-1.0.0-4.el6.noarch

I still get the same issues installing katello-selinux and pulp-selinux-server in kickstart.

Comment 7 Forrest Taylor 2012-03-22 00:48:39 UTC
Update from beta5 2012-03-16.1

Installation still has errors installing packages:

# grep -v -B1 '^[I]' /root/install.log
Installing libgcc-4.4.6-3.el6.x86_64
warning: libgcc-4.4.6-3.el6.x86_64: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
--
Installing lucene3-3.4.0-2.el6.noarch
warning: lucene3-0:3.4.0-2.el6.noarch: Header V3 RSA/SHA256 Signature, key ID f21541eb: NOKEY
--
Installing glassfish-jaf-1.1.0-9.el6.noarch
/var/tmp/rpm-tmp.lAhplk: line 4: cat: command not found
--
Installing pulp-selinux-server-1.0.0-4.el6.noarch
Cannot set persistent booleans without managed policy.
Could not change policy booleans
Cannot set persistent booleans without managed policy.
Could not change policy booleans
/var/tmp/rpm-tmp.A2uSXY: line 9: /usr/sbin/semanage: No such file or directory
/var/tmp/rpm-tmp.A2uSXY: line 10: /usr/sbin/semanage: No such file or directory
warning: %post(pulp-selinux-server-1.0.0-4.el6.noarch) scriptlet failed, exit status 127
--
Installing katello-selinux-0.1.8-1.el6.noarch
/usr/sbin/semanage: SELinux policy is not managed or store cannot be accessed.
No such file or directory
Cannot set persistent booleans without managed policy.
Could not change policy booleans
warning: %post(katello-selinux-0.1.8-1.el6.noarch) scriptlet failed, exit status 255
--
Installing rootfiles-8.1-6.1.el6.noarch
*** FINISHED INSTALLING PACKAGES ***


The modules are not loaded:

# semodule -l | egrep '(katello|pulp)'
  <no output>



Errors running katello-configure in %post:

+ katello-configure
Starting Katello configuration
The top-level log file is [/var/log/katello/katello-configure-20120321-175239/main.log]
err: /Stage[main]/Postgres::Service/Service[postgresql]: Failed to call refresh: Could not restart Service[postgresql]: Execution of '/sbin/service postgresql restart' returned 1:  at /usr/share/katello/install/puppet/modules/postgres/manifests/service.pp:6
err: /Stage[main]/Qpid::Install/Package[qpid-cpp-client-ssl]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install qpid-cpp-client-ssl' returned 1: Error: Nothing to do
err: /Stage[main]/Qpid::Install/Package[qpid-cpp-server-ssl]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install qpid-cpp-server-ssl' returned 1: Error: Nothing to do
Creating Katello database user
############################################################ ... OK
Creating Katello database
############################################################ ... OK
Creating Candlepin database user
############################################################ ... OK
Creating Candlepin database
############################################################ ... OK
Candlepin setup
############################################################ ... OK

These look to be an error restarting postgresql and two errors installing packages (that are already installed).


Trying to connect to katello gives a 503 Service Temporarily Unavailable error.
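The scriptlet failures in comments 3 and 7 above (semanage absent, "Cannot set persistent booleans without managed policy", %post exit status 127 and 255, and afterwards no katello or pulp module in `semodule -l`) share one pattern: the policy step runs inside the installer, cannot reach the policy store, fails loudly, and leaves the package installed with no policy loaded, which is exactly what produces the 503 later. The sketch below is an added example, not the actual katello-selinux or pulp-selinux-server scriptlet: a %post body that probes for the tools and the store before using them and never fails the transaction, plus the post-install check that reads `semodule -l`. The .pp path, the module names katello and pulp as arguments, and the boolean are placeholders; the note that semanage ships in policycoreutils-python on RHEL 6 is background, not something the report states.

```shell
#!/bin/sh
# Added example, not the katello-selinux or pulp-selinux-server scriptlet:
# an RPM %post body that loads a policy module and sets booleans without
# failing the package transaction, plus the verification that must follow.
# /usr/share/selinux/packages/example.pp and the module names are placeholders.

# selinux_post_install MODULE.pp [boolean=value ...]
# Returns 0 when policy was applied, 2 when skipped (tools absent, or no
# usable policy store, the installer case above), 1 when a tool ran and failed.
selinux_post_install() {
    pp=$1; shift
    # On RHEL 6 semanage lives in policycoreutils-python; calling
    # /usr/sbin/semanage by absolute path without a dependency on it is the
    # "exit status 127" above. Probe for the tools instead of assuming them.
    for tool in semodule setsebool; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "selinux: $tool not available, skipping $pp" >&2
            return 2
        fi
    done
    # "Cannot set persistent booleans without managed policy" means the
    # module store is not reachable; semodule -l needs the same store.
    if ! semodule -l >/dev/null 2>&1; then
        echo "selinux: policy store not managed here, skipping $pp" >&2
        return 2
    fi
    semodule -i "$pp" || return 1
    for b in "$@"; do
        setsebool -P "${b%=*}" "${b#*=}" || return 1
    done
    return 0
}

# rpm_post: the %post body. A non-zero %post only produces the "scriptlet
# failed" warning seen above; the package stays installed either way, so
# record the skip for a later re-run and always exit 0.
rpm_post() {
    rc=0
    selinux_post_install "$@" || rc=$?
    [ "$rc" -eq 0 ] || echo "selinux: step not applied (status $rc); rerun after install: selinux_post_install $*" >&2
    return 0
}

# modules_loaded NAME...: read `semodule -l` output (name<TAB>version per
# line) on stdin; succeed only if every named module is present. This turns
# a silent skip into a visible failure before the service is relied on.
modules_loaded() {
    missing=0
    list=$(cat)
    for name in "$@"; do
        printf '%s\n' "$list" | awk -v n="$name" '$1 == n { f = 1 } END { exit !f }' \
            || { echo "selinux: module $name not loaded" >&2; missing=1; }
    done
    return $missing
}

# Usage: in %post, rpm_post /usr/share/selinux/packages/example.pp httpd_can_network_connect=on
# After install: semodule -l | modules_loaded katello pulp
# Constructed `semodule -l` output so this runs without SELinux tools:
printf 'katello\t0.1.8\npulp\t1.0.0\n' | modules_loaded katello pulp && echo "policy modules present"
```

The check is the part that matters for a kickstart build: if `modules_loaded` fails in the %post that runs katello-configure, the right move is to re-run the policy step (or fix the package dependency) rather than reach for a broad boolean or permissive mode to make the 503 go away.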

Comment 9 Jeff Weiss 2012-03-22 18:19:15 UTC
It appears that the original issue is fixed, opened bug#806028 to track the postgres sysinit script problem.

Verified.