Bug #33798: Pulp 3 fails to sync under SELinux & http proxies - Packaging - Foreman

Actions

Copy link

Bug #33798

open

« Previous | 13 of 51 | Next »

Pulp 3 fails to sync under SELinux & http proxies

Added by Michael DePaulo over 2 years ago. Updated over 2 years ago.

Status:

New

Priority:

Normal

Assignee:

Category:

RPMs

Target version:

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Foreman - 3.0.0

Red Hat JIRA:

Description

Pulp 3 cannot sync using http proxies when SELinux is enabled.

This cannot be worked around with labeling instructions (in the docs) because of the following:

Foreman/Katello/RHSM itself can access ("name_connect") the port label `http_cache_port_t`, but pulpcore-selinux <= 1.2.6 can not.
pulpcore-selinux (all versions) can access ("name_connect") the port label `pulpcore_port_t`, which is a an acceptable workaround, but sub-optimal (since pulpcore can also listen on it, "bind")
But a single port number cannot be labelled as both. So either Foreman/Katello/RHSM can use the port number, or Pulp 3 can under pulpcore-selinux <= 1.2.6.

```
$ semanage port -l | grep http_cache
http_cache_port_t tcp 10011, 10012, 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
$ semanage port -a -t pulpcore_port_t -p tcp 8080
ValueError: Port tcp/8080 already defined
```

I have the upstream proposed PR here. It makes Pulp 3 to recognize http_cache_port_t:
https://github.com/pulp/pulpcore-selinux/pull/41