Project

General

Profile

Actions
Copy link

Bug #33798

closed

Pulp 3 fails to sync under SELinux & http proxies

Added by Michael DePaulo about 3 years ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
RPMs
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Foreman - 3.0.0
Red Hat JIRA:

Description

Pulp 3 cannot sync using http proxies when SELinux is enabled.

This cannot be worked around with labeling instructions (in the docs) because of the following:

  • Foreman/Katello/RHSM itself can access ("name_connect") the port label `http_cache_port_t`, but pulpcore-selinux <= 1.2.6 can not.
  • pulpcore-selinux (all versions) can access ("name_connect") the port label `pulpcore_port_t`, which is a an acceptable workaround, but sub-optimal (since pulpcore can also listen on it, "bind")
  • But a single port number cannot be labelled as both. So either Foreman/Katello/RHSM can use the port number, or Pulp 3 can under pulpcore-selinux <= 1.2.6.

```
$ semanage port -l | grep http_cache
http_cache_port_t tcp 10011, 10012, 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
$ semanage port -a -t pulpcore_port_t -p tcp 8080
ValueError: Port tcp/8080 already defined
```

I have the upstream proposed PR here. It makes Pulp 3 to recognize http_cache_port_t:
https://github.com/pulp/pulpcore-selinux/pull/41

Actions
Copy link
 #1

Updated by Michael DePaulo about 3 years ago

  • Description updated (diff)
Actions
Copy link
 #3

Updated by Ewoud Kohl van Wijngaarden about 1 month ago

  • Status changed from New to Closed

We have shipped at least this since January 2022.

Actions
Copy link

Also available in: Atom PDF