Bug #33798

Updated by Michael DePaulo almost 3 years ago

Pulp 3 cannot sync using http proxies when SELinux is enabled.

This cannot be worked around with labeling instructions (in the docs) because of the following:

* Foreman/Katello/RHSM itself can access ("name_connect") the port label `http_cache_port_t`, but pulpcore-selinux <= 1.2.6 cannot.
* pulpcore-selinux (all versions) can access ("name_connect") the port label `pulpcore_port_t`, which is an acceptable but sub-optimal workaround (since pulpcore can also listen on it, "bind").
* But the same port number cannot be labelled as both. So either Foreman/Katello/RHSM can use the port number, or Pulp 3 can under pulpcore-selinux <= 1.2.6.


```
$ semanage port -l | grep http_cache
http_cache_port_t                tcp        10011, 10012, 8080, 8118, 8123, 10001-10010
http_cache_port_t                udp        3130
$ semanage port -a -t pulpcore_port_t -p tcp 8080
ValueError: Port tcp/8080 already defined
```

I have the upstream proposed PR here. It makes Pulp 3 recognize http_cache_port_t:
https://github.com/pulp/pulpcore-selinux/pull/41
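A small diagnostic for the labeling conflict described in this report, added here as an example; it is not part of the bug report or of pulpcore-selinux. The `semanage port -l` listing is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORTS='http_cache_port_t                tcp        10011, 10012, 8080, 8118, 8123, 10001-10010
http_cache_port_t                udp        3130
pulpcore_port_t                  tcp        24816, 24817
http_port_t                      tcp        80, 81, 443, 488, 8008, 8009, 8443, 9000'

# port_label LISTING PROTO PORT -> prints the SELinux port type whose
# definition covers PORT/PROTO, expanding ranges such as 10001-10010.
port_label() {
    listing=$1; proto=$2; port=$3
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)      # strip the list separator
                if (item ~ /-/) { split(item, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = item + 0; hi = lo }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# proxy_port_status LISTING PORT -> one word saying who can reach a TCP proxy
# port under pulpcore-selinux <= 1.2.6, per the bug description above.
proxy_port_status() {
    label=$(port_label "$1" tcp "$2")
    case "$label" in
        http_cache_port_t) echo "foreman-only" ;;  # Foreman can name_connect; old pulpcore-selinux cannot
        pulpcore_port_t)   echo "pulp-only" ;;     # workaround label: Pulp can connect (and bind)
        "")                echo "unlabeled" ;;     # may be labeled, but with only one type
        *)                 echo "other:$label" ;;
    esac
}
```

Run `proxy_port_status "$(semanage port -l)" 8080` on a real host to check the port your proxy actually uses.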
