Project

Profile

Help

Issue #2719

Story #1166: As a user, I can install a crane-selinux rpm

Need to choose a port, and ship SELinux policy for network connections

Added by Ichimonji10 over 3 years ago. Updated over 1 year ago.

Status:
CLOSED - WONTFIX
Priority:
High
Assignee:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version - Crane:
Platform Release:
Target Release - Crane:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

The Crane documentation weakly suggests that port 5,000 be used for its configuration. Additionally, the Crane RPM package does not (AFAICT) install an SELinux policy that makes some port available for use. Can we more strongly suggest which port should be used and make the Crane RPM package install an SELinux policy making that network port available for use?

There's at least two good options for which port to use. One is to use 5,000, because we already weakly suggest that users use this port, and because the Docker documentation weakly suggests that port 5,000 be used for private registries. Another option is to use the official ports assigned to Docker. From /etc/services:

docker          2375/tcp                # Docker REST API (plain text)
docker-s        2376/tcp                # Docker REST API (ssl)

Given that Crane implements a sub-set of the Docker API, why not use the ports set aside for the Docker API?

Here's what happens when the following configuration file is installed in /etc/httpd/conf.d/pulp_crane.conf:

# Place this config in /etc/httpd/conf.d/. Use with Apache 2.4+. See:
#
# * https://docs.pulpproject.org/plugins/crane/index.html
# * https://modwsgi.readthedocs.io/en/develop/user-guides/quick-configuration-guide.html
#
# Note the following entries in /etc/services:
#
#     docker           2375/tcp
#     docker-s         2376/tcp
#
# At the same time, the Docker documentation weakly suggests using port 5000/tcp
# for a private registry.
#
Listen 2375
<VirtualHost *:2375>
    WSGIScriptAlias / /usr/share/crane/crane.wsgi
    <Location /crane>
        Require host localhost
    </Location>
    <Directory /usr/share/crane/>
        Require all granted
    </Directory>
</VirtualHost>

When systemctl start httpd is executed on Fedora 24, the following is logged:

[root@fedora-24-pulp-2-12 ~]# journalctl -u httpd | tail
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: Starting The Apache HTTP Server...
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.100.131. Set the 'ServerName' directive globally to suppress this message
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:2375
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:2375
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: no listening sockets available, shutting down
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: AH00015: Unable to open logs
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: Failed to start The Apache HTTP Server.
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Unit entered failed state.
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Failed with result 'exit-code'.

Here's some debugging output:

[root@fedora-24-pulp-2-12 ~]# audit2allow -al

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_use_openstack'
allow httpd_t commplex_main_port_t:tcp_socket name_bind;
[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-24-pulp-2-12 ~]# cat /var/log/audit/audit.log

type=USER_AVC msg=audit(1492453129.831:473): pid=691 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0
:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1492453129.841:474): policy loaded auid=0 ses=3
type=USER_AVC msg=audit(1492453134.644:475): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  re
ceived setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1492453134.644:476): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  re
ceived policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1492453134.689:477): avc:  denied  { name_bind } for  pid=1867 comm="httpd" src=5000 scontext=system_u:system_r:htt
pd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1492453134.743:478): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='uni
t=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.054:479): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:82:0b:b4:05:e1:a8:86:b9:12:b9:63:2c:93:47:23:02:ac:ef:28:f3:c3:d9:04:83:e7:de:29:4f:04:c9:50:83 direction
=? spid=1081 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.055:480): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=session fp=? direction=both spid=1081 suid=0 rport=55880 laddr=192.168.100.131 lport=22  exe="/usr/sbin/sshd" hostname=? a
ddr=192.168.100.1 terminal=? res=success'
type=USER_END msg=audit(1492453136.062:481): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:sess
ion_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="ro
ot" exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1492453136.063:482): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:set
cred grantors=pam_env,pam_unix,pam_reauthorize acct="root" exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh
 res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.063:483): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:6c:43:63:95:4b:66:1f:fd:ca:5b:26:56:62:ee:5e:38:21:ed:a9:1b:64:8d:b1:ef:29:7d:ee:76:41:af:18:b7 direction
=? spid=1044 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.065:484): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:6c:fc:0e:72:92:8d:8e:8d:c0:3f:6a:9a:02:9e:59:73:a9:18:87:e3:bf:f2:28:d3:dd:30:06:e5:41:f4:f1:66 direction
=? spid=1044 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.065:485): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:82:0b:b4:05:e1:a8:86:b9:12:b9:63:2c:93:47:23:02:ac:ef:28:f3:c3:d9:04:83:e7:de:29:4f:04:c9:50:83 direction
=? spid=1044 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'

Similar errors occur when port 5,000 is listed in the Apache configuration file, and similar errors also occur on Fedora 25 and RHEL 7.

History

#2 Updated by ttereshc over 3 years ago

@ipanova will comment on the issue, we will triage it next time.

#3 Updated by bmbouter over 3 years ago

We should first pick the right ports to run on. I'm not sure what those are.

Once those are done we should see if there is a refpol interface that provides access to those ports. Once we know the port we can look for these.

As an aside this part of the comment isn't usable because it's showing an error:

[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]

I think ^ needs to be run with sudo and/or you need to install the selinux-policy-devel package.

#4 Updated by Ichimonji10 over 3 years ago

I think ^ needs to be run with sudo and/or you need to install the selinux-policy-devel package.

Installing selinux-policy-devel did the trick.

[root@fedora-24-pulp-2-12 ~]# audit2allow -al

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_use_openstack'
allow httpd_t commplex_main_port_t:tcp_socket name_bind;
[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral

require {
        type httpd_t;
}

#============= httpd_t ==============
corenet_tcp_bind_commplex_main_port(httpd_t)

#5 Updated by Ichimonji10 over 3 years ago

We should first pick the right ports to run on. I'm not sure what those are.

I chatted with Dennis and Elyezer about this. I think the right port is port 5000.

Ports 2375, 2376 and 2377 are set aside for Docker. However, those ports seem to be for controlling the local Docker daemon, not for talking to docker registries. In other words, the Docker daemon talks to registries on some arbitrary port (like port 80, 443 or 5,000), and scripts for programmatically controlling the Docker daemon talk on ports 2375, 2376 and/or 2377.

At least, that's my understanding of the situation.

#6 Updated by ttereshc over 3 years ago

  • Priority changed from Normal to High
  • Severity changed from 2. Medium to 3. High
  • Triaged changed from No to Yes

#7 Updated by ipanova@redhat.com over 3 years ago

  • Parent task set to #1166

#8 Updated by bmbouter over 1 year ago

  • Status changed from NEW to CLOSED - WONTFIX

#9 Updated by bmbouter over 1 year ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#10 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF