Issue #2719
closed
Story #1166: As a user, I can install a crane-selinux rpm
Need to choose a port, and ship SELinux policy for network connections
Description
The Crane documentation weakly suggests that port 5,000 be used for its configuration. Additionally, the Crane RPM package does not (AFAICT) install an SELinux policy that makes some port available for use. Can we more strongly suggest which port should be used and make the Crane RPM package install an SELinux policy making that network port available for use?
There's at least two good options for which port to use. One is to use 5,000, because we already weakly suggest that users use this port, and because the Docker documentation weakly suggests that port 5,000 be used for private registries. Another option is to use the official ports assigned to Docker. From /etc/services:
docker 2375/tcp # Docker REST API (plain text)
docker-s 2376/tcp # Docker REST API (ssl)
Given that Crane implements a sub-set of the Docker API, why not use the ports set aside for the Docker API?
Here's what happens when the following configuration file is installed in /etc/httpd/conf.d/pulp_crane.conf:
# Place this config in /etc/httpd/conf.d/. Use with Apache 2.4+. See:
#
# * https://docs.pulpproject.org/plugins/crane/index.html
# * https://modwsgi.readthedocs.io/en/develop/user-guides/quick-configuration-guide.html
#
# Note the following entries in /etc/services:
#
# docker 2375/tcp
# docker-s 2376/tcp
#
# At the same time, the Docker documentation weakly suggests using port 5000/tcp
# for a private registry.
#
Listen 2375
<VirtualHost *:2375>
WSGIScriptAlias / /usr/share/crane/crane.wsgi
<Location /crane>
Require host localhost
</Location>
<Directory /usr/share/crane/>
Require all granted
</Directory>
</VirtualHost>
When systemctl start httpd is executed on Fedora 24, the following is logged:
[root@fedora-24-pulp-2-12 ~]# journalctl -u httpd | tail
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: Starting The Apache HTTP Server...
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.100.131. Set the 'ServerName' directive globally to suppress this message
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:2375
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:2375
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: no listening sockets available, shutting down
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: AH00015: Unable to open logs
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: Failed to start The Apache HTTP Server.
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Unit entered failed state.
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Failed with result 'exit-code'.
Here's some debugging output:
[root@fedora-24-pulp-2-12 ~]# audit2allow -al
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_use_openstack'
allow httpd_t commplex_main_port_t:tcp_socket name_bind;
[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-24-pulp-2-12 ~]# cat /var/log/audit/audit.log
type=USER_AVC msg=audit(1492453129.831:473): pid=691 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0
:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1492453129.841:474): policy loaded auid=0 ses=3
type=USER_AVC msg=audit(1492453134.644:475): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: re
ceived setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1492453134.644:476): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: re
ceived policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1492453134.689:477): avc: denied { name_bind } for pid=1867 comm="httpd" src=5000 scontext=system_u:system_r:htt
pd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1492453134.743:478): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='uni
t=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.054:479): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:82:0b:b4:05:e1:a8:86:b9:12:b9:63:2c:93:47:23:02:ac:ef:28:f3:c3:d9:04:83:e7:de:29:4f:04:c9:50:83 direction
=? spid=1081 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.055:480): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=session fp=? direction=both spid=1081 suid=0 rport=55880 laddr=192.168.100.131 lport=22 exe="/usr/sbin/sshd" hostname=? a
ddr=192.168.100.1 terminal=? res=success'
type=USER_END msg=audit(1492453136.062:481): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:sess
ion_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="ro
ot" exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1492453136.063:482): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:set
cred grantors=pam_env,pam_unix,pam_reauthorize acct="root" exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh
res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.063:483): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:6c:43:63:95:4b:66:1f:fd:ca:5b:26:56:62:ee:5e:38:21:ed:a9:1b:64:8d:b1:ef:29:7d:ee:76:41:af:18:b7 direction
=? spid=1044 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.065:484): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:6c:fc:0e:72:92:8d:8e:8d:c0:3f:6a:9a:02:9e:59:73:a9:18:87:e3:bf:f2:28:d3:dd:30:06:e5:41:f4:f1:66 direction
=? spid=1044 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.065:485): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:82:0b:b4:05:e1:a8:86:b9:12:b9:63:2c:93:47:23:02:ac:ef:28:f3:c3:d9:04:83:e7:de:29:4f:04:c9:50:83 direction
=? spid=1044 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
Similar errors occur when port 5,000 is listed in the Apache configuration file, and similar errors also occur on Fedora 25 and RHEL 7.
Updated by Ichimonji10 about 7 years ago
This issue blocks https://github.com/pulp/pulp_packaging/pull/346
Updated by ttereshc about 7 years ago
@ipanova will comment on the issue, we will triage it next time.
Updated by bmbouter almost 7 years ago
We should first pick the right ports to run on. I'm not sure what those are.
Once those are done we should see if there is a refpol interface that provides access to those ports. Once we know the port we can look for these.
As an aside this part of the comment isn't usable because it's showing an error:
[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
I think ^ needs to be run with sudo and/or you need to install the selinux-policy-devel package.
Updated by Ichimonji10 almost 7 years ago
I think ^ needs to be run with sudo and/or you need to install the selinux-policy-devel package.
Installing selinux-policy-devel did the trick.
[root@fedora-24-pulp-2-12 ~]# audit2allow -al
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_use_openstack'
allow httpd_t commplex_main_port_t:tcp_socket name_bind;
[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral
require {
type httpd_t;
}
#============= httpd_t ==============
corenet_tcp_bind_commplex_main_port(httpd_t)
Updated by Ichimonji10 almost 7 years ago
We should first pick the right ports to run on. I'm not sure what those are.
I chatted with Dennis and Elyezer about this. I think the right port is port 5000.
Ports 2375, 2376 and 2377 are set aside for Docker. However, those ports seem to be for controlling the local Docker daemon, not for talking to docker registries. In other words, the Docker daemon talks to registries on some arbitrary port (like port 80, 443 or 5,000), and scripts for programmatically controlling the Docker daemon talk on ports 2375, 2376 and/or 2377.
At least, that's my understanding of the situation.
Updated by ttereshc almost 7 years ago
- Priority changed from Normal to High
- Severity changed from 2. Medium to 3. High
- Triaged changed from No to Yes
Updated by bmbouter about 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
Updated by bmbouter about 5 years ago
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.
.