Project

Profile

Help

Issue #2719

closed

Story #1166: As a user, I can install a crane-selinux rpm

Need to choose a port, and ship SELinux policy for network connections

Added by Ichimonji10 over 7 years ago. Updated over 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
High
Assignee:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version - Crane:
Platform Release:
Target Release - Crane:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

The Crane documentation weakly suggests that port 5,000 be used for its configuration. Additionally, the Crane RPM package does not (AFAICT) install an SELinux policy that makes some port available for use. Can we more strongly suggest which port should be used and make the Crane RPM package install an SELinux policy making that network port available for use?

There's at least two good options for which port to use. One is to use 5,000, because we already weakly suggest that users use this port, and because the Docker documentation weakly suggests that port 5,000 be used for private registries. Another option is to use the official ports assigned to Docker. From /etc/services:

docker          2375/tcp                # Docker REST API (plain text)
docker-s        2376/tcp                # Docker REST API (ssl)

Given that Crane implements a sub-set of the Docker API, why not use the ports set aside for the Docker API?

Here's what happens when the following configuration file is installed in /etc/httpd/conf.d/pulp_crane.conf:

# Place this config in /etc/httpd/conf.d/. Use with Apache 2.4+. See:
#
# * https://docs.pulpproject.org/plugins/crane/index.html
# * https://modwsgi.readthedocs.io/en/develop/user-guides/quick-configuration-guide.html
#
# Note the following entries in /etc/services:
#
#     docker           2375/tcp
#     docker-s         2376/tcp
#
# At the same time, the Docker documentation weakly suggests using port 5000/tcp
# for a private registry.
#
Listen 2375
<VirtualHost *:2375>
    WSGIScriptAlias / /usr/share/crane/crane.wsgi
    <Location /crane>
        Require host localhost
    </Location>
    <Directory /usr/share/crane/>
        Require all granted
    </Directory>
</VirtualHost>

When systemctl start httpd is executed on Fedora 24, the following is logged:

[root@fedora-24-pulp-2-12 ~]# journalctl -u httpd | tail
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: Starting The Apache HTTP Server...
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.100.131. Set the 'ServerName' directive globally to suppress this message
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:2375
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:2375
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: no listening sockets available, shutting down
Apr 17 14:39:03 fedora-24-pulp-2-12 httpd[3607]: AH00015: Unable to open logs
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: Failed to start The Apache HTTP Server.
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Unit entered failed state.
Apr 17 14:39:03 fedora-24-pulp-2-12 systemd[1]: httpd.service: Failed with result 'exit-code'.

Here's some debugging output:

[root@fedora-24-pulp-2-12 ~]# audit2allow -al

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_use_openstack'
allow httpd_t commplex_main_port_t:tcp_socket name_bind;
[root@fedora-24-pulp-2-12 ~]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-24-pulp-2-12 ~]# cat /var/log/audit/audit.log

type=USER_AVC msg=audit(1492453129.831:473): pid=691 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0
:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1492453129.841:474): policy loaded auid=0 ses=3
type=USER_AVC msg=audit(1492453134.644:475): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  re
ceived setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1492453134.644:476): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  re
ceived policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1492453134.689:477): avc:  denied  { name_bind } for  pid=1867 comm="httpd" src=5000 scontext=system_u:system_r:htt
pd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1492453134.743:478): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='uni
t=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.054:479): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:82:0b:b4:05:e1:a8:86:b9:12:b9:63:2c:93:47:23:02:ac:ef:28:f3:c3:d9:04:83:e7:de:29:4f:04:c9:50:83 direction
=? spid=1081 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.055:480): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=session fp=? direction=both spid=1081 suid=0 rport=55880 laddr=192.168.100.131 lport=22  exe="/usr/sbin/sshd" hostname=? a
ddr=192.168.100.1 terminal=? res=success'
type=USER_END msg=audit(1492453136.062:481): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:sess
ion_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="ro
ot" exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1492453136.063:482): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:set
cred grantors=pam_env,pam_unix,pam_reauthorize acct="root" exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh
 res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.063:483): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:6c:43:63:95:4b:66:1f:fd:ca:5b:26:56:62:ee:5e:38:21:ed:a9:1b:64:8d:b1:ef:29:7d:ee:76:41:af:18:b7 direction
=? spid=1044 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.065:484): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:6c:fc:0e:72:92:8d:8e:8d:c0:3f:6a:9a:02:9e:59:73:a9:18:87:e3:bf:f2:28:d3:dd:30:06:e5:41:f4:f1:66 direction
=? spid=1044 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1492453136.065:485): pid=1044 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=d
estroy kind=server fp=SHA256:82:0b:b4:05:e1:a8:86:b9:12:b9:63:2c:93:47:23:02:ac:ef:28:f3:c3:d9:04:83:e7:de:29:4f:04:c9:50:83 direction
=? spid=1044 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.100.1 terminal=? res=success'

Similar errors occur when port 5,000 is listed in the Apache configuration file, and similar errors also occur on Fedora 25 and RHEL 7.

Also available in: Atom PDF