This repository was archived by the owner on Sep 5, 2025. It is now read-only.
selinux prevents httpd binding to 5000 #200
Hi
The module couldn't start httpd
==> test.vagrant.local: Error: Could not start Service[httpd]: Execution of '/bin/systemctl start httpd' returned 1: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
==> test.vagrant.local: Error: /Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/bin/systemctl start httpd' returned 1: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Because httpd couldn't use port 5000
[root@test vagrant]# journalctl -u httpd
-- Logs begin at Tue 2017-03-07 14:59:06 CET, end at Tue 2017-03-07 15:14:34 CET. --
Mar 07 15:09:24 test.vagrant.local systemd[1]: Starting The Apache HTTP Server...
Mar 07 15:09:24 test.vagrant.local httpd[29148]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
Mar 07 15:09:24 test.vagrant.local httpd[29148]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Mar 07 15:09:24 test.vagrant.local httpd[29148]: no listening sockets available, shutting down
Mar 07 15:09:24 test.vagrant.local httpd[29148]: AH00015: Unable to open logs
Mar 07 15:09:24 test.vagrant.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 07 15:09:24 test.vagrant.local kill[29150]: kill: cannot find process ""
Mar 07 15:09:24 test.vagrant.local systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 07 15:09:24 test.vagrant.local systemd[1]: Failed to start The Apache HTTP Server.
Mar 07 15:09:24 test.vagrant.local systemd[1]: Unit httpd.service entered failed state.
Mar 07 15:09:24 test.vagrant.local systemd[1]: httpd.service failed.
... because selinux is a wonderful security feature
[root@test vagrant]# grep httpd /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1488895764.283:1447): avc: denied { name_bind } for pid=29148 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1488895764.283:1448): avc: denied { name_bind } for pid=29148 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
Here's the boolean to allow it:
# grep httpd /var/log/audit/audit.log | grep denied | audit2allow -M httpd5000; cat httpd5000.te
#!!!! This avc can be allowed using the boolean 'httpd_use_openstack'
selinux::boolean { 'httpd_use_openstack': }
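Added example, not part of the issue or the module: a small POSIX shell helper that turns raw AVC records into a one-line-per-denial summary (source domain, permission, protocol/port, and the SELinux port type), so the reason behind a "Permission denied" on `bind()` is visible before reaching for `audit2allow`. The sample records are constructed to match the shape of the issue's `audit.log` output, plus one made-up `name_connect` line for contrast; on a live host, replace the sample with `grep AVC /var/log/audit/audit.log | summarize_avc`. One caveat the summary makes obvious: `httpd_use_openstack` is a broad boolean, and the narrower fix for this specific denial is to give tcp/5000 the `http_port_t` label (`semanage port -m -t http_port_t -p tcp 5000`, using `-m` because policy already labels that port `commplex_main_port_t`); that alternative is my note, not something the issue states.

```shell
#!/bin/sh
# Summarise SELinux AVC socket denials from audit.log lines.
# Added example; not code from the issue or the puppet-selinux module.

# Constructed sample records (first two mirror the issue's output, the third is invented).
SAMPLE_AVC='type=AVC msg=audit(1488895764.283:1447): avc: denied { name_bind } for pid=29148 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1488895764.283:1448): avc: denied { name_bind } for pid=29148 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1488895764.283:1449): avc: denied { name_connect } for pid=29148 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'

# Read AVC records on stdin; print "<count> <domain> <perm> <proto>/<port> (port type <type>)",
# one line per distinct denial, sorted. Tolerates the single- or double-space
# variants of "avc:  denied" that different auditd versions emit.
summarize_avc() {
  awk '
    /avc:[[:space:]]*denied/ {
      perm = ""; port = ""; sdom = ""; ttype = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        # the permission is the token between "{" and "}"
        if ($i == "{") perm = $(i + 1)
        split($i, kv, "=")
        if (kv[1] == "src" || kv[1] == "dest") port = kv[2]
        # third colon-separated field of a context is the type (e.g. httpd_t)
        if (kv[1] == "scontext") { split(kv[2], c, ":"); sdom = c[3] }
        if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        if (kv[1] == "tclass") { proto = kv[2]; sub(/_socket$/, "", proto) }
      }
      # only socket denials carry a port; skip file/other classes
      if (port != "" && proto != "") {
        key = sdom " " perm " " proto "/" port " (port type " ttype ")"
        seen[key]++
      }
    }
    END { for (k in seen) print seen[k], k }
  ' | sort
}

# Demo on the constructed sample; on a real host use:
#   grep AVC /var/log/audit/audit.log | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

The output for the sample reads `2 httpd_t name_bind tcp/5000 (port type commplex_main_port_t)`, which says directly what the issue worked out by hand: port 5000 belongs to a port type that the `httpd_t` domain is not allowed to bind unless a boolean opens it or the port is relabelled.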