Merge pull request #41 from mikedep333/proxies_and_custom_ports

Proxies and custom ports

README.md

@@ -5,7 +5,7 @@ The SELinux policy for Pulp 3.Y releases.
 ## Building
 
 ```
-sudo yum install -y selinux-policy-devel  policycoreutils
+sudo yum install -y selinux-policy-devel policycoreutils
 git clone https://github.com/pulp/pulpcore-selinux
 cd pulpcore-selinux
 
@@ -17,9 +17,9 @@ make -f /usr/share/selinux/devel/Makefile pulpcore_rhsmcertd.pp
 ## Installing
 
 ```
-semodule -i pulpcore_port.pp
-semodule -i pulpcore.pp
-semodule -i pulpcore_rhsmcertd.pp
+sudo semodule -i pulpcore_port.pp
+sudo semodule -i pulpcore.pp
+sudo semodule -i pulpcore_rhsmcertd.pp
 ```
 
 ## Labeling pulpcore\_port
@@ -28,20 +28,48 @@ semodule -i pulpcore_rhsmcertd.pp
 
 Apply the `pulpcore_port_t` SELinux type to ports 24816 and 24817 with:
 
-`semanage port -a -t pulpcore_port_t -p tcp 24816-24817`
+`sudo semanage port -a -t pulpcore_port_t -p tcp 24816-24817`
 
 
 ## Uninstalling
 
 Uninstall in the following order:
 
 ```
-semanage port -d -t pulpcore_port_t -p tcp 24816-24817
-semodule -r pulpcore_rhsmcertd
-semodule -r pulpcore
-semodule -r pulpcore_port
+sudo semanage port -d -t pulpcore_port_t -p tcp 24816-24817
+sudo semodule -r pulpcore_rhsmcertd
+sudo semodule -r pulpcore
+sudo semodule -r pulpcore_port
 ```
 
+# Additional configuration
+
+## Adding support for remote repos running on custom ports
+
+**Optional** By default, pulp is allowed to connect to web servers running on several standard or semi-standard ports: `80, 81, 443, 488, 8008, 8009, 8443, 9000`.
+
+If any of the remote repos you are trying to connect to are hosted on non-standard
+HTTP/HTTPS ports, you can configure Pulp to be able to talk to them like in the following example
+for port `10011`.
+
+`sudo semanage port -a  -t http_port_t -p tcp 10011`
+
+## Adding support for proxy servers running on custom ports
+
+**Optional** By default, pulp is allowed to connect to web proxy servers on several standard or semi-standard ports: `3128, 3401, 4827, 8080, 8118, 8123, 10001-10010`.
+
+If Pulp is configured to use a proxy server (in order to talk to remote repos), but the proxy
+server is on a non-standard port, you can configure Pulp to be able to talk to them like in the
+following example for port `10012`.
+
+`sudo semanage port -a  -t http_cache_port_t -p tcp 10012`
+
+**NOTE**: Technically Pulp can talk to any remote repo or proxy server running on any SELinux-recognized
+ports for web servers or for proxy servers. (They are effectively one cumulative list.)
+
+**NOTE**: To see the complete list of these ports currently recognized on your system, run:
+`sudo semanage port -l | grep -E "^http_port_t|^http_cache_port_t|^squid_port_t" | grep tcp`
+
 # Development
 
 ## Release Process

pulpcore.te

@@ -1,4 +1,4 @@
-policy_module(pulpcore, 1.2.6)
+policy_module(pulpcore, 1.2.7)
 
 require {
 	type httpd_config_t;
@@ -142,11 +142,13 @@ corecmd_exec_bin(pulpcore_server_t)
 corecmd_exec_shell(pulpcore_server_t)
 
 # mongod for pulp-2to3-migration plugin
+corenet_tcp_connect_http_cache_port(pulpcore_t)
 corenet_tcp_connect_http_port(pulpcore_t)
 corenet_tcp_connect_mongod_port(pulpcore_t)
 corenet_tcp_connect_postgresql_port(pulpcore_t)
 corenet_tcp_connect_pulpcore_port(pulpcore_t)
 corenet_tcp_connect_redis_port(pulpcore_t)
+corenet_tcp_connect_squid_port(pulpcore_t)
 corenet_tcp_bind_pulpcore_port(pulpcore_server_t)
 corenet_tcp_connect_http_port(pulpcore_server_t)
 corenet_tcp_connect_mongod_port(pulpcore_server_t)

pulpcore_port.te

@@ -1,4 +1,4 @@
-policy_module(pulpcore_port, 1.2.6)
+policy_module(pulpcore_port, 1.2.7)
 
 gen_require(`
     attribute port_type;

pulpcore_rhsmcertd.te

@@ -1,4 +1,4 @@
-policy_module(pulpcore_rhsmcertd, 1.2.6)
+policy_module(pulpcore_rhsmcertd, 1.2.7)
 
 gen_require(`
 	type pulpcore_server_t, rhsmcertd_config_t;