Bug #7729

Websockify not allowed to read certs

Added by Stephen Benjamin about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assigned To: Stephen Benjamin
Category: Compute resources
Target version: Foreman - Sprint 29
Difficulty:
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/foreman-selinux/pull/34
Story points: -
Velocity based estimate: -
Release: 1.6.1
Release relationship: Auto

Description

Katello uses certs in /etc/pki/katello for websockets, but access to these is denied by SELinux:

type=AVC msg=audit(1411858309.569:172): avc:  denied  { getattr } for  pid=24576 comm="websockify.py" path="/etc/pki/katello/private/katello-apache.key" dev=dm-0 ino=1838759 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1411858309.569:172): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffd3c6b3a0 a2=7fffd3c6b3a0 a3=18 items=0 ppid=24575 pid=24576 auid=0
type=AVC msg=audit(1411858309.570:173): avc: denied { read } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1411858309.570:173): avc: denied { open } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
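
The records above can be reduced to the access they describe. The following is an added example, not part of the original report or of foreman-selinux: it groups the AVC denials by source type, target type and class, and flags audit events whose SYSCALL record shows the call succeeded despite the denial, which is what permissive mode produces. The function names are illustrative, and the printed rule only summarizes the denials; it is not the change made in the pull request.

```python
import re
from collections import defaultdict

# Audit records copied from the report above.
AUDIT_LOG = """\
type=AVC msg=audit(1411858309.569:172): avc:  denied  { getattr } for  pid=24576 comm="websockify.py" path="/etc/pki/katello/private/katello-apache.key" dev=dm-0 ino=1838759 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1411858309.569:172): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffd3c6b3a0 a2=7fffd3c6b3a0 a3=18 items=0 ppid=24575 pid=24576 auid=0
type=AVC msg=audit(1411858309.570:173): avc: denied { read } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1411858309.570:173): avc: denied { open } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
AVC = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def se_type(context):
    # An SELinux context is user:role:type:level; policy rules use the type.
    return context.split(":")[2]

def summarize(log):
    """Return (denied permissions per (source, target, class), suspect events)."""
    denied = defaultdict(set)
    avc_events, succeeded = set(), set()
    for line in log.splitlines():
        ev = EVENT_ID.search(line)
        if not ev:
            continue
        m = AVC.search(line)
        if line.startswith("type=AVC") and m:
            perms, scon, tcon, tclass = m.groups()
            denied[(se_type(scon), se_type(tcon), tclass)].update(perms.split())
            avc_events.add(ev.group(1))
        elif line.startswith("type=SYSCALL") and " success=yes" in line:
            succeeded.add(ev.group(1))
    # Same event id in both sets: access was denied yet the syscall succeeded.
    return denied, sorted(avc_events & succeeded)

def allow_rules(denied):
    """Render each group in the allow-rule form used for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denied.items())]

if __name__ == "__main__":
    denied, suspect = summarize(AUDIT_LOG)
    for rule in allow_rules(denied):
        print(rule)
    for event in suspect:
        print(f"event {event}: denied, but the syscall succeeded")
```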

Associated revisions

Revision 01ba3e1e
Added by Stephen Benjamin about 3 years ago

fixes #7729 - allow websockify to read certs

History

#1 Updated by Stephen Benjamin about 3 years ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Stephen Benjamin
  • Target version set to Sprint 29
  • Pull request https://github.com/theforeman/foreman-selinux/pull/34 added

#2 Updated by Dominic Cleal about 3 years ago

  • Category set to Compute resources
  • Release set to 1.6.1

#3 Updated by Anonymous about 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
