SELinux

Foreman on RHEL6 and Fedora fully supports SELinux; the policy is installed and enabled by default, so running SELinux in Enforcing mode is recommended. The policy can be downloaded from https://github.com/theforeman/foreman-selinux

How to report errors

Please open an ordinary issue and set the component to "SELinux". Include information on how to reproduce the denials, and paste the relevant denials into the comment:

grep AVC /var/log/audit/audit.log

Also note that we usually need the output of this command:

ps auxwwwZ

Providing information via the foreman-debug command also helps us investigate, because it contains the full audit.log (compressed).
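A small helper for triaging denials before reporting them, added here as an example (not part of the Foreman documentation or the foreman-selinux project): it groups AVC records from an audit log by source domain, target type, object class and permission, and keeps the destination port so an unlabeled port (which would need `semanage port`) stands out. The audit lines are constructed sample data.

```sh
#!/bin/sh
# Summarise AVC denials: count per (source domain -> target type, class,
# permission [, dest port]) so a report carries the relevant denials only.
summarize_avc() {
    grep 'type=AVC' "$1" | awk '{
        src = ""; tgt = ""; cls = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "dest") dst = kv[2]
        }
        # the permission(s) sit inside the braces: { name_connect }
        match($0, /[{] [^}]* [}]/)
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        split(src, s, ":"); split(tgt, t, ":")   # third field is the type
        key = s[3] " -> " t[3] " " cls " " perm
        if (dst != "") key = key " dest=" dst
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Constructed sample audit.log (not a real capture) for a dry run.
write_sample_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1400000000.001:101): avc:  denied  { name_connect } for  pid=2101 comm="ruby" dest=5432 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1400000000.001:101): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1400000000.002:102): avc:  denied  { name_connect } for  pid=2101 comm="ruby" dest=5432 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.003:103): avc:  denied  { name_connect } for  pid=2101 comm="ruby" dest=9876 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000000.004:104): avc:  denied  { read } for  pid=2101 comm="ruby" name="settings.yaml" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
    echo "$f"
}

# Usage on a real host: summarize_avc /var/log/audit/audit.log
```

A line such as `passenger_t -> unreserved_port_t tcp_socket name_connect dest=9876` means the port carries no Foreman label yet, which is the case the "Changing Foreman Proxy port" section covers.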

Available SELinux booleans

These are booleans which allow you to tune the Foreman policy. They can be enabled with

semanage boolean --on boolean_name

or disabled with

semanage boolean --off boolean_name

passenger_run_foreman

On by default. Whether Foreman is running under Phusion Passenger or not.

passenger_run_puppetmaster

On by default. Whether Puppet Master is running under Phusion Passenger or not.

passenger_can_connect_all

Off by default. When enabled, Foreman is allowed to connect to any port, not only those listed below.

SELinux ports

Foreman is allowed to connect to the following ports:

  • httpd_port_t (80, 81, 443, 488, 8008, 8009, 8443, 9000)
  • websm_port_t (9090)
  • foreman_proxy_port_t (empty by default)
  • postgresql_port_t (5432)
  • virt_port_t (16509, 16514)
  • ssh_port_t (22)
  • vnc_port_t (5900-5999)

Changing Foreman Proxy port

Foreman Proxy is usually configured on port 8443 or 9090, but when needed, any port can be defined:

semanage port -a -t foreman_proxy_port_t -p tcp 9876

Tips for debugging

If you identify a part of the code you want to test separately, you can easily run a script in the passenger_t domain:

runcon -u system_u -r system_r -t unconfined_t -- runcon -t passenger_t -- your_script.rb

To reinitialize SELinux, use

semodule -B

or

setenforce 1 && setenforce 0