Bug #16856

closed

SELinux is preventing access to websockify console from Foreman

Added by Raul Laansoo over 7 years ago. Updated over 7 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Plugins
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When running standalone Foreman, Foreman console connections to VMs do not work. From audit.log

type=AVC msg=audit(1476167279.514:333250): avc:  denied  { getattr } for  pid=53464 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc:  denied  { open } for  pid=53478 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc:  denied  { read } for  pid=53478 comm="websockify.py" name="foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

After disabling SELinux or installing the package katello-selinux-3.0.1-1.el7, the problem does not occur.

There must be some additional SELinux issues not logged in audit.log (I tried with a custom module allowing websockify_t access to cert_t and it still did not work).

I suspect the change https://github.com/theforeman/foreman-selinux/commit/96804f360a7e0dec6e65bafd14970f11299fb6f0#diff-436493bef633fed53e11796b45ca37e2 introduced in 1.12 removed some SELinux rules required for websockify/console to function for Foreman installations without Katello.
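As an added example (not part of this bug report and not Foreman's or Katello's own tooling), the following Python parser reads `type=AVC` records such as the three quoted above and aggregates them by source type, target type and object class. Seeing the denials collapse to a single "websockify_t -> cert_t (file): getattr, open, read" row is what tells a defender this is a labelling/policy-package question (which policy module grants websockify_t access to cert_t, and why the certificate is labelled cert_t in the first place) rather than three unrelated faults. The sample log is constructed from the records in the report plus one non-AVC line to show that unrelated record types are skipped.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three AVC records quoted in the bug report,
# followed by one made-up SYSCALL record to exercise the "skip non-AVC" path.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1476167279.514:333250): avc:  denied  { getattr } for  pid=53464 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc:  denied  { open } for  pid=53478 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc:  denied  { read } for  pid=53478 comm="websockify.py" name="foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1476167292.532:333251): arch=c000003e syscall=2 success=no exit=-13 comm="websockify.py"
"""

# Shape of an AVC record: header, verdict, permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    timestamp: float
    serial: int
    result: str            # "denied" or "granted"
    perms: frozenset       # e.g. {"getattr"}
    pid: int
    comm: str              # process name as reported by the kernel
    target: str            # path= when present, otherwise name=
    source_type: str       # type component of scontext, e.g. websockify_t
    target_type: str       # type component of tcontext, e.g. cert_t
    tclass: str            # object class, e.g. file


def _context_type(ctx: str) -> str:
    """Return the type field (third component) of an SELinux context string."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc_line(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=frozenset(m.group("perms").split()),
        pid=int(fields.get("pid", "0")),
        comm=fields.get("comm", ""),
        target=fields.get("path") or fields.get("name", ""),
        source_type=_context_type(fields.get("scontext", "")),
        target_type=_context_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
    )


def parse_audit_log(text: str, denied_only: bool = True) -> List[AvcRecord]:
    """Parse a whole audit.log excerpt, keeping only denials unless told otherwise."""
    records = [r for r in map(parse_avc_line, text.splitlines()) if r is not None]
    return [r for r in records if r.result == "denied"] if denied_only else records


def summarize(records: List[AvcRecord]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group denials by (source type, target type, class) and union their permissions."""
    grouped: Dict[Tuple[str, str, str], set] = defaultdict(set)
    for r in records:
        grouped[(r.source_type, r.target_type, r.tclass)].update(r.perms)
    return {key: sorted(perms) for key, perms in grouped.items()}


def describe(summary: Dict[Tuple[str, str, str], List[str]]) -> List[str]:
    """Render the summary as one human-readable line per (source, target, class) triple."""
    return [f"{src} -> {tgt} ({cls}): {', '.join(perms)}"
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    denials = parse_audit_log(SAMPLE_AUDIT_LOG)
    for line in describe(summarize(denials)):
        print(line)
    # Paths help decide whether the file carries the label the policy expects.
    print("targets:", sorted({r.target for r in denials}))
```

The summary is meant for triage, not for feeding into an allow rule: the same three permissions can be explained either by a missing policy module or by the certificate sitting under a label the installed policy never intended, and only the path and label (here /etc/pki/tls/certs/foreman.crt as cert_t) distinguish the two.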

Actions #1

Updated by Lukas Zapletal over 7 years ago

  • Assignee set to Lukas Zapletal

Foreman core is configured with /var/lib/puppet/ssl/private_keys/ certs which are of type puppet_var_lib_t.

Actions #2

Updated by The Foreman Bot over 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/62 added

Actions #3

Updated by Lukas Zapletal over 7 years ago

  • Status changed from Ready For Testing to Rejected
  • Assignee deleted (Lukas Zapletal)
  • Pull request deleted (https://github.com/theforeman/foreman-selinux/pull/62)

Alright, I take the change back.

This is correct behavior: when the katello-selinux package is not installed, websockify can't read cert_t files. That's expected.

If you installed via katello-installer (or foreman-installer --scenario katello), katello-selinux should have been present. If not, it's a bug on the installer project.

The rule you mention is in the katello-selinux codebase (it was moved from foreman-selinux). If you made an upgrade, you need to install the package.

Actions #4

Updated by Raul Laansoo over 7 years ago

> If you installed via katello-installer (or foreman-installer --scenario katello), katello-selinux should have been present. If not, it's a bug on the installer project.

This Foreman instance was installed using Puppet via puppet-foreman module.

Actions #5

Updated by Lukas Zapletal over 7 years ago

> This Foreman instance was installed using Puppet via puppet-foreman module.

You must be missing the katello-selinux package, check your puppet setup and make sure it's installed.

Feel free to reopen if you find an issue with our installer or module.
