Bug #16856
SELinux is preventing access to websockify console from Foreman
Status: Rejected
Priority: Normal
Assignee: -
Category: Plugins
Target version: -
Description
When running standalone Foreman, Foreman console connections to VMs do not work. From audit.log:
type=AVC msg=audit(1476167279.514:333250): avc: denied { getattr } for pid=53464 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc: denied { open } for pid=53478 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc: denied { read } for pid=53478 comm="websockify.py" name="foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
After disabling SELinux or installing package katello-selinux-3.0.1-1.el7, the problem does not occur.
There must be some additional SELinux issues not logged in audit.log (I tried with a custom module allowing websockify_t access to cert_t and it still did not work).
I suspect the change https://github.com/theforeman/foreman-selinux/commit/96804f360a7e0dec6e65bafd14970f11299fb6f0#diff-436493bef633fed53e11796b45ca37e2 introduced in 1.12 removed some SELinux rules required for websockify/console to function for Foreman installations without Katello.
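An added example, not part of the original report or of the Foreman project's code: a small Python parser that groups the AVC records quoted in the description by source type, target type and object class, showing that all three concern a single access (websockify_t on cert_t files). The function names are hypothetical; the sample records are copied from the report.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report, one per line.
SAMPLE = """\
type=AVC msg=audit(1476167279.514:333250): avc: denied { getattr } for pid=53464 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc: denied { open } for pid=53478 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc: denied { read } for pid=53478 comm="websockify.py" name="foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
"""

# One match per denial; finditer also copes with records pasted onto a single line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    needed = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)


def as_rules(needed):
    """Render each group in allow-rule syntax, for review rather than blind loading."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(needed.items())
    ]


if __name__ == "__main__":
    for rule in as_rules(summarize(SAMPLE)):
        print(rule)
```

Denials suppressed by dontaudit rules never reach audit.log, so a summary like this covers only what was actually logged.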