Bug #16856

closed

SELinux is preventing access to websockify console from Foreman

Added by Raul Laansoo almost 8 years ago. Updated almost 8 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Plugins
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When running standalone Foreman, Foreman console connections to VMs do not work. From audit.log:

type=AVC msg=audit(1476167279.514:333250): avc:  denied  { getattr } for  pid=53464 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc:  denied  { open } for  pid=53478 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1476167292.532:333251): avc:  denied  { read } for  pid=53478 comm="websockify.py" name="foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

After disabling SELinux or installing package katello-selinux-3.0.1-1.el7, the problem does not occur.

There must be some additional SELinux issues not logged in audit.log (I tried with a custom module allowing websockify_t access to cert_t and it still did not work).

I suspect the change https://github.com/theforeman/foreman-selinux/commit/96804f360a7e0dec6e65bafd14970f11299fb6f0#diff-436493bef633fed53e11796b45ca37e2 introduced in 1.12 removed some SELinux rules required for websockify/console to function for Foreman installations without Katello.
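
As an added illustration (not part of the original report and not Foreman or foreman-selinux code), this Python example parses the three AVC records quoted in the description and collapses them into the type-enforcement rule they correspond to, similar to what audit2allow reports. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report above, copied verbatim.
AUDIT_LINES = [
    'type=AVC msg=audit(1476167279.514:333250): avc:  denied  { getattr } for  pid=53464 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file',
    'type=AVC msg=audit(1476167292.532:333251): avc:  denied  { open } for  pid=53478 comm="websockify.py" path="/etc/pki/tls/certs/foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file',
    'type=AVC msg=audit(1476167292.532:333251): avc:  denied  { read } for  pid=53478 comm="websockify.py" name="foreman.crt" dev="dm-0" ino=203438499 scontext=system_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m["perms"].split(),
        # A context is user:role:type:level; policy rules name only the type.
        "source": m["scon"].split(":")[2],
        "target": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
    }


def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return grouped


def to_rules(grouped):
    """Render each group as the allow rule the logged denials correspond to."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in to_rules(summarize(AUDIT_LINES)):
        print(rule)
```

Only logged denials appear in this summary; denials covered by dontaudit rules are never written to audit.log.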
