Project

General

Profile

Actions

Feature #22317

closed

Introduce websockify_can_connect_all boolean for non-VNC connections

Added by Diddi Oskarsson about 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

On a fresh all-in-one installation of foreman with foreman-installer --scenario katello on Centos 7 I can't get the noVNC console to work.

When trying to connect to the console I get the following in audit.log

type=AVC msg=audit(1516297409.070:335): avc:  denied  { name_connect } for  pid=1728 comm="websockify.py" dest=39124 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1516297409.070:335): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7ffc006407d0 a2=10 a3=1 items=0 ppid=1720 pid=1728 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="websockify.py" exe="/usr/bin/python2.7" subj=system_u:system_r:websockify_t:s0 key=(null)

I have successfully installed the server certificate and disabling SELinux (setenforce 0) will make the console work. However I can't get it to work with SELinux enabled, even with foreman-selinux and katello-selinux packages installed.

Server is Centos 7.4
Foreman 1.16.0
Katello 3.5.0
Foreman-selinux 1.16.0
Katello-selinux 3.0.2

Actions #1

Updated by Lukas Zapletal about 6 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from SELinux denies websockify on Centos 7 to Introduce websockify_can_connect_all boolean for non-VNC connections

Hello there, our policy only allows connecting to VNC ports to websockify:

https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L394

You are trying to connect to some weird port identified as ephemeral_port_t, you need to tune the policy for that. Allow that or put websockify to permissive. Or modify firewall so you connect to what is considered a VNC port by SELinux.

I am turning this into work item of adding boolean websockify_can_connect_all that will do the job.

Actions #2

Updated by Diddi Oskarsson about 6 years ago

Thanks for your response.
I'm not sure why it's using a weird port as I haven't made any changes to the system or settings after the initial installation (at least not intentionally).

In any case, setting it to permissive as you suggest is working fine

[root@foreman ~]# semanage permissive -a websockify_t
[root@foreman ~]# semanage permissive -l

Customized Permissive Types

websockify_t
Actions #3

Updated by Lukas Zapletal about 6 years ago

Thanks, I will do the boolean in a minute so you can turn it on in future releases. Out of curiousity, what virtualization are you connecting to?

Actions #4

Updated by Diddi Oskarsson about 6 years ago

I'm connecting to a newly installed XenServer 7.3 pool.

Actions #5

Updated by The Foreman Bot about 6 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Pull request https://github.com/theforeman/foreman-selinux/pull/77 added
Actions #6

Updated by Lukas Zapletal almost 6 years ago

  • translation missing: en.field_release set to 330
Actions #7

Updated by Anonymous almost 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #8

Updated by Anonymous almost 6 years ago

  • Target version deleted (1.18.0)
Actions

Also available in: Atom PDF