Project

General

Profile

Feature #22317

Introduce websockify_can_connect_all boolean for non-VNC connections

Added by Diddi Oskarsson 11 months ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

On a fresh all-in-one installation of foreman with foreman-installer --scenario katello on Centos 7 I can't get the noVNC console to work.

When trying to connect to the console I get the following in audit.log

type=AVC msg=audit(1516297409.070:335): avc:  denied  { name_connect } for  pid=1728 comm="websockify.py" dest=39124 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1516297409.070:335): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7ffc006407d0 a2=10 a3=1 items=0 ppid=1720 pid=1728 auid=4294967295 uid=993 gid=990 euid=993 suid=993 fsuid=993 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm="websockify.py" exe="/usr/bin/python2.7" subj=system_u:system_r:websockify_t:s0 key=(null)

I have successfully installed the server certificate and disabling SELinux (setenforce 0) will make the console work. However I can't get it to work with SELinux enabled, even with foreman-selinux and katello-selinux packages installed.

Server is Centos 7.4
Foreman 1.16.0
Katello 3.5.0
Foreman-selinux 1.16.0
Katello-selinux 3.0.2

Associated revisions

Revision 3efbd524 (diff)
Added by Lukas Zapletal 7 months ago

Fixes #22317 - introduced websockify_can_connect_all

History

#1 Updated by Lukas Zapletal 11 months ago

  • Subject changed from SELinux denies websockify on Centos 7 to Introduce websockify_can_connect_all boolean for non-VNC connections
  • Tracker changed from Bug to Feature

Hello there, our policy only allows connecting to VNC ports to websockify:

https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L394

You are trying to connect to some weird port identified as ephemeral_port_t, you need to tune the policy for that. Allow that or put websockify to permissive. Or modify firewall so you connect to what is considered a VNC port by SELinux.

I am turning this into work item of adding boolean websockify_can_connect_all that will do the job.

#2 Updated by Diddi Oskarsson 11 months ago

Thanks for your response.
I'm not sure why it's using a weird port as I haven't made any changes to the system or settings after the initial installation (at least not intentionally).

In any case, setting it to permissive as you suggest is working fine

[root@foreman ~]# semanage permissive -a websockify_t
[root@foreman ~]# semanage permissive -l

Customized Permissive Types

websockify_t

#3 Updated by Lukas Zapletal 11 months ago

Thanks, I will do the boolean in a minute so you can turn it on in future releases. Out of curiousity, what virtualization are you connecting to?

#4 Updated by Diddi Oskarsson 11 months ago

I'm connecting to a newly installed XenServer 7.3 pool.

#5 Updated by The Foreman Bot 11 months ago

  • Assignee set to Lukas Zapletal
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/77 added

#6 Updated by Lukas Zapletal 7 months ago

  • Legacy Backlogs Release (now unused) set to 330

#7 Updated by Anonymous 7 months ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#8 Updated by Anonymous 5 months ago

  • Target version deleted (1.18.0)

Also available in: Atom PDF