Bug #35093

open

Missing selinux rule for ssh + puma + kerberos

Added by Ben Magistro almost 2 years ago. Updated almost 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

OS: CentOS 7.9
TFM: 2.1.4 (upgrades in progress)

We utilize kerberos tickets for ssh instead of keys. All hosts are joined to the domain for authentication leveraging sssd. With selinux enabled foreman is unable to connect to our libvirt instances. Shifting selinux to permissive allows it to connect. I haven't had a chance to dig into what a possible rule to address this would look like for this yet.

#1

Updated by Ben Magistro almost 2 years ago

I need to do some more reading on this but using a combination of what was being added to the log with enforce on + off while testing the connection combined with audit2allow I came up with the following policy + enabling `foreman_rails_can_connect_all`. I am not sure yet what, if any, of these need to be added here or if this is going to be something we need to maintain as an artifact of how we handle ssh with kerberos tickets.

module local 1.0;

require {
    type foreman_rails_t;
    type system_cronjob_t;
    type sssd_public_t;
    type sssd_var_lib_t;
    class dir { read search };
    class file { getattr open read };
    class key { read setattr write };
}

#============= foreman_rails_t ==============

allow foreman_rails_t self:key { read setattr write };
allow foreman_rails_t sssd_public_t:dir read;
allow foreman_rails_t sssd_public_t:file { getattr open read };
allow foreman_rails_t sssd_var_lib_t:dir search;
allow foreman_rails_t system_cronjob_t:key { read setattr write };
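As an added example (not code from this bug report or from the Foreman project), the script below shows how allow rules like the ones posted in the comment are derived from AVC denials, in the way audit2allow does it: it parses audit.log lines, aggregates the denied permissions per (source type, target type, object class) and renders a .te module. The audit lines are constructed for the example (pids, inodes and the realm name are made up) and are chosen so that the output reproduces the five allow rules above; the type ordering in the require block differs from audit2allow's and nothing else on this page is assumed.

```python
"""Aggregate SELinux AVC denials into allow rules (audit2allow style).

Added example; not from the Foreman bug report or the Foreman project.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log entries. pids, inodes and
# the EXAMPLE.COM realm are made up; the contexts mirror the denials that
# a foreman_rails_t process would hit reading sssd's kdcinfo file and the
# kernel keyring that holds the Kerberos credential cache.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4242 comm="ruby" name="pubconf" dev="tmpfs" ino=101 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr open read } for  pid=4242 comm="ruby" path="/var/lib/sss/pubconf/kdcinfo.EXAMPLE.COM" dev="dm-0" ino=102 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { search } for  pid=4242 comm="ruby" name="sss" dev="dm-0" ino=103 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read setattr write } for  pid=4242 comm="ruby" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:foreman_rails_t:s0 tclass=key permissive=1
type=AVC msg=audit(1700000000.105:205): avc:  denied  { read } for  pid=4242 comm="ruby" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=key permissive=1
type=AVC msg=audit(1700000000.106:206): avc:  denied  { setattr write } for  pid=4242 comm="ruby" scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0 tclass=key permissive=0
type=SYSCALL msg=audit(1700000000.106:206): arch=c000003e syscall=250 success=yes exit=0
"""

# One AVC record: the denied permission set, both contexts, the object class
# and (on kernels that log it) whether the denial happened in permissive mode.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def _type_of(context):
    """Return the type component of user:role:type[:level] contexts."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one dict per AVC denial line; non-AVC records are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def aggregate(denials):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def _perm_list(perms):
    """Render a permission set the way .te files expect: `read` or `{ a b }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, module_name="local", version="1.0"):
    """Render a loadable policy module source (.te) from aggregated rules."""
    types, classes, entries = set(), defaultdict(set), []
    for (stype, ttype, tclass), perms in rules.items():
        types.update({stype, ttype})
        classes[tclass] |= perms            # require block needs the union
        target = "self" if ttype == stype else ttype
        entries.append((stype, target, tclass, perms))
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"    type {t};" for t in sorted(types)]
    lines += [f"    class {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for stype in sorted({e[0] for e in entries}):
        lines.append(f"#============= {stype} ==============")
        for _, target, tclass, perms in sorted(
                (e for e in entries if e[0] == stype), key=lambda e: e[:3]):
            lines.append(f"allow {stype} {target}:{tclass} {_perm_list(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    enforcing = sum(1 for d in denials if not d["permissive"])
    print(f"# {len(denials)} denials parsed, {enforcing} under enforcing mode")
    print(render_module(aggregate(denials)))
```

Two points the aggregation makes visible. First, the `permissive` field shows why the comment's "enforce on + off" approach was needed: under enforcing mode the first denied step aborts the operation and only that one denial is logged, so the full set of rules only appears in permissive mode. Second, the union is indiscriminate: the `system_cronjob_t:key` rule comes out of the same loop as the sssd ones, and giving the Rails domain read/write on another domain's keyrings is a broader grant than the file reads; whether each rule is really required is exactly the question left open in the comment, and it is worth answering per rule before the module is loaded with `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod` and `semodule -i local.pp`.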