Bug #37967
closed
Failed to access webconsole from Satellite GUI
Description
Description of problem:
Web console page printed no error and a "Try again" button
In the "foreman-ssl_access_ssl.log", we saw a 500 status code as shown below:
GET /webcon/cockpit+=example.client.com/login HTTP/2.0" 500 3252 "-"
Running the foreman-cockpit-session script manually as the foreman user gave an "Operation not permitted" error as shown below:
# su - foreman -s /bin/bash -c "FOREMAN_COCKPIT_SETTINGS=/etc/foreman/cockpit/foreman-cockpit-session.yml /usr/sbin/foreman-cockpit-session example.client.com"
-bash: /usr/sbin/foreman-cockpit-session: Operation not permitted
This is because Satellite 6.15 is running fapolicyd and the service is blocking the foreman user from running the script.
When running fapolicyd in debug mode, we can see that the following rule is needed but missing.
rule=21 dec=deny_audit perm=execute auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path=/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session ftype=text/x-ruby trust=0
rule=21 dec=deny_audit perm=open auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path=/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session ftype=text/x-ruby trust=0
How reproducible:
Easy
Is this issue a regression from an earlier version:
Possibly, since fapolicyd support was added in 6.15.
Steps to Reproduce:
1. Prepare a Satellite 6.15 with fapolicyd running and set up as documented in the installation guide. It should install the following rules rpms:
foreman-fapolicyd-1.0.1-2.el8sat.noarch
foreman-proxy-fapolicyd-1.0.1-2.el8sat.noarch
2. Have a client register to the Satellite and make sure ssh remote execution is set up and working.
3. Navigate to the client's host page and run "Web Console".
Actual behavior:
Error as described above.
Expected behavior:
No error
Business Impact / Additional info:
Issue is fixed after adding the following rule to "/etc/fapolicyd/rules.d/60-foreman.rules".
allow perm=any exe=/usr/libexec/cockpit-ws : dir=/usr/share/gems/gems/ ftype=text/x-ruby trust=0
and reload fapolicyd with the commands below:
fagenrules --check
fagenrules --load
systemctl restart fapolicyd
Updated by The Foreman Bot 25 days ago
- Status changed from New to Ready For Testing
- Assignee set to Hao Yu
- Pull request https://github.com/theforeman/foreman-fapolicyd/pull/11 added
Updated by Adam Ruzicka 22 days ago
- Status changed from Ready For Testing to Resolved
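The check implied by the report, that the proposed rule covers every denial seen in the fapolicyd debug output, as an added example that is not part of the original report or of the foreman-fapolicyd project. The matcher is a simplified assumption that handles only the perm, exe, dir, ftype and trust attributes used on this page, and the third log line is constructed.

```python
# Added example: parse fapolicyd debug lines and test a candidate rule against them.
SAMPLE_LOG = """\
rule=21 dec=deny_audit perm=execute auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path=/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session ftype=text/x-ruby trust=0
rule=21 dec=deny_audit perm=open auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path=/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session ftype=text/x-ruby trust=0
rule=11 dec=allow perm=open auid=-1 pid=xxxx exe=/usr/bin/bash : path=/usr/bin/bash ftype=application/x-executable trust=1
"""
RULE = "allow perm=any exe=/usr/libexec/cockpit-ws : dir=/usr/share/gems/gems/ ftype=text/x-ruby trust=0"

def kv(text):
    """Turn 'a=1 b=2' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def parse_event(line):
    """Split a line at ' : ' into subject-side and object-side fields."""
    subj, _, obj = line.partition(" : ")
    return kv(subj), kv(obj)

def parse_rule(rule):
    """Return (decision, subject fields, object fields) for a rule line."""
    decision, _, rest = rule.partition(" ")
    return (decision, *parse_event(rest))

def rule_matches(rule, subj, obj):
    """Simplified matcher (assumption): only perm, exe, dir, ftype, trust."""
    _, rs, ro = parse_rule(rule)
    if rs.get("perm", "open") not in ("any", subj.get("perm")):
        return False  # perm defaults to open when a rule omits it
    if "exe" in rs and rs["exe"] != subj.get("exe"):
        return False
    if "dir" in ro and not obj.get("path", "").startswith(ro["dir"]):
        return False
    return all(ro[k] == obj.get(k) for k in ("ftype", "trust") if k in ro)

def denied_events(log):
    """Keep only events whose decision starts with 'deny'."""
    events = [parse_event(l) for l in log.splitlines() if l.strip()]
    return [(s, o) for s, o in events if s.get("dec", "").startswith("deny")]

def uncovered(log, rule):
    """List (perm, path) of denied events the candidate rule would not match."""
    return [(s["perm"], o["path"]) for s, o in denied_events(log)
            if not rule_matches(rule, s, o)]

if __name__ == "__main__":
    print("denials not covered by rule:", uncovered(SAMPLE_LOG, RULE))
```

The same matcher makes the rule's scope visible: it matches any untrusted text/x-ruby file under /usr/share/gems/gems/ that cockpit-ws opens or executes, not only foreman-cockpit-session.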