Bug #37967

closed

Failed to access webconsole from Satellite GUI

Added by Hao Yu 4 days ago. Updated about 17 hours ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Description of problem:

The web console page showed no error message and a "Try again" button.

In the "foreman-ssl_access_ssl.log", we saw a 500 status code as shown below:

GET /webcon/cockpit+=example.client.com/login HTTP/2.0" 500 3252 "-" 

 

Running the foreman-cockpit-session script manually as the foreman user gave an "Operation not permitted" error as shown below:

# su - foreman -s /bin/bash -c "FOREMAN_COCKPIT_SETTINGS=/etc/foreman/cockpit/foreman-cockpit-session.yml /usr/sbin/foreman-cockpit-session example.client.com"
-bash: /usr/sbin/foreman-cockpit-session: Operation not permitted

This is because Satellite 6.15 is running fapolicyd and the service is blocking the foreman user from running the script.

When running fapolicyd in debug mode, we can see that the following rule is needed but missing.

rule=21 dec=deny_audit perm=execute auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path=/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session ftype=text/x-ruby trust=0

rule=21 dec=deny_audit perm=open auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path=/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session ftype=text/x-ruby trust=0

How reproducible:

Easy

 

Is this issue a regression from an earlier version:

Possibly, since fapolicyd support was added in 6.15.

Steps to Reproduce:

1. Prepare a Satellite 6.15 with fapolicyd running and set up as documented in the installation guide. It should install the following rules RPMs:

foreman-fapolicyd-1.0.1-2.el8sat.noarch
foreman-proxy-fapolicyd-1.0.1-2.el8sat.noarch

2. Have a client register to the Satellite and make sure SSH remote execution is set up and working.

3. Navigate to the client's host page and run "Web Console".

 

Actual behavior:
Error as described above.

Expected behavior:
No error

 

Business Impact / Additional info:

The issue is fixed after adding the following rule to "/etc/fapolicyd/rules.d/60-foreman.rules":
allow perm=any exe=/usr/libexec/cockpit-ws : dir=/usr/share/gems/gems/ ftype=text/x-ruby trust=0
and reloading fapolicyd with the commands below:

fagenrules --check
fagenrules --load
systemctl restart fapolicyd 
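
An added example, not part of the report or of Foreman's code: a small Python parser for fapolicyd debug decision lines like the two quoted above. It groups denials by executable and target file and prints a path-scoped candidate rule for review; the function names are hypothetical and it assumes paths contain no spaces.

```python
import re

# The two deny_audit lines quoted in the report (pid=xxxx is the report's own
# placeholder), plus one constructed allow line to show that it is ignored.
GEM = "/usr/share/gems/gems/foreman_remote_execution-12.0.7/extra/cockpit/foreman-cockpit-session"
SAMPLE_LOG = [
    f"rule=21 dec=deny_audit perm=execute auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path={GEM} ftype=text/x-ruby trust=0",
    f"rule=21 dec=deny_audit perm=open auid=-1 pid=xxxx exe=/usr/libexec/cockpit-ws : path={GEM} ftype=text/x-ruby trust=0",
    "rule=11 dec=allow perm=open auid=-1 pid=xxxx exe=/usr/bin/ruby : path=/usr/bin/ruby ftype=application/x-executable trust=1",
]

KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens; assumes no spaces in values

def parse_decision(line):
    """Split a debug line into subject (left of ' : ') and object fields."""
    if " : " not in line:
        return None
    subject, obj = line.split(" : ", 1)
    s, o = dict(KV.findall(subject)), dict(KV.findall(obj))
    if "dec" not in s:
        return None
    return {"rule": s.get("rule"), "dec": s["dec"], "perm": s.get("perm"),
            "exe": s.get("exe"), "path": o.get("path"),
            "ftype": o.get("ftype"), "trust": o.get("trust")}

def summarize_denials(lines):
    """Map (exe, path, ftype, trust) -> set of denied permissions."""
    denials = {}
    for line in lines:
        d = parse_decision(line)
        if d is None or not d["dec"].startswith("deny"):
            continue
        key = (d["exe"], d["path"], d["ftype"], d["trust"])
        denials.setdefault(key, set()).add(d["perm"])
    return denials

def candidate_rule(key, perms):
    """Build the narrowest rule (exact path) covering the denied permissions."""
    exe, path, ftype, trust = key
    perm = next(iter(perms)) if len(perms) == 1 else "any"
    return f"allow perm={perm} exe={exe} : path={path} ftype={ftype} trust={trust}"

if __name__ == "__main__":
    for key, perms in summarize_denials(SAMPLE_LOG).items():
        print(sorted(perms), "->", candidate_rule(key, perms))
```

A path-scoped rule embeds the gem version (12.0.7 here), so it has to be updated when the gem is upgraded, while the "dir=" rule in the report lets cockpit-ws open and execute every untrusted Ruby file under /usr/share/gems/gems/.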
