Tracker #7249
Policy with workarounds for Foreman w/ Katello
Status: closed
Description
There are several workarounds that need to be solved to get Foreman with Katello working on RHEL6 and RHEL7. I want to create a separate policy that will carry those.
Ideally I'd like to have it in the foreman-selinux git repo (as a separate module and package) but if we agree this is not the right place, I'd like to keep this tracking issue for future reference.
Updated by Lukas Zapletal over 10 years ago
- Related to Bug #7198: Socket read and write on RHEL7 added
Updated by Lukas Zapletal over 10 years ago
- Category set to Packaging
This rule is needed for foreman-tasks (#7198):
allow passenger_t httpd_t:unix_stream_socket {read write};
Updated by Lukas Zapletal over 10 years ago
- Related to Bug #7193: Katello does not install due to qpidd policy bug added
Updated by Lukas Zapletal over 10 years ago
This rule is required for RHEL 7.0 (without the upcoming SELinux errata):
auth_read_passwd(qpidd_t)
https://github.com/theforeman/foreman-selinux/pull/29/files
Tracked as #7193
Updated by Lukas Zapletal over 10 years ago
This issue #7178
allow passenger_t self:process execmem;
has been merged upstream, but I am going to revert it; until this is resolved in foreman-tasks, I will put this in as a temporary solution. We need to make sure therubyracer/v8 does not attempt to compile any assets during boot.
Updated by Lukas Zapletal over 10 years ago
- Related to Bug #7178: Allow passenger_t to EXECMEM added
Updated by Lukas Zapletal over 10 years ago
Leaked file descriptor of EPEL6 puppet:
userdom_dontaudit_manage_user_tmp_files(load_policy_t)
Updated by Lukas Zapletal over 10 years ago
Just for the record this one:
time->Wed Aug 27 17:15:02 2014
type=SYSCALL msg=audit(1409152502.399:684): arch=c000003e syscall=49 success=no exit=-13 a0=d a1=7fc09c321ab0 a2=10 a3=0 items=0 ppid=1673 pid=1724 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1409152502.399:684): avc: denied { name_bind } for pid=1724 comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

# https://bugzilla.redhat.com/show_bug.cgi?id=1134503
corenet_udp_bind_all_unreserved_ports(passenger_t)
It's reported to be harmless, so we can dontaudit it for Satellite 6.0 and, after the policy breakup, find out whether this is the master or the Foreman app.
WARNING: Need to use the macro!
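The thread above turns AVC denials into policy rules by hand and ends with the reminder to express them through reference-policy interface macros rather than raw allow rules. The following script, added here as an illustration and not code from foreman-selinux, parses AVC records into the raw audit2allow-style rule and substitutes the interface macro where one is known. It runs on the passenger_t name_bind denial quoted in this issue plus a constructed record standing in for the passenger_t to httpd_t unix_stream_socket rule from the #7198 comment; the INTERFACE_FOR table is a hypothetical lookup seeded only with the macro this tracker names.

```python
"""Parse SELinux AVC denials, derive the raw allow rule audit2allow would emit,
and prefer a reference-policy interface macro where the lookup table knows one.

Added example for tracker #7249; not code from foreman-selinux.
"""
import re

# First record: the passenger_t name_bind denial quoted in the issue.
# Second record: constructed sample (not from the page) matching the
# passenger_t -> httpd_t unix_stream_socket rule mentioned for #7198.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1409152502.399:684): avc: denied { name_bind } for pid=1724 '
    'comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket',
    # constructed sample
    'type=AVC msg=audit(1409152600.000:700): avc: denied { read write } for pid=1800 '
    'comm="ruby" path="/run/foreman.sock" scontext=system_u:system_r:passenger_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket',
]

# Hypothetical lookup table (assumption): (target type, class, perms) -> interface.
# Only the mapping this tracker states is filled in; extend it from refpolicy's
# corenetwork.if and friends for other denials.
INTERFACE_FOR = {
    ("unreserved_port_t", "udp_socket", frozenset({"name_bind"})):
        "corenet_udp_bind_all_unreserved_ports({source})",
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}

    def type_of(ctx):
        # security context is user:role:type:level; we want the type
        return ctx.split(":")[2]

    return {
        "perms": frozenset(m.group("perms").split()),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def raw_rule(d):
    """Render the audit2allow-style allow rule for a parsed denial."""
    perms = " ".join(sorted(d["perms"]))
    return f"allow {d['source']} {d['target']}:{d['tclass']} {{ {perms} }};"


def suggested_rule(d):
    """Prefer the interface macro when the table knows one; otherwise the raw rule."""
    macro = INTERFACE_FOR.get((d["target"], d["tclass"], d["perms"]))
    if macro:
        return macro.format(source=d["source"])
    return raw_rule(d)


def triage(records):
    """Map each AVC line to a (raw rule, suggested rule) pair; non-AVC lines are skipped."""
    out = []
    for r in records:
        d = parse_avc(r)
        if d:
            out.append((raw_rule(d), suggested_rule(d)))
    return out


if __name__ == "__main__":
    for raw, suggested in triage(SAMPLE_AVCS):
        print(f"raw:       {raw}")
        print(f"suggested: {suggested}\n")
```

Feed it lines from `ausearch -m avc` (or a copied audit.log) and compare the raw and suggested columns: wherever they differ, the policy should carry the interface call, which is what the warning at the end of this thread is about.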