Project

General

Profile

Actions

Tracker #7249

closed

Policy with workarounds for Foreman w/ Katello

Added by Lukas Zapletal over 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Category:
Packaging
Target version:
-
% Done:

0%

Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

There are several workarounds that needs to be solved to get Foreman with Katello working on RHEL6 and RHEL7. I want to create a separate policy that will carry those.

Ideally I'd like to have it in the foreman-selinux git repo (as a separate module and package) but if we agree this is not the right place, I'd like to keep this tracking issue for future reference.


Related issues 3 (0 open3 closed)

Related to SELinux - Bug #7198: Socket read and write on RHEL7ClosedLukas Zapletal08/21/2014Actions
Related to SELinux - Bug #7193: Katello does not install due to qpidd policy bugRejectedLukas Zapletal08/21/2014Actions
Related to SELinux - Bug #7178: Allow passenger_t to EXECMEMClosedLukas Zapletal08/20/2014Actions
Actions #1

Updated by Lukas Zapletal over 10 years ago

  • Related to Bug #7198: Socket read and write on RHEL7 added
Actions #2

Updated by Lukas Zapletal over 10 years ago

  • Category set to Packaging

This rule is needed for foreman-tasks (#7198):

allow passenger_t httpd_t:unix_stream_socket {read write};

https://github.com/theforeman/foreman-selinux/pull/30/files

Actions #3

Updated by Lukas Zapletal over 10 years ago

  • Related to Bug #7193: Katello does not install due to qpidd policy bug added
Actions #4

Updated by Lukas Zapletal over 10 years ago

This rule is required for RHEL 7.0 (without SELinux upcoming errata):

auth_read_passwd(qpidd_t)

https://github.com/theforeman/foreman-selinux/pull/29/files

Tracked as #7193

Actions #5

Updated by Lukas Zapletal over 10 years ago

This issue #7178

allow passenger_t self:process execmem;

has been merged upstream but I am going to revert it and until this is resolved in foreman-tasks I will put this as a temporary solution. We need to make sure therubyracer/v8 does not attempt to compile any assets during the boot.

Actions #6

Updated by Lukas Zapletal over 10 years ago

  • Related to Bug #7178: Allow passenger_t to EXECMEM added
Actions #7

Updated by Lukas Zapletal over 10 years ago

Leaked file descriptor of EPEL6 puppet:

userdom_dontaudit_manage_user_tmp_files(load_policy_t)

RHBZ https://bugzilla.redhat.com/show_bug.cgi?id=1131955

Actions #8

Updated by Lukas Zapletal over 10 years ago

Just for the record this one:

time->Wed Aug 27 17:15:02 2014
type=SYSCALL msg=audit(1409152502.399:684): arch=c000003e syscall=49 success=no exit=-13 a0=d a1=7fc09c321ab0 a2=10 a3=0 items=0 ppid=1673 pid=1724 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1409152502.399:684): avc:  denied  { name_bind } for  pid=1724 comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

# https://bugzilla.redhat.com/show_bug.cgi?id=1134503
corenet_udp_bind_all_unreserved_ports(passenger_t)

It's reported to be harmless, so we can dontaudit it for Satellite 6.0 and after policy breakup find out if this is master or foreman app.

WARNING: Need to use the macro!

Actions #9

Updated by Lukas Zapletal almost 10 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF