Tracker #7249
closed
Policy with workarounds for Foreman w/ Katello
Added by Lukas Zapletal over 10 years ago.
Updated almost 10 years ago.
Description
There are several workarounds that need to be solved to get Foreman with Katello working on RHEL6 and RHEL7. I want to create a separate policy that will carry those.
Ideally I'd like to have it in the foreman-selinux git repo (as a separate module and package) but if we agree this is not the right place, I'd like to keep this tracking issue for future reference.
- Related to Bug #7198: Socket read and write on RHEL7 added
- Category set to Packaging
- Related to Bug #7193: Katello does not install due to qpidd policy bug added
This issue, #7178:
allow passenger_t self:process execmem;
has been merged upstream, but I am going to revert it, and until this is resolved in foreman-tasks I will keep this as a temporary solution. We need to make sure therubyracer/v8 does not attempt to compile any assets during the boot.
- Related to Bug #7178: Allow passenger_t to EXECMEM added
Just for the record, this one:
time->Wed Aug 27 17:15:02 2014
type=SYSCALL msg=audit(1409152502.399:684): arch=c000003e syscall=49 success=no exit=-13 a0=d a1=7fc09c321ab0 a2=10 a3=0 items=0 ppid=1673 pid=1724 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1409152502.399:684): avc: denied { name_bind } for pid=1724 comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
# https://bugzilla.redhat.com/show_bug.cgi?id=1134503
corenet_udp_bind_all_unreserved_ports(passenger_t)
It's reported to be harmless, so we can dontaudit it for Satellite 6.0 and, after the policy breakup, find out whether this is master or the foreman app.
WARNING: Need to use the macro!
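As an added example that is not part of this issue or the foreman-selinux project: a small Python parser that takes the AVC line quoted above (embedded here as constructed sample input), extracts the source type, target type, object class and denied permission, and shows the difference between the raw `allow` rule that audit2allow would print and the refpolicy interface macro the warning asks for. The lookup table mapping port types to `corenet_*_bind_*` interfaces is an assumption for this example and lists only the two interfaces relevant here, not the full refpolicy set.

```python
import re

# AVC denial copied from the comment above; constructed sample input for this example.
AVC_LINE = (
    'type=AVC msg=audit(1409152502.399:684): avc: denied { name_bind } for pid=1724 '
    'comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket'
)

# Pull the denied permissions, both security contexts and the object class out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

# Assumed lookup (example only): which refpolicy interface grants name_bind on a given
# port type and socket class. Both interfaces named here exist in refpolicy, but the
# table is not exhaustive.
CORENET_BIND_INTERFACES = {
    ('unreserved_port_t', 'udp_socket', 'name_bind'): 'corenet_udp_bind_all_unreserved_ports',
    ('unreserved_port_t', 'tcp_socket', 'name_bind'): 'corenet_tcp_bind_all_unreserved_ports',
}


def parse_avc(line):
    """Return a dict describing the denial, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A context is user:role:type:level; the type is the third field.
    return {
        'perms': d['perms'].split(),
        'source_type': d['scontext'].split(':')[2],
        'target_type': d['tcontext'].split(':')[2],
        'tclass': d['tclass'],
    }


def raw_allow_rule(avc):
    """The literal rule audit2allow would emit; useful for diagnosis, wrong for port types."""
    return 'allow %s %s:%s { %s };' % (
        avc['source_type'], avc['target_type'], avc['tclass'], ' '.join(avc['perms']))


def suggested_policy(avc):
    """Prefer the refpolicy interface macro whenever the table knows one for this denial."""
    for perm in avc['perms']:
        key = (avc['target_type'], avc['tclass'], perm)
        if key in CORENET_BIND_INTERFACES:
            return '%s(%s)' % (CORENET_BIND_INTERFACES[key], avc['source_type'])
    # Fall back to the raw rule only when no interface is known; a reviewer should
    # still check the refpolicy .if files before shipping it.
    return raw_allow_rule(avc)


def dontaudit_rule(avc):
    """Raw dontaudit form for a denial judged harmless (silences the log, grants nothing).

    Shown in raw form for illustration; check whether a corenet_dontaudit_* interface
    covers the case in your refpolicy version before using it in a module.
    """
    return 'dontaudit %s %s:%s { %s };' % (
        avc['source_type'], avc['target_type'], avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    avc = parse_avc(AVC_LINE)
    print('raw:       ', raw_allow_rule(avc))
    print('suggested: ', suggested_policy(avc))
    print('dontaudit: ', dontaudit_rule(avc))
```

For the line above this prints the raw rule `allow passenger_t unreserved_port_t:udp_socket { name_bind };` next to `corenet_udp_bind_all_unreserved_ports(passenger_t)`, which is the form that survives port-type changes in refpolicy and is what the comment's warning refers to.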
- Status changed from New to Closed