Bug #7729

closed

Websockify not allowed to read certs

Added by Stephen Benjamin over 9 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: Compute resources
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Katello uses certs in /etc/pki/katello for websockets, but access to these is denied by SELinux:

type=AVC msg=audit(1411858309.569:172): avc:  denied  { getattr } for  pid=24576 comm="websockify.py" path="/etc/pki/katello/private/katello-apache.key" dev=dm-0 ino=1838759 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1411858309.569:172): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffd3c6b3a0 a2=7fffd3c6b3a0 a3=18 items=0 ppid=24575 pid=24576 auid=0
type=AVC msg=audit(1411858309.570:173): avc: denied { read } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1411858309.570:173): avc: denied { open } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
Actions #1

Updated by Stephen Benjamin over 9 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Stephen Benjamin
  • Target version set to 1.7.3
  • Pull request https://github.com/theforeman/foreman-selinux/pull/34 added
  • Pull request deleted ()
Actions #2

Updated by Dominic Cleal over 9 years ago

  • Category set to Compute resources
  • translation missing: en.field_release set to 22
Actions #3

Updated by Anonymous over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100