Bug #7729

Websockify not allowed to read certs

Added by Stephen Benjamin almost 4 years ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Category: Compute resources
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Katello uses certs in /etc/pki/katello for websockets, but access to these is denied by SELinux:

type=AVC msg=audit(1411858309.569:172): avc:  denied  { getattr } for  pid=24576 comm="websockify.py" path="/etc/pki/katello/private/katello-apache.key" dev=dm-0 ino=1838759 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1411858309.569:172): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffd3c6b3a0 a2=7fffd3c6b3a0 a3=18 items=0 ppid=24575 pid=24576 auid=0
type=AVC msg=audit(1411858309.570:173): avc: denied { read } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1411858309.570:173): avc: denied { open } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file

Associated revisions

Revision 01ba3e1e (diff)
Added by Stephen Benjamin almost 4 years ago

fixes #7729 - allow websockify to read certs

History

#1 Updated by Stephen Benjamin almost 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Stephen Benjamin
  • Target version set to 1.7.3
  • Pull request https://github.com/theforeman/foreman-selinux/pull/34 added
  • Pull request deleted ()

#2 Updated by Dominic Cleal almost 4 years ago

  • Category set to Compute resources
  • Legacy Backlogs Release (now unused) set to 22

#3 Updated by Anonymous almost 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
