Bug #7729
Websockify not allowed to read certs (closed)
Description
Katello uses certs in /etc/pki/katello for websockets, but access to these is denied by SELinux:
type=AVC msg=audit(1411858309.569:172): avc: denied { getattr } for pid=24576 comm="websockify.py" path="/etc/pki/katello/private/katello-apache.key" dev=dm-0 ino=1838759 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
type=SYSCALL msg=audit(1411858309.569:172): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffd3c6b3a0 a2=7fffd3c6b3a0 a3=18 items=0 ppid=24575 pid=24576 auid=0
type=AVC msg=audit(1411858309.570:173): avc: denied { read } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
type=AVC msg=audit(1411858309.570:173): avc: denied { open } for pid=24576 comm="websockify.py" name="katello-apache.crt" dev=dm-0 ino=1973954 scontext=unconfined_u:system_r:websockify_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=file
Updated by Stephen Benjamin over 10 years ago
- Status changed from New to Ready For Testing
- Assignee set to Stephen Benjamin
- Target version set to 1.7.3
- Pull request https://github.com/theforeman/foreman-selinux/pull/34 added
- Pull request deleted ()
Updated by Dominic Cleal over 10 years ago
- Category set to Compute resources
- Release set to 22
Updated by Anonymous over 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 01ba3e1e9d7b8fdd8d19514f616c04847f4f4d10.