Foreman on RHEL6 and Fedoras fully supports SELinux and this is installed and enabled by default, therefore SELinux in Enforcing mode is recommended. Our policy can be downloaded https://github.com/theforeman/foreman-selinux
How to report errors¶
Please open ordinary issues and set component to "SELinux". Also give us information about how to reproduce denials and also paste relevant denials in the comment:
grep AVC /var/log/audit/audit.log
Also note that we usually need output of this command:
Providing information via foreman-debug command also helps us with investigating because it contains full audit.log (compressed).
Available SELinux booleans¶
These are booleans which allows you to tune Foreman policy. They can be enabled with
semanage boolean --on boolean_name
or disabled with
semanage boolean --off boolean_name
On by default. Whether Foreman is running under Phusion Passenger or not.
On by default. Whether Puppet Master is running under Phusion Passenger or not.
Off by default. Foreman can be allowed to access any other port than those defined bellow using this boolean setting.
Foreman is allowed to connect to the following ports:
- httpd_port_t (80, 81, 443, 488, 8008, 8009, 8443, 9000)
- websm_port_t (9090)
- foreman_proxy_port_t (empty by default)
- postgresql_port_t (5432)
- virt_port_t (16509, 16514)
- ssh_port_t (22)
- vnc_port_t (5900-5999)
Changing Foreman Proxy port¶
Foreman Proxy is usually configured on port 8443 or 9090, but when needed, any port can be defined:
semanage port -a -t foreman_proxy_port_t -p tcp 9876
Tips for debugging¶
If you identify part of code you want to test separatey, you can run a script in passenger_t policy easily
runcon -u system_u -r system_r -t unconfined_t -- runcon -t passenger_t -- your_script.rb
To reinitialize selinux use
setenforce 1 && setenforce 0