Activity

From 05/14/2014 to 06/12/2014

06/12/2014

03:29 PM Bug #6192: Policy prevents from libvirt qemu+ssh connection
Warning for myself - I had semanage -DB enabled. Lukas Zapletal
01:47 PM Bug #6192 (Closed): Policy prevents from libvirt qemu+ssh connection
With SELinux turned on in Enforcing, one is not able to reach a qemu+ssh libvirt instance.... Lukas Zapletal
02:39 PM Bug #6162: "WebSock error: [object Event]"
Reproduced with:... Lukas Zapletal
02:01 PM Bug #6162 (Assigned): "WebSock error: [object Event]"
I was able to identify the ssh_exec issue and reported it under http://projects.theforeman.org/issues/6192
Now, tu...
Lukas Zapletal
11:47 AM Bug #6162: "WebSock error: [object Event]"
I already have the latest foreman-selinux installed and "setenforce 0" works and "setenforce 1" fails consistently wi... Jorick Astrego
11:30 AM Bug #6162: "WebSock error: [object Event]"
Hello,
thanks for testing. Can you install foreman-selinux from nightly repo (you can mix and match this package w...
Lukas Zapletal
08:24 AM Bug #6162: "WebSock error: [object Event]"
Sorry didn't have my first coffee yet, it worked because I switched off SELinux .... duh!
When I do setenforce 0, t...
Jorick Astrego
08:06 AM Bug #6162: "WebSock error: [object Event]"
I updated to 1.6 nightly to get around some other bugs and it works now. I'll revert back to 1.5 stable later in the ... Jorick Astrego
07:56 AM Bug #6162: "WebSock error: [object Event]"
Jorick, can you please tail -f the audit.log and then try to access the console. Paste me those lines which are added... Lukas Zapletal
07:54 AM Bug #6162: "WebSock error: [object Event]"
Hello,
I don't see any denials that have something to do with our VNC proxy. Can you do this for me:
ps aux...
Lukas Zapletal

06/11/2014

12:28 PM Bug #6162: "WebSock error: [object Event]"
Forgot to add that I'm running version "foreman-1.5.0-1.el6.noarch" Jorick Astrego
12:25 PM Bug #6162 (Closed): "WebSock error: [object Event]"
After hooking up a libvirt server to foreman I'm unable to access the
VNC console. I already checked everything fro...
Jorick Astrego

06/10/2014

09:54 PM Feature #5870: Write policy for foreman-tasks
As installer support's landing in 1.5.1 too. Dominic Cleal
10:08 AM Feature #5930 (Ready For Testing): Implement policy for Katello plugin
https://github.com/theforeman/foreman-selinux/pull/21
Note for myself: there are two downstream bugzillas for this...
Lukas Zapletal

06/09/2014

07:36 AM Bug #6115: Denials with nightly
#============= logrotate_t ==============
files_manage_urandom_seed(logrotate_t)
#============= passenger_t =====...
Lukas Zapletal
07:35 AM Bug #6115 (Rejected): Denials with nightly
Installed, then executed foreman-debug:... Lukas Zapletal

06/05/2014

01:58 PM Feature #4464: Implement SELinux policy for smart-proxy
OSP guys rely on this feature, boosting priority: https://bugzilla.redhat.com/show_bug.cgi?id=1105154 Lukas Zapletal
10:58 AM Feature #5930: Implement policy for Katello plugin
Combined two BZs into this ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1084013 Lukas Zapletal
10:26 AM Feature #5930: Implement policy for Katello plugin
Another set of denials:... Lukas Zapletal

06/02/2014

03:34 PM Bug #6014 (Closed): AVC denials from Puppet under Passenger on Foreman 1.6 on EL7
foreman-selinux-1.6.0-0.develop.201405301314git8ad6a63.el7.noarch
mod_passenger-4.0.18-9.5.el7.x86_64
puppet-3.6.0-...
Dominic Cleal
03:28 PM Bug #6013 (Closed): AVC denials from Passenger on Foreman 1.6 on EL7
foreman-selinux-1.6.0-0.develop.201405301314git8ad6a63.el7.noarch
redhat-release-server-7.0-0.5.el7.x86_64
selinux-...
Dominic Cleal

05/30/2014

01:13 PM Revision 8ad6a631: refs #5987 - remove unused packaging files
Dominic Cleal
10:47 AM Bug #5827 (Closed): katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
Applied in changeset commit:b13ec514c1616dcea4ba90f3c6794827d9957db5. Anonymous
10:47 AM Bug #5910 (Closed): Puppet or puppetmaster sometimes changes file contexts
Applied in changeset commit:a39d8de2e0ab1f042acb21e446773d7d8496d25e. Anonymous
10:47 AM Bug #5808 (Closed): AVC denied { read } for comm="ruby" name="migrate" dev=dm-0 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file
Applied in changeset commit:fcc3110b4a1d7eb70f17cd6d61bcbc329c0ebb70. Anonymous
10:47 AM Feature #5870 (Closed): Write policy for foreman-tasks
Applied in changeset commit:9554703f49b74891f36146bd430069d0e3c12bbe. Anonymous
09:42 AM Revision b13ec514: Fixes #5827 - Allowed port 9090 and new foreman_proxy_port_t introduced
Lukas Zapletal
09:37 AM Revision a39d8de2: Fixes #5910 - Puppetmaster allowed to set file contexts
Lukas Zapletal
09:37 AM Revision fcc3110b: Fixes #5808 - Allowed rails to read symlinks
Lukas Zapletal
09:37 AM Revision 9554703f: Fixes #5870 - Foreman-tasks selinux policy added
Lukas Zapletal

05/29/2014

01:02 PM Bug #5981: Passenger opens up udp port
And another run:
type=AVC msg=audit(1401367752.666:1209): avc: denied { name_bind } for pid=16698 comm="rub...
Lukas Zapletal
12:24 PM Bug #5981 (Closed): Passenger opens up udp port
Staypuft installer:... Lukas Zapletal
10:10 AM Revision daeb2439: refs #5793 - add pkg:generate_source rake task to create tar.bz2
Dominic Cleal

05/27/2014

10:27 AM Feature #5930: Implement policy for Katello plugin
I agree, if we find this annoying, I will work on splitting all the policies. But I hope for 5 lines for Katello, the... Lukas Zapletal
08:53 AM Feature #5930: Implement policy for Katello plugin
Ok, see what it involves, but my concern is if changes are needed regularly in a core Foreman project to support a pl... Dominic Cleal
08:52 AM Feature #5930: Implement policy for Katello plugin
Why? Katello is a plugin, like others. There is no big benefit in splitting those.
Also, I don't expect katello po...
Lukas Zapletal
08:24 AM Feature #5930: Implement policy for Katello plugin
This should be a layered policy (katello-selinux), not in foreman-selinux. Dominic Cleal

05/26/2014

02:39 PM Feature #5930 (Closed): Implement policy for Katello plugin
Some rules can be taken from katello-selinux package. Lukas Zapletal
01:42 PM Bug #5827 (Ready For Testing): katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
https://github.com/theforeman/foreman-selinux/pull/18 Lukas Zapletal
01:38 PM Bug #5827: katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
That sounds like a decent plan, but unfortunately port 9090 is already taken by websm service (no clue what this is).... Lukas Zapletal
11:26 AM Bug #5910 (Ready For Testing): Puppet or puppetmaster sometimes changes file contexts
Solved with the great help of Mirek Grepl, thanks.
https://github.com/theforeman/foreman-selinux/pull/18
Lukas Zapletal
09:34 AM Bug #5808 (Ready For Testing): AVC denied { read } for comm="ruby" name="migrate" dev=dm-0 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file
Rails reads all files in scripts/ subdirectory and since migrate is a symlink and symlinks were not allowed by our rule... Lukas Zapletal

05/23/2014

01:14 PM Bug #5910: Puppet or puppetmaster sometimes changes file contexts
... Lukas Zapletal
01:11 PM Bug #5910 (Closed): Puppet or puppetmaster sometimes changes file contexts
which is prevented by SELinux. This has something to do with selinux users and RHEL6. Discussion is here:... Lukas Zapletal
11:37 AM Bug #5827 (Assigned): katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
Lukas Zapletal
11:12 AM Feature #5870 (Ready For Testing): Write policy for foreman-tasks
https://github.com/theforeman/foreman-selinux/pull/18 (not yet merged)
Lukas Zapletal
08:46 AM Bug #5882 (Rejected): Allow foreman to reach dynflow
We need tasks policy really, testing that. Lukas Zapletal

05/22/2014

04:11 PM Bug #5882: Allow foreman to reach dynflow
... Lukas Zapletal
04:04 PM Bug #5882 (Ready For Testing): Allow foreman to reach dynflow
https://github.com/theforeman/foreman-selinux/pull/17 Lukas Zapletal
03:47 PM Bug #5882 (Rejected): Allow foreman to reach dynflow
Hotfix for https://bugzilla.redhat.com/show_bug.cgi?id=1098244 Lukas Zapletal
12:12 PM Refactor #5877: Introduce foreman_t domain
Also there is one block "passenger_run_puppetmaster" which we can refactor/get rid of only after we migrate foreman i... Lukas Zapletal
12:06 PM Refactor #5877 (Closed): Introduce foreman_t domain
Since Passenger 4.0 which allows us to change context of running apps is now both upstream and downstream, we should ... Lukas Zapletal
11:00 AM Feature #5870 (Closed): Write policy for foreman-tasks
Blocker for Staypuft. Working on it from the very morning.
https://bugzilla.redhat.com/show_bug.cgi?id=1098244
Lukas Zapletal

05/20/2014

03:22 PM Bug #5827: katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
The issue looks to be that katello-installer has moved the smart proxy port from 8443 to 9090, so the default policy ... Dominic Cleal
03:20 PM Bug #5827 (Closed): katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1078265
Description of problem:
katello-installer generat...
Dominic Cleal
08:29 AM Bug #5808 (Closed): AVC denied { read } for comm="ruby" name="migrate" dev=dm-0 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file
With a fresh install of Foreman develop on RHEL 6.5 using
https://github.com/sstephenson/bats.git
https://github....
Jan Pazdziora
 
