Foreman » SELinux

09/30/2014

10:05 AM Bug #7388 (Closed): Policy module isn't reloaded when upgrading RPM

Dominic Cleal

06:54 AM Revision 2f345dec: refs #7388 - make foreman-selinux-enable upgrade-safe

Dominic Cleal

09/29/2014

01:20 PM Bug #7524: Adding libvirt compute resource ersults in error

Would you mind sharing the denial you get after you executed the above command and set Enforcing again?
I doubt co... Lukas Zapletal

10:26 AM Bug #7524: Adding libvirt compute resource ersults in error

Hey,
no this does not fix the issue ! Maybe the "user_home_dir_t" flag of the parent directory is missing ? Dirk Mayer

11:02 AM Bug #7729 (Closed): Websockify not allowed to read certs

Applied in changeset commit:01ba3e1e9d7b8fdd8d19514f616c04847f4f4d10. Anonymous

04:53 AM Bug #7729 (Ready For Testing): Websockify not allowed to read certs

Stephen Benjamin

04:49 AM Bug #7729 (Closed): Websockify not allowed to read certs

Katello uses certs in /etc/pki/katello for websockets, but access to these is denied by SELinux:
type=AVC msg=... Stephen Benjamin

10:24 AM Bug #7727 (Rejected): Ssh finish script does not work under Enforcing

Ok it really looks like this is issue when connecting to console. Need to dig later on. Lukas Zapletal

04:47 AM Bug #7727 (Rejected): Ssh finish script does not work under Enforcing

As reported here:... Lukas Zapletal

06:22 AM Bug #7719: Selinux prevents console from starting/connecting

Lukas Zapletal wrote:
> Thanks, Andreas. Now, can you describe what actually does not work? The issue is named "Seli... Andreas Pfaffeneder

06:11 AM Bug #7719: Selinux prevents console from starting/connecting

Added foreman-debug-outfile. Andreas Pfaffeneder

05:11 AM Bug #7719: Selinux prevents console from starting/connecting

Thanks, Andreas. Now, can you describe what actually does not work? The issue is named "Selinux prevents console from... Lukas Zapletal

05:00 AM Bug #7719: Selinux prevents console from starting/connecting

type=AVC msg=audit(1411981245.749:98): avc: denied { getattr } for pid=2169 comm="ruby" path="/usr/bin/ssh" dev=dm... Andreas Pfaffeneder

04:52 AM Bug #7719 (Ready For Testing): Selinux prevents console from starting/connecting

The Foreman Bot

04:51 AM Bug #7719: Selinux prevents console from starting/connecting

I created #7729 for the websockets Katello issue Stephen Benjamin

04:45 AM Bug #7719: Selinux prevents console from starting/connecting

Trusting the /etc/pki/katello/certs/katello-default-ca.crt in my browser (FF32.0.3/Windows 7) did not change the beha... Andreas Pfaffeneder

04:45 AM Bug #7719: Selinux prevents console from starting/connecting

Andreas, can you paste us the denials when you run in Enforcing and the console does not work? The output above does ... Lukas Zapletal

04:42 AM Bug #7719: Selinux prevents console from starting/connecting

This looks really like issue for the ssh finish script, because websockify runs in its own domain.
I think we need... Lukas Zapletal

04:41 AM Bug #7719: Selinux prevents console from starting/connecting

Have you trusted the Katello CA certificate in your browser? That should fix the encrypted web sockets.
If you're ... Stephen Benjamin

03:51 AM Bug #7719 (New): Selinux prevents console from starting/connecting

Dominic Cleal

04:59 AM Revision 01ba3e1e: fixes #7729 - allow websockify to read certs

Stephen Benjamin

09/28/2014

02:30 PM Bug #7719: Selinux prevents console from starting/connecting

I modified the /usr/share/doc/foreman-selinux-1.6.0/foreman.te and added the line in the pull at 283:
apache_searc... Andreas Pfaffeneder

09/27/2014

07:16 PM Bug #7719 (Ready For Testing): Selinux prevents console from starting/connecting

The Foreman Bot

06:56 PM Bug #7719: Selinux prevents console from starting/connecting

Is there any more in the audit log? That looks like passenger is using ssh there (maybe for a finish script?) I'm not... Stephen Benjamin

08:11 AM Bug #7719 (Closed): Selinux prevents console from starting/connecting

When setting selinux to enforcing, the console via websocket does not work any more.
Putting selinux into permissi... Andreas Pfaffeneder

09/26/2014

01:01 PM Bug #7346 (Closed): Foreman can't connect to OpenStack port 5000

Applied in changeset commit:24a501be208460fdfd3bc59d47a4fd2b631df622. Anonymous

12:50 PM Revision 24a501be: Fixes #7346 - Added OpenStack port 5000 via boolean

Lukas Zapletal

11:35 AM Bug #7388: Policy module isn't reloaded when upgrading RPM

https://github.com/theforeman/foreman-packaging/pull/355
https://github.com/theforeman/foreman-selinux/pull/33 Dominic Cleal

11:31 AM Bug #7388 (Ready For Testing): Policy module isn't reloaded when upgrading RPM

The Foreman Bot

08:18 AM Bug #7388 (Assigned): Policy module isn't reloaded when upgrading RPM

Dominic Cleal

08:20 AM Revision e86bf009: Refs #7178 - removed passenger_t execmem rule

This reverts commit d867377e56451fc43030a30958499d34e6f4e485. Lukas Zapletal

09/25/2014

12:06 PM Bug #7524: Adding libvirt compute resource ersults in error

Hey,
can you confirm this fixes the issue:
chcon -R system_u:object_r:ssh_home_t:s0 /usr/share/foreman/.ssh Lukas Zapletal

09/23/2014

08:54 AM Bug #7524 (New): Adding libvirt compute resource ersults in error

Dominic Cleal

08:49 AM Bug #7524: Adding libvirt compute resource ersults in error

I I found out that selinux is part of the issue. if i disable selinux with "setenforce 0" on he foreman server, it is... Dirk Mayer

09/18/2014

08:12 AM Bug #7524: Adding libvirt compute resource ersults in error

hello,
here is the requested output of the path variable:
Foreman instance:
[root@cosdpl1 ~]# echo $PATH
/usr/l... Dirk Mayer

07:56 AM Bug #7524: Adding libvirt compute resource ersults in error

Right I see it.
Check $PATH? Lukas Zapletal

07:55 AM Bug #7524 (Need more information): Adding libvirt compute resource ersults in error

Hello,
can you check if your Foreman instance has ssh client installed and Foreman user can execute it?
Also, t... Lukas Zapletal

07:27 AM Bug #7524: Adding libvirt compute resource ersults in error

Operating systems used:
Foreman: RHEL 7
KVM Hypervisor: RHEL 7 Dirk Mayer

07:24 AM Bug #7524 (Duplicate): Adding libvirt compute resource ersults in error

Adding a new compute libvirt resource results in an error if testing the connection to the hypervisor:
Warning!
E... Dirk Mayer

09/09/2014

12:13 PM Bug #7388 (Closed): Policy module isn't reloaded when upgrading RPM

The RPM postinstall scriptlet doesn't appear to reload the new module into the SELinux policy when the package is upg... Dominic Cleal

12:01 PM Bug #7198 (Closed): Socket read and write on RHEL7

Applied in changeset commit:0a4d60fa15ba718948f2cb823c826617b69d25fa. Anonymous

11:43 AM Revision 0a4d60fa: Fixes #7198 - allowed httpd_t to read/write to passenger socket

Lukas Zapletal

09/04/2014

03:22 AM Bug #7346 (Ready For Testing): Foreman can't connect to OpenStack port 5000

The Foreman Bot

03:12 AM Bug #7346 (Closed): Foreman can't connect to OpenStack port 5000

... Lukas Zapletal