Bug 1089496

Summary: Cockpit example should not disable or put selinux into permissive mode.
Product: [Retired] Atomic
Reporter: Eric Rich <erich>
Component: kernel
Assignee: Colin Walters <walters>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: stefw
Hardware: Unspecified
OS: Unspecified
Fixed In Version: cockpit-0.8-1.el7
Doc Type: Bug Fix
Last Closed: 2015-06-18 17:59:47 UTC
Type: Bug

Description Eric Rich 2014-04-19 20:15:21 UTC
Description of problem:

http://www.projectatomic.io/download/ << Dan Walsh is Crying (http://stopdisablingselinux.com/)

One of the first things we show people how to do is Disable some of the Major Security Benefits that Atomic offers. 

Version-Release number of selected component (if applicable):  20140414.1.qcow2 image. 

How reproducible: Very

Steps to Reproduce:
Try the New UI for Your Server
Administer the services on your system with Cockpit

# setenforce 0            << SKIP THIS STEP
# systemctl enable cockpit.socket
# visit http://<ipaddress>:21064 in a browser
Cockpit is perfect for new sysadmins, allowing them to easily perform simple tasks such as storage administration, inspecting journals and starting and stopping services.

Actual results:

Visiting the site shows a blank page. 

/var/log/audit/audit.log reports the following:

type=USER_AVC msg=audit(1397938105.566:60): pid=432 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.9 spid=691 tpid=664 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Expected results:

Cockpit should start up without SELinux issues.

Comment 1 Stef Walter 2014-05-25 17:53:40 UTC
Cockpit works in SELinux mode now.

In addition, we're running our integration tests with SELinux enforcing. The idea is that we can catch SELinux issues during development.

Comment 2 Stef Walter 2015-06-18 17:59:47 UTC
This is done. Fixed.
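
An added example, not part of the original report and not Cockpit's own test code: a check a test run could apply to get the effect Comment 1 describes, failing when SELinux is not enforcing or when audit.log holds a denial like the one quoted in the description. The second log record, the example_t type and the function names are constructed for illustration.

```python
import re

# Sample input: the USER_AVC record quoted in this report, plus a constructed
# kernel AVC record (example_t is hypothetical) and an unrelated record.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1397938105.566:60): pid=432 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.9 spid=691 tpid=664 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1397938200.100:61): avc:  denied  { read write } for  pid=700 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1397938201.000:62): pid=1 uid=0 msg='unit=cockpit res=success'
"""

AVC_RE = re.compile(
    r"^type=(?P<type>USER_AVC|AVC) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r".*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Return one dict per AVC/USER_AVC denial found in audit.log text."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # An SELinux context is user:role:type:level; field 2 is the type.
        denials.append({
            "serial": int(m["serial"]),
            "record": m["type"],
            "perms": m["perms"].split(),
            "source": m["scontext"].split(":")[2],
            "target": m["tcontext"].split(":")[2],
            "tclass": m["tclass"],
        })
    return denials

def gate(mode, log_text):
    """Return the reasons a test run should fail; an empty list means pass.
    `mode` is the output of `getenforce`. Permissive mode is rejected because
    denials are then only logged and the tested service still appears to work."""
    problems = []
    if mode.strip() != "Enforcing":
        problems.append(f"SELinux mode is {mode.strip()}, expected Enforcing")
    for d in parse_denials(log_text):
        perms = " ".join(d["perms"])
        problems.append(f"{d['source']} -> {d['target']}:{d['tclass']} denied {{ {perms} }}")
    return problems

if __name__ == "__main__":
    for problem in gate("Permissive", SAMPLE_LOG):
        print("FAIL:", problem)
```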