Bug 1100582

Summary: Default provisioning template has SELinux set to permissive
Product: Red Hat Satellite
Reporter: Dominic Cleal <dcleal>
Component: Provisioning
Assignee: Partha Aji <paji>
Status: CLOSED CURRENTRELEASE
QA Contact: Og Maciel <omaciel>
Severity: high
Priority: unspecified
Version: Nightly
CC: bbuckingham, bkearney, cwelton, jhutar, jmontleo, mmccune, omaciel
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/6246
Doc Type: Release Note
Doc Text: Users will need to enable SELinux in the templates to ensure the most secure installations.
Clone Of: 1100367
Last Closed: 2014-09-11 12:22:56 UTC
Type: Bug
Bug Depends On: 1100367

Description Dominic Cleal 2014-05-23 07:04:27 UTC
Cloned specifically for the Katello component.  The SELinux setting in the default Katello Kickstart file is set to permissive, but should be enforcing.

May be blocked on bug #1100367 which will update the services in Foreman's kickstart so iptables etc are enabled after provisioning.


+++ This bug was initially created as a clone of Bug #1100367 +++

Description of problem:
Default RHEL provisioning template produces a system with insecure settings (SELinux in permissive mode; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed).


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140521.0


How reproducible:
always


Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
     Kickstart default
     Kickstart RHEL default
     Katello Kickstart Default for RHEL


Actual results:
Not all issues are found in all templates, but what I consider most important:
 * system is not registered automatically
 * SELinux is in permissive mode
 * services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped
 * although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed


Expected results:
After installation, the system should be registered by default.
SELinux should be in enforcing mode.
At least the ip*tables services should be running with a sane configuration.
Just a minimal set of packages should be installed (yum-rhn-plugin and others could probably be removed).
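As an added example (not part of this bug report or of the Foreman/Katello code), a small audit of a rendered Kickstart template for the four problems the report lists: the `selinux` mode, security services placed in `services --disabled`, `yum-rhn-plugin` in `%packages`, and the absence of a `subscription-manager register` call in `%post`. The two sample templates are constructed to mirror the weak and the expected configuration, and the org/activation-key values are placeholders.

```python
import re

# Checks taken from the bug report: SELinux enforcing, security services not disabled, yum-rhn-plugin absent, host registered in %post.
REQUIRED_SERVICES = {"iptables", "ip6tables", "auditd", "restorecond"}
UNWANTED_PACKAGES = {"yum-rhn-plugin"}
_DISABLED = re.compile(r"--disabled[= ]([\w,.@-]+)")   # services --disabled=a,b / --disabled a,b

def audit_kickstart(text):
    """Return a list of findings for a Kickstart template (empty list = clean)."""
    findings, disabled, packages, registers = [], set(), set(), False
    section = "commands"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("%"):                     # %packages / %post / %end switch sections
            section = {"%end": "commands", "%packages": "packages", "%post": "post"}.get(line.split()[0], "other")
        elif section == "commands" and line.startswith("selinux") and "--enforcing" not in line.split():
            findings.append("selinux not enforcing: " + line)
        elif section == "commands" and line.startswith("services"):
            for names in _DISABLED.findall(line):
                disabled.update(names.split(","))
        elif section == "packages":
            packages.add(line.split()[0])            # "-pkg" entries are exclusions, not installs
        elif section == "post" and "subscription-manager register" in line:
            registers = True
    findings += ["security service disabled: " + s for s in sorted(REQUIRED_SERVICES & disabled)]
    findings += ["unwanted package installed: " + p for p in sorted(UNWANTED_PACKAGES & packages)]
    if not registers:
        findings.append("%post does not register the host with subscription-manager")
    return findings

# Constructed sample templates mirroring the report, not the real Foreman/Katello templates.
WEAK_KS = """\
selinux --permissive
services --disabled gpm,sendmail,cups,iptables,ip6tables,auditd,restorecond,yum-updatesd
%packages
yum-rhn-plugin
%end
"""
HARDENED_KS = """\
selinux --enforcing
services --disabled gpm,sendmail,cups --enabled iptables,ip6tables,auditd,restorecond
%packages
-yum-rhn-plugin
%end
%post
subscription-manager register --org="ORG_PLACEHOLDER" --activationkey="KEY_PLACEHOLDER"
%end
"""
```

Running `audit_kickstart(WEAK_KS)` yields seven findings (permissive SELinux, four disabled services, yum-rhn-plugin, no registration), while `audit_kickstart(HARDENED_KS)` returns an empty list.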

Comment 1 Dominic Cleal 2014-05-23 07:06:48 UTC
The fourth point about yum-rhn-plugin will have to be done in Katello if you wish to fix it; it won't be removed from Foreman's default kickstart as it's still in use.

Comment 3 Dominic Cleal 2014-05-23 08:17:18 UTC
http://projects.theforeman.org/issues/5899 can probably be linked.

Comment 5 Partha Aji 2014-06-16 22:16:51 UTC
Created redmine issue http://projects.theforeman.org/issues/6246 from this bug

Comment 6 Bryan Kearney 2014-06-19 22:03:07 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/6246 has been closed

Comment 8 Og Maciel 2014-08-15 18:13:33 UTC
VERIFIED that the template Satellite Kickstart Default uses `selinux --enforcing`, and all provisioned hosts also displayed that SELinux was enforcing.

Browser:
--------
* Firefox 31.0 Mac OS

Build:
------
* Satellite-6.0.4-RHEL-6-20140813.2

Packages:
---------
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-4.el7sat.noarch
* foreman-1.6.0.40-1.el7sat.noarch
* foreman-compute-1.6.0.40-1.el7sat.noarch
* foreman-gce-1.6.0.40-1.el7sat.noarch
* foreman-libvirt-1.6.0.40-1.el7sat.noarch
* foreman-ovirt-1.6.0.40-1.el7sat.noarch
* foreman-postgresql-1.6.0.40-1.el7sat.noarch
* foreman-proxy-1.6.0.27-1.el7sat.noarch
* foreman-selinux-1.6.0.6-1.el7sat.noarch
* foreman-vmware-1.6.0.40-1.el7sat.noarch
* katello-1.5.0-28.el7sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-installer-0.0.59-1.el7sat.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-3.el7sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el7sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el7sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el7sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el7sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el7sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
* pulp-server-2.4.0-0.30.beta.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-11.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-15.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-12.el7sat.noarch

Comment 9 Bryan Kearney 2014-09-11 12:22:56 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.