Bug 1489762
Summary: | [RFE] Provide certification for satellite compliance with common security standards. | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Matthew York <myork> |
Component: | Security | Assignee: | satellite6-bugs <satellite6-bugs> |
Status: | CLOSED WONTFIX | QA Contact: | Mirek Długosz <mzalewsk> |
Severity: | low | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.2.11 | CC: | akapse, bkearney, bmidwood, byount, degts, janarula, knapp, ktordeur, lzap, mhaicman, mhulan, patalber, phess, pmoravec, satellite6-bugs, smane, sraut, tbrisker, trevor.zintel, vijsingh |
Target Milestone: | Unspecified | Keywords: | FutureFeature |
Target Release: | Unused | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-11-22 17:55:52 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Matthew York
2017-09-08 10:16:06 UTC
This is biting us at the moment. Does anyone know which particular STIG is actually causing this failure? We have the ability to apply for exceptions to particular STIGs, but need to know which one to disable or change in order to do so. So I don't see this as an all-or-nothing issue.

For this particular issue it appears to be an SELinux denial. Because one of the STIG requirements is `SELINUX=enforcing`, while `satellite-installer` is running it appears several files get created for `qpidd` which don't have the correct context.

```
# ausearch -m avc -c qpidd
type=PROCTITLE msg=audit(1535719817.865:2658): proctitle=2F7573722F7362696E2F7170696464002D2D636F6E666967002F6574632F717069642F71706964642E636F6E66
type=SYSCALL msg=audit(1535719817.865:2658): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3a4deba0 a1=7ffc3a4deb10 a2=7ffc3a4deb10 a3=2 items=0 ppid=1 pid=2821 auid=4294967295 uid=996 gid=994 euid=996 suid=996 fsuid=996 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="qpidd" exe="/usr/sbin/qpidd" subj=system_u:system_r:qpidd_t:s0 key=(null)
type=AVC msg=audit(1535719817.865:2658): avc: denied { getattr } for pid=2821 comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/__db.001" dev="dm-5" ino=16954472 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
```

Notice `/var/lib/qpidd/.qpidd/qls/dat2/__db.001` has `unlabeled_t`. A simple `restorecon` fixes it:

```
# restorecon -R /var/lib/qpidd
```

Red Hat Satellite version 6.4

```
# foreman_scap_client 1
File /var/lib/openscap/content/5dfe17df3f6578650ef24813ec433c96e68513235768ee9055466bd97a84bcec.xml is missing.
Downloading it from proxy.
Download SCAP content xml from: https://satellite.example.com:9090/compliance/policies/1/content/5dfe17df3f6578650ef24813ec433c96e68513235768ee9055466bd97a84bcec
SCAP content is missing and download failed with error: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert unknown ca
```

Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact Red Hat Technical Support. Thank you.
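The SELinux comment above shows one AVC record and fixes it by hand; the script below is an added triage example, not part of the bug report, that parses `ausearch`-style AVC records for files whose target type is `unlabeled_t` and emits dry-run `restorecon` commands for the affected trees. The sample records are constructed from the one quoted above, and the relabel-root depth of three path components is a choice made for this example.

```shell
#!/bin/sh
# Constructed sample records, modelled on the ausearch output quoted in the bug.
# A real run would pipe `ausearch -m avc -c qpidd` into restorecon_plan instead.
SAMPLE_AVC='type=AVC msg=audit(1535719817.865:2658): avc: denied { getattr } for pid=2821 comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/__db.001" dev="dm-5" ino=16954472 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1535719818.001:2659): avc: denied { read } for pid=2821 comm="qpidd" path="/var/lib/qpidd/.qpidd/qls/dat2/log.0000000001" dev="dm-5" ino=16954473 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1535719819.120:2660): avc: denied { write } for pid=2821 comm="qpidd" path="/var/log/qpidd.log" dev="dm-5" ino=16954474 scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Print the unique paths from type=AVC records whose target context type is
# unlabeled_t. Reads audit records on stdin; records without a path= field
# (sockets, processes) are skipped because the sed pattern does not match.
avc_unlabeled_paths() {
    grep '^type=AVC ' \
    | grep 'tcontext=[^ ]*:unlabeled_t:' \
    | sed -n 's/.* path="\([^"]*\)".*/\1/p' \
    | LC_ALL=C sort -u
}

# Collapse the paths to the directories that would need a recursive relabel.
# Assumes absolute paths; keeps the first three components (/var/lib/qpidd),
# which is the depth chosen for this example, not a general rule.
relabel_roots() {
    avc_unlabeled_paths | awk -F/ '{ print "/" $2 "/" $3 "/" $4 }' | LC_ALL=C sort -u
}

# Emit dry-run restorecon commands: -n makes no changes, -v lists what would
# change, -R recurses. An operator reviews this before relabeling for real.
restorecon_plan() {
    relabel_roots | while read -r root; do
        printf 'restorecon -nRv %s\n' "$root"
    done
}

# Stand-alone usage over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | restorecon_plan
```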