Bug 1541481

Summary: [RFE] krb5 support for remote execution job invocations failing on selinux enabled machines.
Product: Red Hat Satellite
Component: Remote Execution
Version: 6.3.0
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Bryan Kearney <bkearney>
Assignee: Lukas Zapletal <lzap>
QA Contact: Peter Ondrejka <pondrejk>
CC: ahumbe, aperotti, aruzicka, bbuckingham, bkearney, dlobatog, ealcaniz, ehelms, fgarciad, inecas, jcallaha, lzap, mawerner, mmccune, molasaga, pcreech, pondrejk, riehecky, satellite6-bugs, sauchter, spetrosi, vanhoof, zhunting
Target Milestone: 6.7.0
Target Release: Unused
Keywords: FieldEngineering, FutureFeature, PrioBumpGSS, PrioBumpPM
Doc Type: Known Issue
Doc Text: If you have SELinux enabled, using Kerberos (KRB) keys instead of RSA keys can cause remote execution jobs to fail.
Clone Of: 1386266
Last Closed: 2020-04-14 13:22:23 UTC
Type: Bug

Comment 1 Mike McCune 2018-03-09 17:01:54 UTC
Adam, is the MR requested here all that is needed for this bug? If so, it got merged some time ago and we can close this out.

Comment 2 Adam Ruzicka 2018-03-12 11:17:44 UTC
No, the requested MR was to "make the options for it show up in the installer". This BZ is now about "when I use the options, installer fails on SELinux enabled machines".

Comment 5 Lukas Zapletal 2019-10-29 11:46:21 UTC
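Workaround A:

semanage permissive -a passenger_t

Workaround B:

# Write the module source, compile and package it, then load the package
printf 'module passenger-execmem 1.0;\nrequire { type passenger_t; class process execmem; }\nallow passenger_t self:process execmem;\n' > passenger-execmem.te
checkmodule -M -m -o passenger-execmem.mod passenger-execmem.te
semodule_package -o passenger-execmem.pp -m passenger-execmem.mod
semodule -i passenger-execmem.pp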

A patch will add this into Satellite 6.7 policy (https://bugzilla.redhat.com/show_bug.cgi?id=1541481 / https://projects.theforeman.org/issues/26951).
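
Added example (not part of the comment above or of Satellite's policy): a shell check that turns AVC denial records for one domain into allow rules, so you can confirm that `execmem` is the only denial for `passenger_t` before choosing the narrow module in Workaround B over making the whole domain permissive. The audit records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the bug report).
SAMPLE_AUDIT='type=AVC msg=audit(1572349581.101:901): avc:  denied  { execmem } for  pid=2345 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=AVC msg=audit(1572349581.205:902): avc:  denied  { read } for  pid=811 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1572349590.007:915): avc:  denied  { execmem } for  pid=2399 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0'

# denied_rules DOMAIN (hypothetical helper): read audit records on stdin and
# print one unique allow rule per AVC denial whose source type is DOMAIN.
denied_rules() {
    awk -v dom="$1" '
    /avc: +denied/ {
        perms = ""; n = 0; st = ""; tt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Collect every permission listed between the braces.
                for (j = i + 1; j <= NF && $j != "}"; j++) {
                    perms = perms (n ? " " : "") $j; n++
                }
            }
            # The SELinux type is the third colon-separated context field.
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        if (st != dom) next
        if (tt == st) tt = "self"
        rule = "allow " st " " tt ":" cls " " (n > 1 ? "{ " perms " }" : perms) ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# needs_only_execmem DOMAIN (hypothetical helper): succeed only when the
# single rule from Workaround B covers every denial recorded for DOMAIN.
needs_only_execmem() {
    [ "$(denied_rules "$1")" = "allow $1 self:process execmem;" ]
}

# Demo on the constructed sample; prints the one rule passenger_t needs.
printf '%s\n' "$SAMPLE_AUDIT" | denied_rules passenger_t
```

On a live system, pipe the output of `ausearch -m AVC -ts recent` into `denied_rules passenger_t` instead of the sample records.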

Comment 6 Bryan Kearney 2019-10-29 12:03:48 UTC
Upstream bug assigned to lzap

Comment 7 Bryan Kearney 2019-10-29 12:03:50 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved.

Comment 8 Peter Ondrejka 2020-02-04 13:51:12 UTC
Verified on Satellite 6.7 snap 10, installation with --foreman-proxy-plugin-remote-execution-ssh-ssh-kerberos-auth on machine in enforcing SELinux mode succeeds as expected.

Also notified docs (via the feedback button) that the first step in
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.6/html/managing_hosts/chap-managing_hosts-running_remote_jobs_on_hosts#setting_up_kerberos_authentication_for_remote_execution
is no longer needed. (autogenerated bz https://bugzilla.redhat.com/show_bug.cgi?id=1798056)

Comment 11 errata-xmlrpc 2020-04-14 13:22:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454