Bug 1770999

Summary: SELinux denials when connecting to cockpit using REX
Product: Red Hat Satellite Reporter: Adam Ruzicka <aruzicka>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: high Docs Contact:
Priority: high    
Version: 6.7.0CC: cmarinea, egolov, lzap
Target Milestone: 6.7.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: foreman-selinux-1.24.0-0.3.RC3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 13:26:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Adam Ruzicka 2019-11-11 16:40:59 UTC
Description of problem:
Accessing remote host's cockpit through REX fails because of selinux.

Relevant part of audit.log:

type=PROCTITLE msg=audit(11/08/2019 15:39:58.491:137) : proctitle=/usr/libexec/cockpit-ws --no-tls --address --port 19090 
type=SYSCALL msg=audit(11/08/2019 15:39:58.491:137) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bbcb1cd5d0 a1=0x7ffd922d5640 a2=0x55bbcb1e1a30 a3=0x7ffd922d4d60 items=0 ppid=759 pid=8965 auid=unset uid=foreman gid=foreman euid=foreman suid=foreman fsuid=foreman egid=foreman sgid=foreman fsgid=foreman tty=(none) ses=unset comm=cockpit-ws exe=/usr/libexec/cockpit-ws subj=system_u:system_r:cockpit_ws_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc:  denied  { execute } for  pid=8965 comm=cockpit-ws name=foreman-cockpit-session dev="vda1" ino=2231612 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

How reproducible:

Steps to Reproduce:
1. Have SELinux enabled
2. Watch audit.log
3. Try to access host's cockpit using the button in host's details

Actual results:
Denial mentioned above seen in the logs, cockpit not working.

Expected results:
No denials, cockpit working.

Comment 5 Bryan Kearney 2019-11-19 15:00:40 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28252 has been resolved.

Comment 6 Lukas Pramuk 2019-11-29 14:46:35 UTC

@Satellite 6.7.0 Snap4

1) Enable REX cockpit feature
# satellite-installer --enable-foreman-plugin-remote-execution-cockpit

2) Check the foreman's cockpit port 19090/tcp
# semanage port -l | grep 19090
websm_port_t                   tcp      19090, 9090

3) Access host's cockpit using the button in host's details

Hosts > All Hosts > (chosen host) > [Web Console] 

4) Check audit.log for denials with scontext cockpit_ws_t 

type=AVC msg=audit(1575033395.422:18473): avc:  denied  { execute } for  pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0



>>> there are no SELinux denials however "Authentication failed for user root.com" message is displayed

Comment 9 Lukas Zapletal 2019-12-03 07:11:58 UTC
Make sure you have discovery plugin 6.0.1, there was a last remaining bug fixed.

Comment 12 errata-xmlrpc 2020-04-14 13:26:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.