Bug 1770999
| Summary: | SELinux denials when connecting to cockpit using REX | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Adam Ruzicka <aruzicka> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.7.0 | CC: | cmarinea, egolov, lzap |
| Target Milestone: | 6.7.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | foreman-selinux-1.24.0-0.3.RC3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-14 13:26:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Adam Ruzicka
2019-11-11 16:40:59 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28252 has been resolved.
VERIFIED.
@Satellite 6.7.0 Snap4
foreman-selinux-1.24.0-0.3.RC3.el7sat.noarch
1) Enable REX cockpit feature
# satellite-installer --enable-foreman-plugin-remote-execution-cockpit
2) Check the foreman's cockpit port 19090/tcp
# semanage port -l | grep 19090
websm_port_t tcp 19090, 9090
3) Access host's cockpit using the button in host's details
Hosts > All Hosts > (chosen host) > [Web Console]
4) Check audit.log for denials with scontext cockpit_ws_t
REPRO:
type=AVC msg=audit(1575033395.422:18473): avc: denied { execute } for pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
vs.
FIX:
<empty>
>>> there are no SELinux denials however "Authentication failed for user root.com" message is displayed
Make sure you have discovery plugin 6.0.1, there was a last remaining bug fixed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:1454
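Step 4 of the verification above (checking audit.log for denials with scontext cockpit_ws_t) can be scripted. The following is an added example, not part of the bug report or of foreman-selinux; the function names are hypothetical, the first sample record is the one quoted in the report and the other two are constructed.

```python
import re

# AVC record layout: "avc: denied { perms } for key=value key="value" ..."
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = m.group("perms").split()
    rec["serial"] = int(m.group("serial"))
    # SELinux contexts are user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials_from(lines, source_type):
    """Enforced denials (permissive=0) whose subject type is source_type."""
    out = []
    for rec in filter(None, map(parse_avc, lines)):
        enforced = rec.get("permissive", "0") == "0"  # field absent on old kernels
        if rec["result"] == "denied" and rec["stype"] == source_type and enforced:
            out.append(rec)
    return out


SAMPLE = [
    # Record quoted in the bug report (REPRO case).
    'type=AVC msg=audit(1575033395.422:18473): avc: denied { execute } for pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    # Constructed records: a denial from another domain, and a non-AVC line.
    'type=AVC msg=audit(1575033400.100:18480): avc: denied { read } for pid=900 comm="httpd" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1575033395.422:18473): arch=c000003e syscall=59 success=no exit=-13',
]

if __name__ == "__main__":
    for r in denials_from(SAMPLE, "cockpit_ws_t"):
        print(r["serial"], r["comm"], r["perms"], r["tclass"], r["name"], "->", r["ttype"])
```

An empty result for cockpit_ws_t corresponds to the FIX case in the report.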