Bug 1770999
| Summary: | SELinux denials when connecting to cockpit using REX | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Adam Ruzicka <aruzicka> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.7.0 | CC: | cmarinea, egolov, lzap |
| Target Milestone: | 6.7.0 | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | foreman-selinux-1.24.0-0.3.RC3 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-14 13:26:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28252 has been resolved.

VERIFIED.

@Satellite 6.7.0 Snap4
foreman-selinux-1.24.0-0.3.RC3.el7sat.noarch

1) Enable REX cockpit feature

    # satellite-installer --enable-foreman-plugin-remote-execution-cockpit

2) Check the foreman's cockpit port 19090/tcp

    # semanage port -l | grep 19090
    websm_port_t                   tcp      19090, 9090

3) Access host's cockpit using the button in host's details

    Hosts > All Hosts > (chosen host) > [Web Console]

4) Check audit.log for denials with scontext cockpit_ws_t

REPRO:

    type=AVC msg=audit(1575033395.422:18473): avc: denied { execute } for pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

vs.

FIX:

    <empty>

>>> there are no SELinux denials, however an "Authentication failed for user root.com" message is displayed
Make sure you have discovery plugin 6.0.1; there was a last remaining bug fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454
Description of problem:
Accessing remote host's cockpit through REX fails because of SELinux. Relevant part of audit.log:

    type=PROCTITLE msg=audit(11/08/2019 15:39:58.491:137) : proctitle=/usr/libexec/cockpit-ws --no-tls --address 127.0.0.1 --port 19090
    type=SYSCALL msg=audit(11/08/2019 15:39:58.491:137) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bbcb1cd5d0 a1=0x7ffd922d5640 a2=0x55bbcb1e1a30 a3=0x7ffd922d4d60 items=0 ppid=759 pid=8965 auid=unset uid=foreman gid=foreman euid=foreman suid=foreman fsuid=foreman egid=foreman sgid=foreman fsgid=foreman tty=(none) ses=unset comm=cockpit-ws exe=/usr/libexec/cockpit-ws subj=system_u:system_r:cockpit_ws_t:s0 key=(null)
    type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc: denied { execute } for pid=8965 comm=cockpit-ws name=foreman-cockpit-session dev="vda1" ino=2231612 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

How reproducible:
Always

Steps to Reproduce:
1. Have SELinux enabled
2. Watch audit.log
3. Try to access host's cockpit using the button in host's details

Actual results:
Denial mentioned above seen in the logs, cockpit not working.

Expected results:
No denials, cockpit working.
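Both the verification steps (step 4, "check audit.log for denials with scontext cockpit_ws_t") and the original description come down to the same check: does audit.log contain an AVC denial whose source domain is cockpit_ws_t, and what did it try to do to which target label? The following Python script is an added example, not code from this bug report, from Satellite or from the foreman-selinux package; it performs that check over both record formats quoted in the bug (raw `audit.log` and interpreted `ausearch -i` output). The sample lines are constructed from the records quoted above, plus one unrelated SYSCALL record and one denial from a different domain that the filter must ignore.

```python
"""Scan audit.log lines for SELinux AVC denials raised by a given source domain.

Added example (not Satellite/Foreman project code). Handles both the raw
audit.log record format and the `ausearch -i` interpreted format, since the bug
report quotes one of each.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the two AVC records quoted in the bug (interpreted
# and raw form), one SYSCALL record that is not an AVC, and one constructed
# denial from another domain (httpd_t) that a cockpit_ws_t filter must skip.
SAMPLE_LINES = [
    "type=SYSCALL msg=audit(11/08/2019 15:39:58.491:137) : arch=x86_64 syscall=execve "
    "success=no exit=EACCES(Permission denied) comm=cockpit-ws exe=/usr/libexec/cockpit-ws "
    "subj=system_u:system_r:cockpit_ws_t:s0 key=(null)",
    "type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc: denied { execute } for pid=8965 "
    "comm=cockpit-ws name=foreman-cockpit-session dev=\"vda1\" ino=2231612 "
    "scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file",
    "type=AVC msg=audit(1575033395.422:18473): avc: denied { execute } for pid=21303 "
    "comm=\"cockpit-ws\" name=\"foreman-cockpit-session\" dev=\"dm-0\" ino=68220250 "
    "scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 "
    "tclass=file permissive=0",
    # constructed: a denial from a different source domain
    "type=AVC msg=audit(1575033400.100:18480): avc: denied { read } for pid=100 "
    "comm=\"httpd\" name=\"secret\" dev=\"dm-0\" ino=1 "
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 "
    "tclass=file permissive=0",
]

# Matches "type=AVC msg=audit(<event>): avc: denied { perms } for <key=value ...>".
# "\)\s*:" accepts both "audit(...):" (raw) and "audit(...) :" (ausearch -i).
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<event>[^)]+)\)\s*:\s*avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (raw format) or bare (interpreted format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "event": m.group("event"),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive"),  # absent in ausearch -i output
    }


def selinux_type(context: Optional[str]) -> Optional[str]:
    """Extract the type field from user:role:type:level, e.g. cockpit_ws_t."""
    if not context:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def find_denials(lines: List[str], source_type: str = "cockpit_ws_t") -> List[Dict[str, object]]:
    """Return every AVC denial whose source domain type equals source_type."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if selinux_type(rec["scontext"]) != source_type:
            continue
        hits.append(rec)
    return hits


def summarize(rec: Dict[str, object]) -> str:
    """One-line summary: source -> target (class): perms, process, file, mode."""
    if rec["permissive"] == "0":
        mode = "enforcing"
    elif rec["permissive"] == "1":
        mode = "permissive"
    else:
        mode = "mode unknown"
    return (
        f'{selinux_type(rec["scontext"])} -> {selinux_type(rec["tcontext"])} '
        f'({rec["tclass"]}): {" ".join(rec["perms"])} denied for comm={rec["comm"]} '
        f'name={rec["name"]} [{mode}]'
    )


if __name__ == "__main__":
    for record in find_denials(SAMPLE_LINES):
        print(summarize(record))
```

Run against a real file with `find_denials(open("/var/log/audit/audit.log").read().splitlines())`; an empty result after installing the fixed foreman-selinux package is the "FIX: <empty>" outcome from the verification comment. The summary deliberately keeps the target type (`usr_t` in this bug) in view, because that is the detail a policy fix changes: the same denial reported against a different target label means the file labelling, not the cockpit_ws_t domain, is what moved.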