Bug 1868005

Summary: Selinux blocks websockify, vnc console is blocked
Product: Red Hat Satellite
Reporter: Jan Jansky <jjansky>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Lukas Pramuk <lpramuk>
Severity: medium
Priority: unspecified
Version: 6.7.0
CC: ktordeur, lzap
Target Milestone: 6.9.0
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 1933164
Last Closed: 2021-04-21 13:17:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jan Jansky 2020-08-11 11:49:40 UTC
Description of problem:
On a default installation, when attempting to open a VNC console to any compute resource, SELinux blocks websockify.py from opening python2.7, which prevents the actual VNC console from opening.


Version-Release number of selected component (if applicable):
at least since Satellite 6.5, not tested on EOL versions.

foreman-selinux-1.24.1-1.el7sat.noarch

How reproducible: 
Always.

Steps to Reproduce:
1. Create compute resource
2. List hosts
3. Select host
4. Console

Actual results:
/var/log/audit:
type=AVC msg=audit(1597137980.568:2781): avc:  denied  { execute } for  pid=18884 comm="websockify.py" path="/usr/bin/python2.7" dev="dm-0" ino=402654774 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0


Expected results:
# ps -Af | grep websockify
foreman   6966     1  0 11:50 ?        00:00:00 /usr/bin/python /usr/share/foreman/extras/noVNC/websockify.py --daemon --idle-timeout=120 --timeout=120 5914 hypervisor.example.com:port --cert /etc/pki/katello/certs/katello-apache.crt --key /etc/pki/katello/private/katello-apache.key

I do not have Sat 6.8 available, so I did not test there.

Comment 6 Lukas Zapletal 2020-08-18 08:57:53 UTC
Oh, this does not mean it cannot execute Python; it actually means "python cannot list the /usr/bin folder (execute)". This will fix it:

require {
	type websockify_t;
}

#============= websockify_t ==============
corecmd_exec_ls(websockify_t)

Comment 7 Bryan Kearney 2020-08-31 16:05:39 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30657 has been resolved.

Comment 8 Brad Buckingham 2021-01-08 21:34:01 UTC
The fix for this bugzilla is currently in early Satellite 6.9 SNAP; therefore, aligning to release and moving state.

Comment 9 Lukas Pramuk 2021-03-16 23:59:18 UTC
VERIFIED.

@Satellite 6.9.0 Snap16
foreman-selinux-2.3.1-1.el7sat.noarch

by the reproducer described in comment#0

1) Select any provisioned host

2) Click [Console] button

>>> console window shown

3) Check for selinux denials

# grep websockify /var/log/audit/audit.log
<empty>

>>> no selinux denials
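
The two checks in this thread, reading what the AVC in comment#0 actually asks of the policy (comment 6) and confirming that the audit log holds no further websockify denials after the fix (comment 9), can be done programmatically. The block below is an added example and is not Foreman, Satellite or foreman-selinux code. It parses AVC records into source type, target type, object class and permissions, condenses denials into the raw allow rules audit2allow would print (the bug's real fix uses the corecmd_exec_ls interface instead of a raw rule), and returns whether a given command still has denials. The first sample line is the AVC from this bug; the SYSCALL record and the httpd AVC are constructed for the example.

```python
"""Parse SELinux AVC records and derive the policy facts a reviewer needs.

Added example, not Satellite/Foreman code. First sample line is the AVC from
this bug; the SYSCALL record and the httpd AVC are constructed sample data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# AVC part of an audit record: result, permission set, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key="quoted value" or key=unquoted_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log. Line 1 is the real AVC from comment#0 of this bug.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1597137980.568:2781): avc:  denied  { execute } for  pid=18884 comm="websockify.py" path="/usr/bin/python2.7" dev="dm-0" ino=402654774 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1597137980.568:2781): arch=c000003e syscall=59 success=no exit=-13 comm="websockify.py" exe="/usr/bin/python2.7" subj=system_u:system_r:websockify_t:s0 key=(null)
type=AVC msg=audit(1597138000.100:2790): avc:  denied  { name_connect } for  pid=2001 comm="httpd" dest=5914 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""


@dataclass
class AvcEvent:
    result: str    # "denied" or "granted"
    perms: tuple   # e.g. ("execute",)
    fields: dict   # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    def source_type(self) -> str:
        # Contexts are user:role:type:level; the type is the third component.
        return self.fields["scontext"].split(":")[2]

    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def tclass(self) -> str:
        return self.fields["tclass"]

    def enforced(self) -> bool:
        # permissive=0 means the access was really blocked, not only logged.
        return self.fields.get("permissive", "0") == "0"


def parse_avc(line: str):
    """Return an AvcEvent for an AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: q if q else u for k, q, u in KV_RE.findall(m.group("rest"))}
    return AvcEvent(m.group("result"), tuple(m.group("perms").split()), fields)


def parse_audit_log(text: str) -> list:
    """All AVC events in an audit.log excerpt, in file order."""
    return [ev for ev in map(parse_avc, text.splitlines()) if ev is not None]


def denials_for(events, comm: str) -> list:
    """Denied events for one command name; the programmatic form of
    `grep websockify /var/log/audit/audit.log`."""
    return [ev for ev in events if ev.result == "denied" and ev.fields.get("comm") == comm]


def required_rules(events) -> list:
    """Condense denials into raw allow rules, as audit2allow would print them.
    This is only a readout of what each denial asks for; the fix in this bug
    grants it through the corecmd_exec_ls interface rather than a raw rule."""
    wanted = defaultdict(set)
    for ev in events:
        if ev.result == "denied":
            wanted[(ev.source_type(), ev.target_type(), ev.tclass())].update(ev.perms)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in wanted.items()
    )


def verify_fixed(text: str, comm: str) -> bool:
    """True when the log excerpt holds no denial for `comm` (the state comment 9 verifies)."""
    return not denials_for(parse_audit_log(text), comm)


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for ev in events:
        print(ev.fields.get("comm"), ev.source_type(), ev.target_type(), ev.tclass(), ev.perms)
    print("\n".join(required_rules(events)))
    print("websockify fixed:", verify_fixed(SAMPLE_AUDIT_LOG, "websockify.py"))
```

Run it against a real excerpt with `parse_audit_log(open("/var/log/audit/audit.log").read())`; the output of `required_rules` is what to compare against the policy change before deciding whether a denial is a missing interface or a sign that the process is doing something it should not.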

Comment 12 errata-xmlrpc 2021-04-21 13:17:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313