Bug 1100582 - Default provisioning template has SELinux set to permissive
Summary: Default provisioning template has SELinux set to permissive
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning
Version: Nightly
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Partha Aji
QA Contact: Og Maciel
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On: 1100367
Blocks:
Reported: 2014-05-23 07:04 UTC by Dominic Cleal
Modified: 2016-04-22 15:53 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Users will need to enable SELinux in the templates to ensure the most secure installations.
Clone Of: 1100367
Environment:
Last Closed: 2014-09-11 12:22:56 UTC
Target Upstream Version:
Embargoed:

Links
System                 ID    Private  Priority  Status  Summary  Last Updated
Foreman Issue Tracker  6246  0        None      None    None     2016-04-22 15:53:42 UTC

Description Dominic Cleal 2014-05-23 07:04:27 UTC
Cloned specifically for the Katello component. The SELinux setting in the default Katello Kickstart file is set to permissive, but should be enforcing.

May be blocked on bug #1100367 which will update the services in Foreman's kickstart so iptables etc are enabled after provisioning.


+++ This bug was initially created as a clone of Bug #1100367 +++

Description of problem:
Default RHEL provisioning template produces a system with insecure settings (SELinux in permissive; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed).


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140521.0


How reproducible:
always


Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
     Kickstart default
     Kickstart RHEL default
     Katello Kickstart Default for RHEL


Actual results:
Not all issues are found in all templates, but what I consider most important:
 * system is not registered automatically
 * SELinux in permissive
 * services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped
 * although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed


Expected results:
After installation, the system should be registered by default.
SELinux should be in enforcing mode.
At least the ip*tables services should be running with a sane configuration.
Just a minimal set of packages should be installed (yum-rhn-plugin and others could probably be removed).
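An audit script that checks a kickstart template for the three weaknesses the description lists (SELinux not enforcing, security services disabled, yum-rhn-plugin in %packages). This is an added example, not part of the bug report or of Satellite/Foreman; the two sample templates are constructed to show the weak shape and the hardened shape the expected results describe.

```shell
#!/bin/sh
# Audit a kickstart template for the weak defaults described in this bug.
# Prints one line per finding; the return value is the number of findings (0 = clean).
audit_kickstart() {
    ks="$1"
    findings=0
    # An explicit "selinux --permissive" or "--disabled" weakens the install (RHEL defaults to enforcing).
    if grep -Eq '^[[:space:]]*selinux[[:space:]]+--(permissive|disabled)' "$ks"; then
        echo "FINDING: SELinux is not enforcing"
        findings=$((findings + 1))
    fi
    # Services the report expects to be running, checked against "services --disabled=a,b,c".
    for svc in iptables ip6tables auditd restorecond yum-updatesd; do
        if grep -E '^[[:space:]]*services[[:space:]]' "$ks" \
             | grep -Eq -e "--disabled=([^ ]*,)?${svc}(,|[[:space:]]|$)"; then
            echo "FINDING: service ${svc} is disabled"
            findings=$((findings + 1))
        fi
    done
    # yum-rhn-plugin listed in %packages (a "-yum-rhn-plugin" exclusion does not match).
    if sed -n '/^%packages/,/^%end/p' "$ks" | grep -Eq '^[[:space:]]*yum-rhn-plugin[[:space:]]*$'; then
        echo "FINDING: yum-rhn-plugin is installed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample templates (not the real Satellite templates): the weak shape the bug
# describes, and the hardened shape the expected results ask for.
WEAK_KS=$(mktemp); HARD_KS=$(mktemp)
trap 'rm -f "$WEAK_KS" "$HARD_KS"' EXIT
cat > "$WEAK_KS" <<'EOF'
selinux --permissive
services --disabled=iptables,ip6tables,auditd,restorecond,yum-updatesd --enabled=ntpd
%packages
@base
yum-rhn-plugin
%end
EOF
cat > "$HARD_KS" <<'EOF'
selinux --enforcing
services --enabled=iptables,ip6tables,auditd,restorecond,yum-updatesd,ntpd
%packages
@base
-yum-rhn-plugin
%end
EOF
audit_kickstart "$WEAK_KS" || echo "weak template: $? finding(s)"
audit_kickstart "$HARD_KS" && echo "hardened template: clean"
```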

Comment 1 Dominic Cleal 2014-05-23 07:06:48 UTC
The fourth point about yum-rhn-plugin will have to be done in Katello if you wish to fix it; it won't be removed from Foreman's default kickstart as it's still in use.

Comment 3 Dominic Cleal 2014-05-23 08:17:18 UTC
http://projects.theforeman.org/issues/5899 can probably be linked.

Comment 5 Partha Aji 2014-06-16 22:16:51 UTC
Created redmine issue http://projects.theforeman.org/issues/6246 from this bug

Comment 6 Bryan Kearney 2014-06-19 22:03:07 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/6246 has been closed

Comment 8 Og Maciel 2014-08-15 18:13:33 UTC
VERIFIED that the template Satellite Kickstart Default uses selinux --enforcing, and that all provisioned hosts also showed SELinux as enforcing.

Browser:
--------
* Firefox 31.0 Mac OS

Build:
------
* Satellite-6.0.4-RHEL-6-20140813.2

Packages:
---------
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-4.el7sat.noarch
* foreman-1.6.0.40-1.el7sat.noarch
* foreman-compute-1.6.0.40-1.el7sat.noarch
* foreman-gce-1.6.0.40-1.el7sat.noarch
* foreman-libvirt-1.6.0.40-1.el7sat.noarch
* foreman-ovirt-1.6.0.40-1.el7sat.noarch
* foreman-postgresql-1.6.0.40-1.el7sat.noarch
* foreman-proxy-1.6.0.27-1.el7sat.noarch
* foreman-selinux-1.6.0.6-1.el7sat.noarch
* foreman-vmware-1.6.0.40-1.el7sat.noarch
* katello-1.5.0-28.el7sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-installer-0.0.59-1.el7sat.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-3.el7sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el7sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el7sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el7sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el7sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el7sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
* pulp-server-2.4.0-0.30.beta.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-11.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-15.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-12.el7sat.noarch

Comment 9 Bryan Kearney 2014-09-11 12:22:56 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.
