Cloned specifically for the Katello component. The SELinux setting in the default Katello Kickstart file is set to permissive, but should be enforcing. May be blocked on bug #1100367 which will update the services in Foreman's kickstart so iptables etc are enabled after provisioning.

+++ This bug was initially created as a clone of Bug #1100367 +++

Description of problem:
Default RHEL provisioning template produces system with insecure settings (selinux in permissive; services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped; although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed; )

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140521.0

How reproducible:
always

Steps to Reproduce:
1. Provision guest with these provisioning templates (or just inspect them):
   Kickstart default
   Kickstart RHEL default
   Katello Kickstart Default for RHEL

Actual results:
Not all issues are found in all templates, but what I consider most important:
* system is not registered automatically
* SELinux in permissive
* services like iptables, ip6tables, auditd, restorecond, yum-updatesd are stopped
* although the system is meant to be used via subscription-manager, yum-rhn-plugin is installed

Expected results:
After installation, system should be registered by default.
SELinux should be in enforcing
At least ip*tables services should be running with sane configuration
Just a minimal set of packages should be installed (yum-rhn-plugin and other might be probably removed)

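
The settings listed in this report can be checked mechanically in a rendered kickstart. The following is an added example, not part of the original report and not Foreman or Katello code. It assumes the template has already been rendered to plain kickstart text, inspects only the selinux and services commands and the %packages list (not %post scripts), and its function name and sample file are constructed for illustration.

```python
import shlex

# Services the bug report lists as stopped after provisioning.
WATCHED = {"iptables", "ip6tables", "auditd", "restorecond", "yum-updatesd"}

def audit_kickstart(text):
    """Return (line_number, finding) tuples for a rendered kickstart file."""
    findings, section = [], "commands"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            # %packages opens the package list, %end returns to commands,
            # anything else (%pre, %post) is shell script and is skipped.
            name = line.split()[0]
            section = {"%packages": "packages", "%end": "commands"}.get(name, "script")
            continue
        if section == "packages" and line == "yum-rhn-plugin":
            findings.append((lineno, "yum-rhn-plugin is installed"))
        if section != "commands":
            continue
        words = shlex.split(line)
        if words[0] == "selinux":
            for mode in ("--permissive", "--disabled"):
                if mode in words:
                    findings.append((lineno, "SELinux is " + mode[2:]))
        elif words[0] == "services":
            args = words[1:]
            for i, arg in enumerate(args):
                if arg.startswith("--disabled"):
                    # Accept both --disabled=a,b and --disabled a,b.
                    value = arg.partition("=")[2] or " ".join(args[i + 1:i + 2])
                    off = sorted(WATCHED & {s.strip() for s in value.split(",")})
                    if off:
                        findings.append((lineno, "disabled: " + ",".join(off)))
    return findings

# Constructed sample for illustration, not the Katello template itself.
SAMPLE = """\
# kickstart rendered for a test host
lang en_US.UTF-8
selinux --permissive
services --disabled=iptables,ip6tables,auditd --enabled=sshd
%packages
@core
yum-rhn-plugin
%end
"""

if __name__ == "__main__":
    for lineno, finding in audit_kickstart(SAMPLE):
        print(f"line {lineno}: {finding}")
```
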
The fourth point about yum-rhn-plugin will have to be done in Katello if you wish to fix it, it won't be removed from Foreman's default kickstart as it's still in use.
http://projects.theforeman.org/issues/5899 can probably be linked.
Created redmine issue http://projects.theforeman.org/issues/6246 from this bug
Moving to POST since upstream bug http://projects.theforeman.org/issues/6246 has been closed

VERIFIED that template Satellite Kickstart Default uses selinux --enforcing as well as all provisioned hosts also displayed that selinux was enforcing.

Browser:
--------
* Firefox 31.0 Mac OS

Build:
------
* Satellite-6.0.4-RHEL-6-20140813.2

Packages:
---------
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-4.el7sat.noarch
* foreman-1.6.0.40-1.el7sat.noarch
* foreman-compute-1.6.0.40-1.el7sat.noarch
* foreman-gce-1.6.0.40-1.el7sat.noarch
* foreman-libvirt-1.6.0.40-1.el7sat.noarch
* foreman-ovirt-1.6.0.40-1.el7sat.noarch
* foreman-postgresql-1.6.0.40-1.el7sat.noarch
* foreman-proxy-1.6.0.27-1.el7sat.noarch
* foreman-selinux-1.6.0.6-1.el7sat.noarch
* foreman-vmware-1.6.0.40-1.el7sat.noarch
* katello-1.5.0-28.el7sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-installer-0.0.59-1.el7sat.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-3.el7sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el7sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el7sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el7sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el7sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el7sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
* pulp-server-2.4.0-0.30.beta.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-11.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-15.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-12.el7sat.noarch

This was delivered with Satellite 6.0 which was released on 10 September 2014.