Description of problem:
Installation on RHEL7 in Enforcing fails with "Could not evaluate: Could not load data from https://<fqdn>"

Version-Release number of selected component (if applicable):
Satellite-6.0.4-RHEL-7-20140813.2

How reproducible:
always

Steps to Reproduce:
1. # katello-installer --foreman-admin-email 'root@localhost' --foreman-admin-username '<user>' --foreman-admin-password '<pass>' --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip29> --capsule-dns-forwarders <ip19> --capsule-dns-forwarders <ip160> --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <hash> --capsule-pulp false

Actual results:
Lots of AVCs and the configuration fails.

Expected results:
No failures

Additional info:
# rpm -qa | grep selinux
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch
candlepin-selinux-0.9.23-1.el7.noarch
foreman-selinux-1.6.0.6-1.el7sat.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7.noarch
pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
libselinux-utils-2.2.2-6.el7.x86_64

# cat /var/log/audit/audit.log | audit2allow

#============= passenger_t ==============
allow passenger_t fs_t:filesystem getattr;
allow passenger_t httpd_t:unix_stream_socket getattr;
allow passenger_t initrc_t:unix_stream_socket connectto;
allow passenger_t initrc_var_run_t:file { read getattr unlink open ioctl };
allow passenger_t postgresql_t:unix_stream_socket connectto;
allow passenger_t postgresql_var_run_t:dir search;
allow passenger_t postgresql_var_run_t:sock_file write;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t puppet_log_t:file write;
allow passenger_t puppet_var_lib_t:dir { relabelfrom relabelto create setattr };
allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
allow passenger_t self:capability2 block_suspend;
allow passenger_t self:process { execmem getsession };
allow passenger_t sysfs_t:dir read;
allow passenger_t sysfs_t:file { read getattr open };
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow passenger_t unreserved_port_t:tcp_socket name_connect;
allow passenger_t var_lib_t:file { read getattr open ioctl };
allow passenger_t var_lib_t:lnk_file read;
allow passenger_t var_log_t:file { write ioctl read open getattr append };
allow passenger_t var_run_t:file { read getattr open ioctl };
allow passenger_t var_run_t:sock_file write;
allow passenger_t websm_port_t:tcp_socket name_connect;

#============= qpidd_t ==============
allow qpidd_t passwd_file_t:file getattr;
Since this issue was entered in Red Hat Bugzilla, the release flag has been set to ? to ensure that it is properly evaluated for this release.
As advised by lzap:

# semodule -l | grep foreman
# foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute consoletype_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
# rpm -qa | grep selinux | grep -v -e libselinux -e selinux-policy
candlepin-selinux-0.9.23-1.el7.noarch
foreman-selinux-1.6.0.6-1.el7sat.noarch
pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
The compose is missing this patch in the foreman-selinux.spec file:
https://github.com/theforeman/foreman-packaging/pull/308

The policy was not loaded; all the AVCs above are not relevant. As a workaround, use this build:
http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
This package resolves the issue:

# rpm -Uvh http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
Retrieving http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:foreman-selinux-1.7.0-0.develop.2################################# [ 50%]
Cleaning up / removing...
   2:foreman-selinux-1.6.0.6-1.el7sat ################################# [100%]
# foreman-selinux-enable
# echo $?
0
# semodule -l | grep foreman
foreman	1.7.0.0
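As an added illustration of the triage point made in the two comments above (not code from this bug or from the Foreman project): a small Python helper that parses audit2allow output and `semodule -l` output and refuses to treat the denials as policy gaps while an expected module such as foreman is absent from the loaded policy. The sample rule lines, module names and versions embedded below are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

class AllowRule(NamedTuple):
    source: str             # source domain, e.g. passenger_t
    target: str             # target type, e.g. puppet_var_lib_t
    cls: str                # object class, e.g. file
    perms: Tuple[str, ...]
    boolean_hint: str       # boolean audit2allow suggested for this rule, "" if none

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")
HINT_RE = re.compile(r"^#!!!!.*boolean '([^']+)'")

def parse_audit2allow(text: str) -> List[AllowRule]:
    # A '#!!!!' hint line applies to the allow rule immediately after it.
    rules, hint = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HINT_RE.match(line):
            hint = m.group(1)
        elif m := RULE_RE.match(line):
            perms = tuple(m.group(4).strip("{} ").split())
            rules.append(AllowRule(m.group(1), m.group(2), m.group(3), perms, hint))
            hint = ""
    return rules

def loaded_modules(semodule_l: str) -> Dict[str, str]:
    # 'semodule -l' on RHEL 7 prints "name<TAB>version", one module per line.
    mods: Dict[str, str] = {}
    for parts in (raw.split() for raw in semodule_l.splitlines()):
        if parts:
            mods[parts[0]] = parts[1] if len(parts) > 1 else ""
    return mods

def triage(a2a_out: str, semodule_out: str, expected: List[str]) -> dict:
    # While an expected module is unloaded, denials are not policy gaps to allow.
    missing = [m for m in expected if m not in loaded_modules(semodule_out)]
    by_source: Dict[str, List[AllowRule]] = {}
    for r in parse_audit2allow(a2a_out):
        by_source.setdefault(r.source, []).append(r)
    return {"missing_modules": missing, "by_source": by_source, "actionable": not missing}

# Constructed sample in the shape of the audit2allow output in the report above.
SAMPLE_A2A = """\
allow passenger_t puppet_var_lib_t:dir { relabelfrom relabelto create setattr };
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow passenger_t unreserved_port_t:tcp_socket name_connect;
allow qpidd_t passwd_file_t:file getattr;
"""
SEMODULE_NO_FOREMAN = "abrt\t1.2.0\ncandlepin\t1.0.0\n"            # constructed
SEMODULE_WITH_FOREMAN = SEMODULE_NO_FOREMAN + "foreman\t1.7.0.0\n"  # constructed
```

Running `triage(SAMPLE_A2A, SEMODULE_NO_FOREMAN, ["foreman"])` reports foreman as missing and marks the denials as not actionable, which is the situation the preceding comments describe.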
Hello, this has been reported as. I will implement a temporary fix in our policy. https://bugzilla.redhat.com/show_bug.cgi?id=1130086
Jan, this bugzilla contains several denials. Can you specify what you see? Please paste the output of the following commands in this order:

rpm -q foreman-selinux selinux-policy
getenforce
ps auxZ | grep RackApp
semodule -l | grep foreman
foreman-selinux-enable
foreman-selinux-disable
foreman-selinux-enable
foreman-selinux-relabel -v
semanage boolean -l
semanage fcontext -l
sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
This was delivered with Satellite 6.0 which was released on 10 September 2014.