Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1214223

Summary: SELinux changes for Cockpit
Product: Red Hat Enterprise Linux 7 Reporter: Marius Vollmer <mvollmer>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: dperpeet, dwalsh, jaster, jscotka, lvrabec, mgrepl, mmalik, mvadkert, mvollmer, plautrba, pvrabec, ssekidde, stefw
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-28.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1233233 1268732 (view as bug list) Environment:
Last Closed: 2015-11-19 10:33:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1143927, 1233233, 1268732    

Description Marius Vollmer 2015-04-22 09:33:07 UTC 
The integration tests of Cockpit trigger these messages:

type=1400 audit(1429694589.393:6): avc:  denied  { create } for  pid=2580 comm="cockpit-session" name="HTTP_0" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=1400 audit(1429694589.394:7): avc:  denied  { write open } for  pid=2580 comm="cockpit-session" path="/var/tmp/HTTP_0" dev="vda" ino=230782 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

I think this fragment is needed, but I know nothing about SELinux:

# cockpit-session does these when authenticating via GSSAPI
allow cockpit_session_t tmp_t:file { create write open unlink };
Comment 3 Milos Malik 2015-04-22 11:00:24 UTC 
The comment#0 contains AVCs for create, write and open operations. Please attach the AVC for unlink operation too:

# ausearch -m avc -m user_avc -m selinux_err -i -ts today
Comment 4 Marius Vollmer 2015-04-24 14:19:07 UTC 
(In reply to Milos Malik from comment #3)
> The comment#0 contains AVCs for create, write and open operations. Please
> attach the AVC for unlink operation too:
> 
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today

I think 'unlink' doesn't happen in our tests, and I don't know how to trigger it.
(Also, we redirect the audit messages to the systemd journal.  Can ausearch work with that?)

The accesses are caused by libgssapi_krb5.  Maybe there are some existing rules for programs that use libgssapi_krb5.

Stef, do you know whether we need 'unlink'?
Comment 5 Stef Walter 2015-05-13 13:22:44 UTC 
> Stef, do you know whether we need 'unlink'?

I have no idea. It's deep in the bowels of GSSAPI. I would assume so.
Comment 8 Stef Walter 2015-09-03 09:08:16 UTC 
FYI the upstream test provides the guidance to check this bug: test/check-realms TestNegotiate.testKerberos

Current failure: 

AssertionError: 'HTTP/1.1 200 OK' not found in 'HTTP/1.1 401 Authentication required\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 104\r\n\r\nHTTP/1.1 401 Authentication failed\r\nWWW-Authenticate: Negotiate oXkwd6ADCgEConAEbmBsBgkqhkiG9xIBAgIDAH5dMFugAwIBBaEDAgEepBEYDzIwMTUwOTAzMDg1OTMwWqUFAgMB+/qmAwIBPKkNGwtDT0NLUElULkxBTqohMB+gAwIBAaEYMBYbBEhUVFAbDngwLmNvY2twaXQubGFu\r\nContent-Length: 100\r\n\r\n<html><head><title>401 Authentication failed</title></head><body>Authentication failed</body></html>'

You can see that RHEL-7 is red here: http://files.cockpit-project.org/hubbot/
Comment 9 Milos Malik 2015-09-23 10:17:39 UTC 
There are 2 cockpit policy modules:

# ls -l /etc/selinux/targeted/modules/active/modules/cockpit.pp 
-rw-r--r--. 1 root root 12264 Sep 23 11:57 /etc/selinux/targeted/modules/active/modules/cockpit.pp
# rpm -qf /etc/selinux/targeted/modules/active/modules/cockpit.pp 
selinux-policy-targeted-3.13.1-52.el7.noarch
# ls -l /usr/share/selinux/targeted/cockpit.pp 
-rw-r--r--. 1 root root 127304 Aug 17 18:33 /usr/share/selinux/targeted/cockpit.pp
# rpm -qf /usr/share/selinux/targeted/cockpit.pp 
cockpit-selinux-policy-0.71-1.el7.noarch
#

Now it depends on which of the packages is upgraded / installed as last.

The TC passes when cockpit module (version 1.0.0) from selinux-policy package is loaded.
The TC fails when cockpit module (version 1.9.0) from cockpit-selinux-policy package is loaded.
Comment 10 Milos Malik 2015-09-23 10:19:52 UTC 
Is it possible to merge those cockpit policy modules?
Comment 11 Stef Walter 2015-09-23 14:33:56 UTC 
Most of the changes have been merged. I think this is the last one. Once they have been merged, we do not need to build cockpit-selinux-policy on RHEL any longer.
Comment 12 Miroslav Grepl 2015-10-02 07:49:13 UTC 
What needs to be merged? I believe we are up-to-date.

In this phase we have two policies with the same name which is wrong and could cause troubles.
Comment 13 Milos Malik 2015-10-04 08:42:26 UTC 
@QE:
If cockpit-selinux-policy package is not installed at all then the TC passes.
If cockpit-selinux-policy package is installed, you have to remove it and reinstall selinux-policy-targeted package, which provides cockpit.pp, and the TC passes too.

@devel: I believe that all necessary rules / context were already merged.
Comment 14 Miroslav Grepl 2015-10-05 06:03:24 UTC 
(In reply to Milos Malik from comment #13)
> @QE:
> If cockpit-selinux-policy package is not installed at all then the TC passes.
> If cockpit-selinux-policy package is installed, you have to remove it and
> reinstall selinux-policy-targeted package, which provides cockpit.pp, and
> the TC passes too.

That's correct because we have two same modules.

> 
> @devel: I believe that all necessary rules / context were already merged.

Yes, I agree.
Comment 17 Miroslav Vadkerti 2015-10-05 14:46:07 UTC 
Moving back to correct state
Comment 19 errata-xmlrpc 2015-11-19 10:33:02 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html