Bug 1256711 - Enabling SELinux: missing reference to "Enabling SELinux" section in Security guide
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Docs Install Guide
6.1.0
All Linux
medium Severity medium
: 6.1.2
: --
Assigned To: David O'Brien
Stephen Wadeley
: SELinux
Depends On:
Blocks:
Reported: 2015-08-25 06:11 EDT by Pavel Moravec
Modified: 2015-10-13 10:41 EDT (History)

Doc Type: Bug Fix
Last Closed: 2015-10-13 10:41:17 EDT
Type: Bug
Description Pavel Moravec 2015-08-25 06:11:22 EDT
Document URL: 
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/Installation_Guide/sect-Red_Hat_Satellite-Installation_Guide-Prerequisites.html#sect-Red_Hat_Satellite-Installation_Guide-Prerequisites-SELinux_Policy


Section Number and Name: 
1.4.6. SELinux Policy on Satellite 6


Describe the issue: 
The "Important" paragraph ("If SELinux was disabled ...") provides just the steps relevant to applying changes to Sat6 processes/files/etc., while important steps from the Security manual are missing.


Suggestions for improvement: 
Provide a reference/link to [1] (RHEL6) and [2] (RHEL7). State that the two foreman-selinux-* commands should be executed when SELinux is in Permissive mode (roughly in the middle of the procedure in [1]/[2]).

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Changing_SELinux_Modes.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html#sect-Security-Enhanced_Linux-Enabling_and_Disabling_SELinux-Enabling_SELinux


Additional information:
Comment 2 David O'Brien 2015-09-06 22:17:34 EDT
Pavel or Lukas,

1.4.6. SELinux Policy on Satellite 6 includes the following statement:

"For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you need to add these port numbers to the httpd_port_t SELinux port type."

Should we extend that example to include how to disassociate the previous port from the port type? e.g., if you want to use 8018 and not 8080 then you might not want to allow access to 8080.

Can you provide a suitable example if you think this is necessary? My SELinux is a bit rusty :(

thanks
Comment 3 Pavel Moravec 2015-09-07 02:59:09 EDT
(In reply to David O'Brien from comment #2)
> Pavel or Lukas,
> 
> 1.4.6. SELinux Policy on Satellite 6 includes the following statement:
> 
> "For example, if you change the web UI ports (HTTP/HTTPS) to 8018/8019, you
> need to add these port numbers to the httpd_port_t SELinux port type."
> 
> Should we extend that example to include how to disassociate the previous
> port from the port type? e.g., if you want to use 8018 and not 8080 then you
> might not want to allow access to 8080.
> 
> Can you provide a suitable example if you think this is necessary? My
> SELinux is a bit rusty :(
> 
> thanks

It makes sense, but I don't know the command either (I could find it but still wouldn't be sure it's correct).

Yet another issue I see here: assume a user changes the SELinux context for the listening port. After upgrading foreman-selinux or another relevant *selinux* package, won't the original port 8080 be allowed again? If so, we should add a notice "disassociate access to the original port by running the command below *now* and also after every upgrade of package ???"

Lukas, could you please provide the SELinux command and confirm & complete my other point?
Comment 7 Lukas Zapletal 2015-09-11 07:07:39 EDT
Hey, sorry for the delay.

To disassociate a port number from an SELinux port type, use the -d option of the semanage tool.

> Yet another issue I see here: assume a user changes the SELinux context for
> the listening port. After upgrading foreman-selinux or another relevant
> *selinux* package, won't the original port 8080 be allowed again? If so, we
> should add a notice "disassociate access to the original port by running
> the command below *now* and also after every upgrade of package ???"

No. We only add default ports if they are not present.
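As an added example (not from this bug, the Satellite guide, or the foreman-selinux package), the POSIX shell script below shows the check a practitioner would want before running the semanage commands discussed in comments 2 and 7: `semanage port -a` fails when a port already belongs to some type (8080 is http_cache_port_t in the base policy, so `-m` is needed), and `semanage port -d` removes only local customisations (the records `semanage port -l -C` shows), never base-policy assignments. It parses constructed `semanage port -l` output; http_port_t is the name semanage lists for the web ports the guide calls httpd_port_t.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (not captured from a real host);
# on a Satellite host the real listing comes from that command.
POLICY_LISTING='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'
# Constructed sample of `semanage port -l -C` after a local `-a` of tcp/8018.
LOCAL_LISTING='http_port_t                    tcp      8018'

# port_type PORT LISTING: print the type that owns tcp/PORT in LISTING, or nothing.
# Handles both single ports ("8080,") and ranges ("10001-10010").
port_type() {
    printf '%s\n' "$2" | awk -v want="$1" '$2 == "tcp" {
        for (i = 3; i <= NF; i++) {
            r = $i; sub(/,$/, "", r)
            if (split(r, b, "-") == 2) {
                if (want+0 >= b[1]+0 && want+0 <= b[2]+0) { print $1; exit }
            } else if (r+0 == want+0) { print $1; exit }
        }
    }'
}

# plan_port_add TYPE PORT LISTING: -a only works for a port no type owns yet;
# a port the base policy already assigns elsewhere must be moved with -m.
plan_port_add() {
    cur=$(port_type "$2" "$3")
    if [ -z "$cur" ]; then
        echo "semanage port -a -t $1 -p tcp $2"
    elif [ "$cur" != "$1" ]; then
        echo "semanage port -m -t $1 -p tcp $2"
    else
        echo "# tcp/$2 is already $1; nothing to do"
    fi
}

# plan_port_del TYPE PORT LOCAL_LISTING: -d removes only local customisations,
# so check the -C listing first; base-policy assignments cannot be deleted.
plan_port_del() {
    if [ "$(port_type "$2" "$3")" = "$1" ]; then
        echo "semanage port -d -t $1 -p tcp $2"
    else
        echo "# tcp/$2 is not a local $1 customisation; semanage port -d would be refused"
    fi
}

plan_port_add http_port_t 8018 "$POLICY_LISTING"   # unowned port: -a
plan_port_add http_port_t 8080 "$POLICY_LISTING"   # owned by http_cache_port_t: -m
plan_port_del http_port_t 8018 "$LOCAL_LISTING"    # local customisation: -d works
plan_port_del http_port_t 80   "$LOCAL_LISTING"    # base policy only: -d refused
```

The script only prints the commands it would run; on a real host feed it the live `semanage port -l` and `semanage port -l -C` output and execute the printed lines as root.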
