There are a couple of changes that were not yet accepted upstream but we ship them for the 6.1 release. We need to backport them into the 6.2 rebase. I will prepare a PR in GitLab for that. Please make sure you change the SPEC to append the downstream changes:

cat downstream.te.in >> foreman.te
Triage info: This is *BLOCKER* as it will block testing of OpenStack integration.
I have double-checked the three blocks and I was unable to reproduce the 2nd one, and the 3rd one was already fixed in the pulp policy itself. Therefore the only one that's still missing (and hasn't been merged upstream yet) is the OpenStack policy. I am renaming this BZ and we will cherry-pick it once it's merged.
For the record, our policy already allows connections to Keystone 5000, but VMs can't be created as connections to Nova are still blocked.
Absolutely not, GA only for sure. The workaround when OpenStack SELinux issues appear is Permissive. Thanks.
*** Bug 1327650 has been marked as a duplicate of this bug. ***
Patch merged upstream.
With "enforcing" SELinux mode, create an OpenStack compute resource, create a VM there via Foreman, delete. No denials are issued.
Following are the SELinux denials I see when creating "new hosts".

type=AVC msg=audit(1466765790.517:55310): avc: denied { name_connect } for pid=27681 comm="diagnostic_con*" dest=9696 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1466765969.437:55316): avc: denied { name_connect } for pid=27681 comm="diagnostic_con*" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

When deleting the "hosts" we get the below denial again.

type=AVC msg=audit(1466766172.587:55358): avc: denied { name_connect } for pid=29261 comm="diagnostic_con*" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Tested with sat62-snap17.0
But the host provisioning was fine and we were able to successfully provision a new host on the OpenStack. Are these AVC denials an issue?
Kedar, these are indeed OpenStack ports. The 9696 one hasn't been covered by this patch, it's a new bug. Please file a new BZ only for the 9696 port error (OpenStack Neutron service SELinux denial). The other one should be fixed though. Is this RHEL6 or RHEL7? Please do:

rpm -q foreman-selinux
semanage boolean -l | grep passenger_can_connect_openstack
semanage port -l | grep 8774

Also run foreman-selinux-enable and re-test.
Comment 15 is related to Satellite 6.2 running on RHEL6. Below is the issue, seen even on Satellite 6.2 snap 18.1 running on RHEL 7.2.

type=AVC msg=audit(1467658557.497:1516): avc: denied { name_connect } for pid=9773 comm="diagnostic_con*" dest=9696 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket

---------------------------------------------------------------------------
[root@dhcp ~]# rpm -q foreman-selinux
foreman-selinux-1.11.0.1-1.el7sat.noarch
[root@dhcp ~]# semanage boolean -l | grep passenger_can_connect_openstack
passenger_can_connect_openstack (on , on) Allow passenger to can connect openstack
[root@dhcp ~]# semanage port -l | grep 8774
osapi_compute_port_t tcp 8774
----------------------------------------------------------------------------

Maybe we want to just make sure the foreman-selinux policy is loaded correctly, or are you suggesting to do this after the fix? Anyway, after running foreman-selinux-enable and re-testing:

type=AVC msg=audit(1467659098.220:1559): avc: denied { name_connect } for pid=11002 comm="diagnostic_con*" dest=9696 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket

Will raise a new bug shortly and link it here.
Ah! ok, I get it. That suggestion was for the port 8774 AVC denial. Will check that on the RHEL6 setup and update it here.
From the previous RHEL6 setup, below is the info:

[root@abc ~]# rpm -q foreman-selinux
foreman-selinux-1.11.0.1-1.el6sat.noarch
[root@abc ~]# semanage boolean -l | grep passenger_can_connect_openstack
passenger_can_connect_openstack (on , on) passenger_can_connect_openstack
[root@abc ~]# semanage port -l | grep 8774

1) Executed foreman-selinux-enable
2) Did a katello-service restart
3) Provisioned a "New Host".
4) See the below AVC denial again:

type=AVC msg=audit(1467663634.790:77212): avc: denied { name_connect } for pid=7928 comm="diagnostic_con*" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

TESTED with satellite-6.2.0-17.0.el6sat.noarch

I think I should move this to ASSIGNED state as this has FAILED_QA. I think let's have this same bug track the (dest=8774 port) issue. Also raised the bug for the 9696 neutron port: https://bugzilla.redhat.com/show_bug.cgi?id=1352707
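The denials quoted in the comments above all share one shape (passenger_t attempting name_connect to an OpenStack TCP port), and the thread's own triage distinguishes two causes: a target of generic port_t (the port has no label in the loaded policy, which is why "semanage port -l | grep 8774" printed nothing on the RHEL6 box) versus a specifically labelled port such as neutron_port_t (the label exists but the confined domain lacks an allow rule). The script below is an added example, not part of this bug report or of foreman-selinux, that applies that distinction to audit.log records. The AVC lines embedded in it are taken from this thread; the SYSCALL record is constructed to show that non-AVC lines are skipped. The check commands it prints (semanage port -l, sesearch from setools) are standard tools, but their use as follow-up checks is the example's own suggestion.

```python
import re
from collections import Counter

# Sample audit records: AVC lines as quoted in this bug, plus one
# constructed SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1466765790.517:55310): avc:  denied  { name_connect } for  pid=27681 comm="diagnostic_con*" dest=9696 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1466765969.437:55316): avc:  denied  { name_connect } for  pid=27681 comm="diagnostic_con*" dest=8774 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1466765969.437:55316): arch=c000003e syscall=42 success=no exit=-13 comm="diagnostic_con*"
type=AVC msg=audit(1467658557.497:1516): avc:  denied  { name_connect } for  pid=9773 comm="diagnostic_con*" dest=9696 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:neutron_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC record; whitespace is matched loosely because pasted
# logs (as in this thread) often have runs of spaces collapsed.
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for", values optionally double-quoted (comm="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port types that carry no service-specific label in the reference policy.
GENERIC_PORT_TYPES = {"port_t", "unreserved_port_t", "reserved_port_t",
                      "hi_reserved_port_t", "ephemeral_port_t"}


def context_type(ctx):
    """Return the TYPE field of a user:role:TYPE:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line into a dict; return None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        "dest": int(fields["dest"]) if "dest" in fields else None,
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
    }
    rec["source_type"] = context_type(rec["scontext"])
    rec["target_type"] = context_type(rec["tcontext"])
    return rec


def parse_audit_log(text):
    """Return all AVC records found in a block of audit.log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def classify(rec):
    """Triage a socket denial the way the thread does.

    unlabeled_port     - target is a generic port type: the policy loaded on
                         this host has no port definition for rec["dest"].
    missing_allow_rule - port is labelled but the source domain has no rule
                         (or no enabled boolean) permitting the access.
    """
    if rec["verdict"] != "denied" or rec["tclass"] not in ("tcp_socket", "udp_socket"):
        return "other"
    if rec["target_type"] in GENERIC_PORT_TYPES:
        return "unlabeled_port"
    return "missing_allow_rule"


def suggested_check(rec):
    """Command a defender would run next to confirm the classification."""
    kind = classify(rec)
    if kind == "unlabeled_port":
        return "semanage port -l | grep -w %d" % rec["dest"]
    if kind == "missing_allow_rule":
        return "sesearch -A -s %s -t %s -c %s -p %s" % (
            rec["source_type"], rec["target_type"], rec["tclass"], ",".join(rec["perms"]))
    return ""


def summarize(records):
    """Count distinct (source type, class, port, target type) denial tuples."""
    return Counter((r["source_type"], r["tclass"], r["dest"], r["target_type"])
                   for r in records if classify(r) != "other")


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for key, n in sorted(summarize(recs).items()):
        src, tclass, dest, tgt = key
        rec = next(r for r in recs if (r["source_type"], r["tclass"], r["dest"], r["target_type"]) == key)
        print(f"{n}x {src} -> {dest}/{tclass} ({tgt}): {classify(rec)}; check: {suggested_check(rec)}")
```

Run against a real audit.log with `parse_audit_log(open("/var/log/audit/audit.log").read())`; the summary collapses repeated denials per port so that each distinct (domain, port, label) pair is reviewed once, and the classification tells you whether the fix is a port label (semanage port / a port definition in the policy) or an allow rule or boolean.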
ACK, we need another fix; this affects only the RHEL6 platform. http://projects.theforeman.org/issues/15639
Build: Satellite 6.2 snap 20.1, RHEL 6.8

[root@sjagtap-sat6 ~]# getenforce
Enforcing

No denials for 8774 were captured in /var/log/audit/audit.log while creating and destroying instances.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501