Bug 1541481 - [RFE] krb5 support for remote execution job invocations failing on selinux enabled machines.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.3.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: 6.7.0
Assignee: Lukas Zapletal
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-02-02 16:54 UTC by Bryan Kearney
Modified: 2022-03-13 14:40 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
If you have SELinux enabled, using Kerberos (KRB) keys instead of RSA keys can cause remote execution jobs to fail.
Clone Of: 1386266
Environment:
Last Closed: 2020-04-14 13:22:23 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 26951 0 High Closed foreman-tasks won't start if SELinux is enforcing 2021-01-07 02:21:23 UTC
Red Hat Issue Tracker SAT-5011 0 None None None 2021-09-09 13:11:37 UTC
Red Hat Product Errata RHSA-2020:1454 0 None None None 2020-04-14 13:22:43 UTC

Comment 1 Mike McCune 2018-03-09 17:01:54 UTC
Adam, is the MR requested here all that is needed for this bug? If so, it got merged some time ago and we can close this out.

Comment 2 Adam Ruzicka 2018-03-12 11:17:44 UTC
No, the requested MR was to "make the options for it show up in the installer". This BZ is now about "when I use the options, installer fails on SELinux enabled machines".

Comment 5 Lukas Zapletal 2019-10-29 11:46:21 UTC
Workaround A:

semanage permissive -a passenger_t

Workaround B:

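printf 'module passenger-execmem 1.0;\nrequire { type passenger_t; class process execmem; }\nallow passenger_t self:process execmem;\n' > passenger-execmem.te
checkmodule -M -m -o passenger-execmem.mod passenger-execmem.te
semodule_package -o passenger-execmem.pp -m passenger-execmem.mod
semodule -i passenger-execmem.pp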

A patch will add this into Satellite 6.7 policy (https://bugzilla.redhat.com/show_bug.cgi?id=1541481 / https://projects.theforeman.org/issues/26951).

Comment 6 Bryan Kearney 2019-10-29 12:03:48 UTC
Upstream bug assigned to lzap

Comment 7 Bryan Kearney 2019-10-29 12:03:50 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved.

Comment 8 Peter Ondrejka 2020-02-04 13:51:12 UTC
Verified on Satellite 6.7 snap 10: installation with --foreman-proxy-plugin-remote-execution-ssh-ssh-kerberos-auth on a machine in enforcing SELinux mode succeeds as expected.

Also notified docs (via the feedback button) that the first step in
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.6/html/managing_hosts/chap-managing_hosts-running_remote_jobs_on_hosts#setting_up_kerberos_authentication_for_remote_execution
is no longer needed. (autogenerated bz https://bugzilla.redhat.com/show_bug.cgi?id=1798056)

Comment 11 errata-xmlrpc 2020-04-14 13:22:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454

