Bug 1770999 - SELinux denials when connecting to cockpit using REX
Summary: SELinux denials when connecting to cockpit using REX
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: 6.7.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
Reported: 2019-11-11 16:40 UTC by Adam Ruzicka
Modified: 2020-04-14 13:26 UTC

Fixed In Version: foreman-selinux-1.24.0-0.3.RC3
Last Closed: 2020-04-14 13:26:24 UTC




Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 28252 Normal Closed SELinux denials when connecting to cockpit using REX 2020-09-05 13:22:30 UTC
Red Hat Bugzilla 1698181 unspecified CLOSED [RFE] Allow users to log into Cockpit from the Satellite UI. 2020-10-14 00:28:05 UTC
Red Hat Product Errata RHSA-2020:1454 None None None 2020-04-14 13:26:33 UTC

Internal Links: 1698181

Description Adam Ruzicka 2019-11-11 16:40:59 UTC
Description of problem:
Accessing the remote host's cockpit through REX fails because of SELinux.

Relevant part of audit.log:

type=PROCTITLE msg=audit(11/08/2019 15:39:58.491:137) : proctitle=/usr/libexec/cockpit-ws --no-tls --address 127.0.0.1 --port 19090 
type=SYSCALL msg=audit(11/08/2019 15:39:58.491:137) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bbcb1cd5d0 a1=0x7ffd922d5640 a2=0x55bbcb1e1a30 a3=0x7ffd922d4d60 items=0 ppid=759 pid=8965 auid=unset uid=foreman gid=foreman euid=foreman suid=foreman fsuid=foreman egid=foreman sgid=foreman fsgid=foreman tty=(none) ses=unset comm=cockpit-ws exe=/usr/libexec/cockpit-ws subj=system_u:system_r:cockpit_ws_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc:  denied  { execute } for  pid=8965 comm=cockpit-ws name=foreman-cockpit-session dev="vda1" ino=2231612 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


How reproducible:
Always


Steps to Reproduce:
1. Have SELinux enabled
2. Watch audit.log
3. Try to access host's cockpit using the button in host's details

Actual results:
Denial mentioned above seen in the logs, cockpit not working.


Expected results:
No denials, cockpit working.

Comment 5 Bryan Kearney 2019-11-19 15:00:40 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28252 has been resolved.

Comment 6 Lukas Pramuk 2019-11-29 14:46:35 UTC
VERIFIED.

@Satellite 6.7.0 Snap4
foreman-selinux-1.24.0-0.3.RC3.el7sat.noarch

1) Enable REX cockpit feature
# satellite-installer --enable-foreman-plugin-remote-execution-cockpit

2) Check the foreman's cockpit port 19090/tcp
# semanage port -l | grep 19090
websm_port_t                   tcp      19090, 9090

3) Access host's cockpit using the button in host's details

Hosts > All Hosts > (chosen host) > [Web Console] 

4) Check audit.log for denials with scontext cockpit_ws_t 

REPRO:
type=AVC msg=audit(1575033395.422:18473): avc:  denied  { execute } for  pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

vs.

FIX:
<empty>

>>> there are no SELinux denials; however, the message "Authentication failed for user root@host1.example.com" is displayed
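The check in step 4 above, as an added example that is not code from this bug report, from Foreman or from Satellite: a small Python parser that pulls AVC denials out of audit.log text and keeps only those whose source context type matches (here cockpit_ws_t), handling both the raw epoch-timestamp form and the interpreted (ausearch -i style) form quoted on this page. The function names and the third, httpd_t sample record are my own constructions.

```python
import re
from collections import namedtuple

# Constructed sample: the two cockpit_ws_t denials quoted in this bug (one in
# `ausearch -i` interpreted form, one raw) plus one unrelated, constructed
# httpd_t denial that a cockpit_ws_t filter must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc:  denied  { execute } for  pid=8965 comm=cockpit-ws name=foreman-cockpit-session dev="vda1" ino=2231612 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1575033395.422:18473): avc:  denied  { execute } for  pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1575033400.000:18480): avc:  denied  { read } for  pid=100 comm="other" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
"""

Denial = namedtuple("Denial", "perms comm name scontext tcontext tclass permissive")

def _field(record, key):
    """Return the value of key=value in an audit record; values may be bare or quoted."""
    m = re.search(rf'\b{key}=("?)([^"\s]+)\1', record)
    return m.group(2) if m else None

def selinux_type(context):
    """user:role:type:level -> type, e.g. system_u:system_r:cockpit_ws_t:s0 -> cockpit_ws_t."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Parse every 'type=AVC ... denied' record in audit.log text (e.g. /var/log/audit/audit.log)."""
    denials = []
    for line in text.splitlines():
        if not line.startswith("type=AVC") or " denied " not in line:
            continue
        m = re.search(r"\{\s*([^}]*?)\s*\}", line)  # the denied permission set
        perms = tuple(m.group(1).split()) if m else ()
        denials.append(Denial(perms, _field(line, "comm"), _field(line, "name"),
                              _field(line, "scontext"), _field(line, "tcontext"),
                              _field(line, "tclass"), _field(line, "permissive")))
    return denials

def denials_for_source_type(text, source_type):
    """Step 4 of the verification: keep only denials whose scontext type matches."""
    return [d for d in parse_avc_denials(text)
            if d.scontext and selinux_type(d.scontext) == source_type]

def describe(d):
    """One-line summary: which domain was refused which permission on what label."""
    return (f"{d.comm} ({selinux_type(d.scontext)}) denied {' '.join(d.perms)} on "
            f"{d.tclass} '{d.name}' labelled {selinux_type(d.tcontext)}")

if __name__ == "__main__":
    for d in denials_for_source_type(SAMPLE_AUDIT_LOG, "cockpit_ws_t"):
        print(describe(d))
```

An empty result for cockpit_ws_t against a fresh audit.log is the "FIX" outcome shown above; a non-empty one names the file label (usr_t here) that the cockpit_ws_t domain was refused, which is the detail needed to decide whether the fix is a policy rule or a file context.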

Comment 9 Lukas Zapletal 2019-12-03 07:11:58 UTC
Make sure you have discovery plugin 6.0.1; the last remaining bug was fixed there.

Comment 12 errata-xmlrpc 2020-04-14 13:26:24 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454