Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1770999

Summary: SELinux denials when connecting to cockpit using REX
Product: Red Hat Satellite Reporter: Adam Ruzicka <aruzicka>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: high Docs Contact:
Priority: high    
Version: 6.7.0CC: cmarinea, egolov, lzap
Target Milestone: 6.7.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: foreman-selinux-1.24.0-0.3.RC3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 13:26:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Ruzicka 2019-11-11 16:40:59 UTC 
Description of problem:
Accessing remote host's cockpit through REX fails because of selinux.

Relevant part of audit.log:

type=PROCTITLE msg=audit(11/08/2019 15:39:58.491:137) : proctitle=/usr/libexec/cockpit-ws --no-tls --address 127.0.0.1 --port 19090 
type=SYSCALL msg=audit(11/08/2019 15:39:58.491:137) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bbcb1cd5d0 a1=0x7ffd922d5640 a2=0x55bbcb1e1a30 a3=0x7ffd922d4d60 items=0 ppid=759 pid=8965 auid=unset uid=foreman gid=foreman euid=foreman suid=foreman fsuid=foreman egid=foreman sgid=foreman fsgid=foreman tty=(none) ses=unset comm=cockpit-ws exe=/usr/libexec/cockpit-ws subj=system_u:system_r:cockpit_ws_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc:  denied  { execute } for  pid=8965 comm=cockpit-ws name=foreman-cockpit-session dev="vda1" ino=2231612 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


How reproducible:
Always


Steps to Reproduce:
1. Have SELinux enabled
2. Watch audit.log
3. Try to access host's cockpit using the button in host's details

Actual results:
Denial mentioned above seen in the logs, cockpit not working.


Expected results:
No denials, cockpit working.
Comment 5 Bryan Kearney 2019-11-19 15:00:40 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28252 has been resolved.
Comment 6 Lukas Pramuk 2019-11-29 14:46:35 UTC 
VERIFIED.

@Satellite 6.7.0 Snap4
foreman-selinux-1.24.0-0.3.RC3.el7sat.noarch

1) Enable REX cockpit feature
# satellite-installer --enable-foreman-plugin-remote-execution-cockpit

2) Check the foreman's cockpit port 19090/tcp
# semanage port -l | grep 19090
websm_port_t                   tcp      19090, 9090

3) Access host's cockpit using the button in host's details

Hosts > All Hosts > (chosen host) > [Web Console] 

4) Check audit.log for denials with scontext cockpit_ws_t 

REPRO:
type=AVC msg=audit(1575033395.422:18473): avc:  denied  { execute } for  pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

vs.

FIX:
<empty>

>>> there are no SELinux denials however "Authentication failed for user root.com" message is displayed
Comment 9 Lukas Zapletal 2019-12-03 07:11:58 UTC 
Make sure you have discovery plugin 6.0.1, there was a last remaining bug fixed.
Comment 12 errata-xmlrpc 2020-04-14 13:26:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454