Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1770999 - SELinux denials when connecting to cockpit using REX
Summary: SELinux denials when connecting to cockpit using REX
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: 6.7.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-11-11 16:40 UTC by Adam Ruzicka
Modified: 2020-04-14 13:26 UTC (History)
3 users (show)

Fixed In Version: foreman-selinux-1.24.0-0.3.RC3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:26:24 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 28252 0 Normal Closed SELinux denials when connecting to cockpit using REX 2020-09-05 13:22:30 UTC
Red Hat Bugzilla 1698181 0 unspecified CLOSED [RFE] Allow users to log into Cockpit from the Satellite UI. 2023-09-07 19:54:06 UTC
Red Hat Product Errata RHSA-2020:1454 0 None None None 2020-04-14 13:26:33 UTC

Internal Links: 1698181

Description Adam Ruzicka 2019-11-11 16:40:59 UTC 
Description of problem:
Accessing remote host's cockpit through REX fails because of selinux.

Relevant part of audit.log:

type=PROCTITLE msg=audit(11/08/2019 15:39:58.491:137) : proctitle=/usr/libexec/cockpit-ws --no-tls --address 127.0.0.1 --port 19090 
type=SYSCALL msg=audit(11/08/2019 15:39:58.491:137) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55bbcb1cd5d0 a1=0x7ffd922d5640 a2=0x55bbcb1e1a30 a3=0x7ffd922d4d60 items=0 ppid=759 pid=8965 auid=unset uid=foreman gid=foreman euid=foreman suid=foreman fsuid=foreman egid=foreman sgid=foreman fsgid=foreman tty=(none) ses=unset comm=cockpit-ws exe=/usr/libexec/cockpit-ws subj=system_u:system_r:cockpit_ws_t:s0 key=(null) 
type=AVC msg=audit(11/08/2019 15:39:58.491:137) : avc:  denied  { execute } for  pid=8965 comm=cockpit-ws name=foreman-cockpit-session dev="vda1" ino=2231612 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file


How reproducible:
Always


Steps to Reproduce:
1. Have SELinux enabled
2. Watch audit.log
3. Try to access host's cockpit using the button in host's details

Actual results:
Denial mentioned above seen in the logs, cockpit not working.


Expected results:
No denials, cockpit working.
Comment 5 Bryan Kearney 2019-11-19 15:00:40 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28252 has been resolved.
Comment 6 Lukas Pramuk 2019-11-29 14:46:35 UTC 
VERIFIED.

@Satellite 6.7.0 Snap4
foreman-selinux-1.24.0-0.3.RC3.el7sat.noarch

1) Enable REX cockpit feature
# satellite-installer --enable-foreman-plugin-remote-execution-cockpit

2) Check the foreman's cockpit port 19090/tcp
# semanage port -l | grep 19090
websm_port_t                   tcp      19090, 9090

3) Access host's cockpit using the button in host's details

Hosts > All Hosts > (chosen host) > [Web Console] 

4) Check audit.log for denials with scontext cockpit_ws_t 

REPRO:
type=AVC msg=audit(1575033395.422:18473): avc:  denied  { execute } for  pid=21303 comm="cockpit-ws" name="foreman-cockpit-session" dev="dm-0" ino=68220250 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

vs.

FIX:
<empty>

>>> there are no SELinux denials however "Authentication failed for user root.com" message is displayed
Comment 9 Lukas Zapletal 2019-12-03 07:11:58 UTC 
Make sure you have discovery plugin 6.0.1, there was a last remaining bug fixed.
Comment 12 errata-xmlrpc 2020-04-14 13:26:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454
Note You need to log in before you can comment on or make changes to this bug.