Bug 1812110 - [RFE] SELinux boolean for exposing Artemis connection
Summary: [RFE] SELinux boolean for exposing Artemis connection
Status: CLOSED CURRENTRELEASE
Product: Candlepin
Classification: Community
Component: candlepin
Version: 3.1
Hardware: Unspecified
OS: Unspecified
Assignee: Nikos Moumoulidis
Reported: 2020-03-10 14:31 UTC by Jonathon Turel
Modified: 2020-04-16 12:54 UTC (History)

Fixed In Version: candlepin-3.1.10-1
Last Closed: 2020-04-16 12:54:04 UTC




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | candlepin candlepin pull 2678 | 0 | None | closed | 1812110: Expose artemis port with SELinux boolean; ENT-2190 | 2020-11-04 21:42:40 UTC

Description Jonathon Turel 2020-03-10 14:31:19 UTC
Description of problem:

From Katello we want to install a custom broker.xml to expose a STOMP listener at port 61613. This results in SELinux denials:


type=AVC msg=audit(1583850201.051:96): avc:  denied  { name_bind } for  pid=3668 comm=5468726561642D3020286163746976 src=61613 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Discussed with Kevin and Barnaby a solution to add a SELinux boolean that Katello can toggle to 'true' from the installer to allow this port binding. Otherwise it will be disabled by default for non-Katello installations.

Related reading for SELinux booleans:

https://github.com/SELinuxProject/refpolicy/blob/3039bde79c55dff7801a1b83e96df62b2c3e0b39/policy/modules/services/apache.te

https://github.com/SELinuxProject/refpolicy/blob/a6576234c87e56f10116fc8595d0832bad87c1a2/policy/modules/services/apache.if
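
An added example, not part of the original report or of Candlepin's code: Python that parses the AVC record quoted in the description, decodes its hex-encoded comm field, and derives the type-enforcement rule the denial corresponds to. The function names are illustrative assumptions.

```python
import re

# AVC record copied from the bug description above.
AVC_LINE = (
    "type=AVC msg=audit(1583850201.051:96): avc:  denied  { name_bind } for  "
    "pid=3668 comm=5468726561642D3020286163746976 src=61613 "
    "scontext=system_u:system_r:tomcat_t:s0 "
    "tcontext=system_u:object_r:unreserved_port_t:s0 "
    "tclass=tcp_socket permissive=0"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)

def decode_comm(value):
    """auditd quotes plain names and hex-encodes names with spaces or unsafe bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value  # neither quoted nor valid hex: keep as logged

def parse_avc(line):
    """Split one AVC record into the fields needed to reason about the denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC record")
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": decode_comm(fields.get("comm", "")),
        "port": int(fields["src"]) if "src" in fields else None,
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "enforcing": fields.get("permissive") == "0",
    }

def allow_rule(avc):
    """Type-enforcement rule matching the denial, in audit2allow style."""
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perms};"
```

The derived rule is keyed on the port's type, so it covers every port labelled unreserved_port_t, not only 61613.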

