Description of problem:
On a default installation, when attempting to open a VNC console to any compute resource, SELinux will block websockify.py from opening python2.7, which will prevent the actual VNC console from opening.

Version-Release number of selected component (if applicable):
At least since Satellite 6.5, not tested on EOL versions.
foreman-selinux-1.24.1-1.el7sat.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Create compute resource
2. List hosts
3. Select host
4. Console

Actual results:
/var/log/audit:
type=AVC msg=audit(1597137980.568:2781): avc: denied { execute } for pid=18884 comm="websockify.py" path="/usr/bin/python2.7" dev="dm-0" ino=402654774 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

Expected results:
# ps -Af | grep websockify
foreman 6966 1 0 11:50 ? 00:00:00 /usr/bin/python /usr/share/foreman/extras/noVNC/websockify.py --daemon --idle-timeout=120 --timeout=120 5914 hypervisor.example.com:port --cert /etc/pki/katello/certs/katello-apache.crt --key /etc/pki/katello/private/katello-apache.key

I do not have Sat 6.8 available, so I did not test there.
Oh this does not mean it cannot execute python, it actually means "python cannot list /usr/bin folder (execute)". This will fix this:

require {
    type websockify_t;
}

#============= websockify_t ==============
corecmd_exec_ls(websockify_t)
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30657 has been resolved.
The fix for this bugzilla is currently in early Satellite 6.9 SNAP; therefore, aligning to release and moving state.
VERIFIED.

@Satellite 6.9.0 Snap16
foreman-selinux-2.3.1-1.el7sat.noarch

by the reproducer described in comment#0

1) Select any provisioned host
2) Click [Console] button
>>> console window shown

3) Check for selinux denials
# grep websockify /var/log/audit/audit.log
<empty>
>>> no selinux denials
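A stricter form of the denial check in step 3, as an added example that is not part of the original bug report or of foreman-selinux: it parses AVC records and returns the enforced denials for one source domain, grouped by target type and object class. The function names and the sample log are assumptions; the first sample record is the one quoted in comment#0, the others are constructed.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample. Record 1 is the denial from the report; record 2 is a
# made-up denial for another domain; record 3 is a non-AVC record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1597137980.568:2781): avc: denied { execute } for pid=18884 comm="websockify.py" path="/usr/bin/python2.7" dev="dm-0" ino=402654774 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1597137990.101:2790): avc: denied { read } for pid=2001 comm="httpd" name="example.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1597137980.568:2781): arch=c000003e syscall=59 success=no exit=-13 comm="websockify.py"
"""

# Captures the permission set inside { ... } and the key=value tail.
AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def denied_vectors(log_text, domain):
    """Map (source type, target type, class) -> denied permissions for domain."""
    vectors = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.match(line.strip())
        if not match:
            continue
        # shlex strips the quotes around comm="..." and path="..." values.
        fields = dict(
            tok.split("=", 1) for tok in shlex.split(match.group(2)) if "=" in tok
        )
        if fields.get("permissive") == "1":
            continue  # logged only, access was not actually blocked
        if selinux_type(fields["scontext"]) != domain:
            continue
        key = (domain, selinux_type(fields["tcontext"]), fields["tclass"])
        vectors[key].update(match.group(1).split())
    return dict(vectors)


def format_vectors(vectors):
    """Render each vector as 'source -> target:class { perms }' for triage."""
    return [
        f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }}"
        for (src, tgt, cls), perms in sorted(vectors.items())
    ]
```

Filtering on the source type rather than on the string "websockify" also catches denials where the process name in comm= differs.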
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1313