692679 – web ui inaccessible with selinux enforcing

Bug 692679 - web ui inaccessible with selinux enforcing

Summary: web ui inaccessible with selinux enforcing

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	CloudForms Cloud Engine
Classification:	Retired
Component:	aeolus-conductor
Sub Component:
Version:	1.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Assignee:	Francesco Vollero
QA Contact:	Dave Johnson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-31 20:17 UTC by Dave Johnson
Modified:	2012-05-15 21:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-05-15 21:41:33 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2012:0583	0	normal	SHIPPED_LIVE	new packages: aeolus-conductor	2012-05-15 22:31:59 UTC

Description Dave Johnson 2011-03-31 20:17:43 UTC

Description of problem:

Pretty sure running selinux in permissive mode is meant to be a temporary workaround.  Pretty sure we do not want to release this way.  I ran across this on a reboot and after a discussion with Wes, this is the real issue.

snippet of errors in /var/log/audit/audit.log
================================================================
type=AVC msg=audit(1301601180.778:109017): avc:  denied  { name_connect } for  pid=1695 comm="httpd" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1301601180.778:109017): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7fe28ca35a48 a2=10 a3=7fff6996c47c items=0 ppid=1689 pid=1695 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Comment 1 Mike Orazi 2011-09-20 21:03:58 UTC

This may already be addressed for the conductor web ui, but let's verify.

Comment 2 Miroslav Grepl 2011-09-22 11:10:01 UTC

There is a boolean

httpd_can_network_connect

which should allow this. Could you test it using

setsebool httpd_can_network_connect on

Comment 3 Francesco Vollero 2011-09-22 13:18:40 UTC

This is an error generated from selinux policy for mod_proxy. So, before aeolus-configure was setting selinux as Miroslav said, now i don't know how is managed, but since we want to use Apache2 we need to set this boolean somehow.

Comment 4 wes hayutin 2011-09-28 16:40:05 UTC

making sure all the bugs are at the right version for future queries

Comment 6 Dave Johnson 2011-12-12 21:00:57 UTC

good 2 go with 

[root@qeblade29 ~]# rpm -qa | grep aeolus | sort
aeolus-all-0.7.0-4.el6.noarch
aeolus-conductor-0.7.0-4.el6.noarch
aeolus-conductor-daemons-0.7.0-4.el6.noarch
aeolus-conductor-doc-0.7.0-4.el6.noarch
aeolus-configure-2.4.0-3.el6.noarch
rubygem-aeolus-cli-0.2.0-3.el6.noarch
rubygem-aeolus-image-0.2.0-1.el6.noarch

Comment 9 errata-xmlrpc 2012-05-15 21:41:33 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html

Note You need to log in before you can comment on or make changes to this bug.