Bug 692679 - web ui inaccessible with selinux enforcing
Summary: web ui inaccessible with selinux enforcing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-conductor
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Assignee: Francesco Vollero
QA Contact: Dave Johnson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-03-31 20:17 UTC by Dave Johnson
Modified: 2012-05-15 21:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-15 21:41:33 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2012:0583 0 normal SHIPPED_LIVE new packages: aeolus-conductor 2012-05-15 22:31:59 UTC

Description Dave Johnson 2011-03-31 20:17:43 UTC
Description of problem:

Pretty sure running selinux in permissive mode is meant to be a temporary workaround.  Pretty sure we do not want to release this way.  I ran across this on a reboot and after a discussion with Wes, this is the real issue.

snippet of errors in /var/log/audit/audit.log
================================================================
type=AVC msg=audit(1301601180.778:109017): avc:  denied  { name_connect } for  pid=1695 comm="httpd" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1301601180.778:109017): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7fe28ca35a48 a2=10 a3=7fff6996c47c items=0 ppid=1689 pid=1695 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
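
Added example (not part of the original report or of the aeolus code): a small Python parser that pairs the AVC and SYSCALL records above by their shared audit event ID and extracts the fields needed to triage the denial. The function names and the one-entry syscall table are this example's own; the input is the two records quoted in the description.

```python
import errno
import re

# Sample input: the two audit records quoted in the description of this bug.
SAMPLE = '''type=AVC msg=audit(1301601180.778:109017): avc:  denied  { name_connect } for  pid=1695 comm="httpd" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1301601180.778:109017): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=7fe28ca35a48 a2=10 a3=7fff6996c47c items=0 ppid=1689 pid=1695 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{ ([^}]*) \}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALLS_X86_64 = {42: "connect"}  # arch=c000003e is x86_64; only this report's call is mapped


def parse_events(text):
    """Group audit records by their (timestamp, serial) event id."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events.setdefault((ts, serial), {})[rtype] = (body, fields)
    return events


def summarize_denials(text):
    """Return one dict per AVC denial, enriched from the matching SYSCALL record."""
    out = []
    for (ts, serial), recs in parse_events(text).items():
        if "AVC" not in recs:
            continue
        body, avc = recs["AVC"]
        perms = PERMS.search(body)
        sc = recs.get("SYSCALL", ("", {}))[1]
        code = int(sc.get("exit", "0"))
        out.append({
            "event": f"{ts}:{serial}",
            "perms": perms.group(1).split() if perms else [],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "dest_port": int(avc["dest"]) if "dest" in avc else None,
            "exe": sc.get("exe"),
            "syscall": SYSCALLS_X86_64.get(int(sc.get("syscall", -1))),
            "errno": errno.errorcode.get(-code) if code < 0 else None,
        })
    return out
```

On the sample, `summarize_denials(SAMPLE)` yields a single event: `httpd_t` denied `name_connect` on a `tcp_socket` labelled `ntop_port_t` (port 3000), with `connect` from `/usr/sbin/httpd` failing with `EACCES`.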

Comment 1 Mike Orazi 2011-09-20 21:03:58 UTC
This may already be addressed for the conductor web ui, but let's verify.

Comment 2 Miroslav Grepl 2011-09-22 11:10:01 UTC
There is a boolean

httpd_can_network_connect

which should allow this. Could you test it using

setsebool httpd_can_network_connect on

Comment 3 Francesco Vollero 2011-09-22 13:18:40 UTC
This is an error generated from selinux policy for mod_proxy. So, before aeolus-configure was setting selinux as Miroslav said, now I don't know how it is managed, but since we want to use Apache2 we need to set this boolean somehow.

Comment 4 wes hayutin 2011-09-28 16:40:05 UTC
Making sure all the bugs are at the right version for future queries.

Comment 6 Dave Johnson 2011-12-12 21:00:57 UTC
good 2 go with 

[root@qeblade29 ~]# rpm -qa | grep aeolus | sort
aeolus-all-0.7.0-4.el6.noarch
aeolus-conductor-0.7.0-4.el6.noarch
aeolus-conductor-daemons-0.7.0-4.el6.noarch
aeolus-conductor-doc-0.7.0-4.el6.noarch
aeolus-configure-2.4.0-3.el6.noarch
rubygem-aeolus-cli-0.2.0-3.el6.noarch
rubygem-aeolus-image-0.2.0-1.el6.noarch

Comment 9 errata-xmlrpc 2012-05-15 21:41:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html

