Tracker #7249
Policy with workarounds for Foreman w/ Katello (status: closed, 0% done)
Description
There are several workarounds that need to be solved to get Foreman with Katello working on RHEL6 and RHEL7. I want to create a separate policy that will carry those.
Ideally I'd like to have it in the foreman-selinux git repo (as a separate module and package) but if we agree this is not the right place, I'd like to keep this tracking issue for future reference.
Updated by Lukas Zapletal over 9 years ago
- Related to Bug #7198: Socket read and write on RHEL7 added
Updated by Lukas Zapletal over 9 years ago
- Category set to Packaging
This rule is needed for foreman-tasks (#7198):
allow passenger_t httpd_t:unix_stream_socket {read write};
Updated by Lukas Zapletal over 9 years ago
- Related to Bug #7193: Katello does not install due to qpidd policy bug added
Updated by Lukas Zapletal over 9 years ago
This rule is required for RHEL 7.0 (without SELinux upcoming errata):
auth_read_passwd(qpidd_t)
https://github.com/theforeman/foreman-selinux/pull/29/files
Tracked as #7193
Updated by Lukas Zapletal over 9 years ago
This issue #7178
allow passenger_t self:process execmem;
has been merged upstream but I am going to revert it and until this is resolved in foreman-tasks I will put this as a temporary solution. We need to make sure therubyracer/v8 does not attempt to compile any assets during the boot.
Updated by Lukas Zapletal over 9 years ago
- Related to Bug #7178: Allow passenger_t to EXECMEM added
Updated by Lukas Zapletal over 9 years ago
Leaked file descriptor of EPEL6 puppet:
userdom_dontaudit_manage_user_tmp_files(load_policy_t)
Updated by Lukas Zapletal over 9 years ago
Just for the record this one:
time->Wed Aug 27 17:15:02 2014
type=SYSCALL msg=audit(1409152502.399:684): arch=c000003e syscall=49 success=no exit=-13 a0=d a1=7fc09c321ab0 a2=10 a3=0 items=0 ppid=1673 pid=1724 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1409152502.399:684): avc: denied { name_bind } for pid=1724 comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
# https://bugzilla.redhat.com/show_bug.cgi?id=1134503
corenet_udp_bind_all_unreserved_ports(passenger_t)
It's reported to be harmless, so we can dontaudit it for Satellite 6.0 and after policy breakup find out if this is master or foreman app.
WARNING: Need to use the macro!
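The comments above collect a handful of AVC denials and the policy line that covers each one. A small triage script makes that list usable against a real audit log: parse the AVC records, look each (source type, target type, class, permission) up in the tracker's list, and flag anything not on it so it gets reviewed rather than blanket-allowed. The script below is an added example, not code from this tracker or from foreman-selinux. It assumes audit records in the auditd text format; the sample log is constructed, modelled on the record quoted above plus the other denials this issue tracks, and the final shadow_t record is invented purely to show a denial that the list does not cover. The policy lines are quoted from the comments as given (the raw allow for the UDP bind is what the tracker notes should be replaced by the macro).

```python
"""Triage SELinux AVC denials against the workaround list kept in this tracker."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Matches AVC records only; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="ruby", path="socket:[123]").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample log (not real audit output). Records 684..686 mirror the
# denials discussed in this tracker; record 687 is an invented, uncovered denial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1409152502.399:684): arch=c000003e syscall=49 success=no exit=-13 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1409152502.399:684): avc:  denied  { name_bind } for  pid=1724 comm="ruby" src=22845 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1409152502.512:685): avc:  denied  { read write } for  pid=1730 comm="ruby" path="socket:[12345]" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1409152502.600:686): avc:  denied  { execmem } for  pid=1730 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1409152502.700:687): avc:  denied  { read } for  pid=1740 comm="ruby" name="shadow" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Workarounds listed in this tracker, keyed by (source type, target type, class, permission).
# Value: (tracker reference, policy line as quoted in the comments).
KNOWN_WORKAROUNDS: Dict[Tuple[str, str, str, str], Tuple[str, str]] = {
    ("passenger_t", "httpd_t", "unix_stream_socket", "read"):
        ("#7198", "allow passenger_t httpd_t:unix_stream_socket {read write};"),
    ("passenger_t", "httpd_t", "unix_stream_socket", "write"):
        ("#7198", "allow passenger_t httpd_t:unix_stream_socket {read write};"),
    ("passenger_t", "passenger_t", "process", "execmem"):
        ("#7178", "allow passenger_t self:process execmem;"),
    ("passenger_t", "unreserved_port_t", "udp_socket", "name_bind"):
        ("rhbz#1134503", "corenet_udp_bind_all_unreserved_ports(passenger_t)"),
}


@dataclass
class AvcRecord:
    serial: int
    action: str
    perms: FrozenSet[str]
    source_type: str   # type component of scontext, e.g. passenger_t
    target_type: str   # type component of tcontext, e.g. httpd_t
    tclass: str
    fields: Dict[str, str]


def _type_of(context: str) -> str:
    # Contexts are user:role:type[:range]; the third field is the SELinux type.
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc_records(text: str) -> List[AvcRecord]:
    """Parse every AVC record in auditd text output; other record types are ignored."""
    records: List[AvcRecord] = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        records.append(AvcRecord(
            serial=int(m.group("serial")),
            action=m.group("action"),
            perms=frozenset(m.group("perms").split()),
            source_type=_type_of(fields.get("scontext", "")),
            target_type=_type_of(fields.get("tcontext", "")),
            tclass=fields.get("tclass", ""),
            fields=fields,
        ))
    return records


def triage(records: List[AvcRecord]) -> List[Tuple[AvcRecord, str, Optional[str]]]:
    """Return (record, verdict, covering policy line or None) for each denial."""
    out: List[Tuple[AvcRecord, str, Optional[str]]] = []
    for r in records:
        if r.action != "denied":
            continue
        matches = {KNOWN_WORKAROUNDS.get((r.source_type, r.target_type, r.tclass, p))
                   for p in r.perms}
        if None in matches:
            # At least one requested permission is not on the tracker's list:
            # leave it for review instead of generating an allow rule for it.
            out.append((r, "unexpected", None))
        else:
            refs = ", ".join(sorted({ref for ref, _ in matches}))
            rules = " ".join(sorted({rule for _, rule in matches}))
            out.append((r, f"known-workaround ({refs})", rules))
    return out


def policy_lines(records: List[AvcRecord]) -> List[str]:
    """Distinct tracker policy lines covering the known denials, in sorted order."""
    return sorted({rule for _, _, rule in triage(records) if rule is not None})


if __name__ == "__main__":
    for rec, verdict, rule in triage(parse_avc_records(SAMPLE_AUDIT_LOG)):
        perms = " ".join(sorted(rec.perms))
        print(f"serial={rec.serial} {rec.source_type} -> {rec.target_type}:{rec.tclass} "
              f"{{ {perms} }} : {verdict}" + (f"  => {rule}" if rule else ""))
```

Run it against `ausearch -m avc` output on a host instead of the sample to see which denials the tracker already accounts for; the one denial that comes back "unexpected" is the case to investigate by hand rather than feed to audit2allow.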