Add selinux changes for cockpit #266

Merged
merged 3 commits into from
Dec 11, 2019

Member

@carbonin carbonin commented Dec 9, 2019

This allows the cockpit proxy to work while also allowing
us to access the cockpit webconsole for the appliance.

37502e8 removed the previous implementation
but that breaks the cockpit VM console (cockpit_ws) role.

This was the original implementation in #130, but was rejected for being needlessly complex. Now we seem to need that complexity to simultaneously proxy cockpit connections and run cockpit on the appliance itself. That didn't work.

This was created by the following process:

  • set selinux to permissive
  • enable the cockpit role
  • Request a cockpit webconsole to a VM
  • audit2allow -a -m cockpit_ws_miq > cockpit_ws_miq.te

https://bugzilla.redhat.com/show_bug.cgi?id=1779988
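
An added illustration, not part of this PR or the ManageIQ code: what the audit2allow -a step above does with AVC denials, and why its output is worth reviewing. The -a option reads the whole audit log, so denials from unrelated domains logged while permissive land in the module unless they are filtered out. The log lines are constructed, and the type names (cockpit_ws_t, unreserved_port_t, var_t, logrotate_t) are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the PR); type names are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1575900000.101:410): avc:  denied  { name_connect } for  pid=2101 comm="cockpit-ws" dest=9002 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1575900000.250:411): avc:  denied  { read open } for  pid=2101 comm="cockpit-ws" name="auth.cfg" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575900001.007:412): avc:  denied  { getattr } for  pid=2101 comm="cockpit-ws" name="auth.cfg" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1575900002.500:413): avc:  denied  { write } for  pid=988 comm="logrotate" name="x.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1575900002.500:413): arch=c000003e syscall=2 success=yes
"""

# Pull the permission set, both contexts and the object class out of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def rules_from_denials(log_text, source_domain=None):
    """Group denials into (source, target, class) -> permissions.

    With source_domain set, denials from every other domain are dropped.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL, PATH and other record types
        src, tgt = context_type(match["s"]), context_type(match["t"])
        if source_domain and src != source_domain:
            continue
        rules[(src, tgt, match["cls"])].update(match["perms"].split())
    return dict(rules)

def render(rules):
    """Format grouped denials as type-enforcement allow statements."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return lines

if __name__ == "__main__":
    print("\n".join(render(rules_from_denials(SAMPLE_AUDIT_LOG, "cockpit_ws_t"))))
```

Running it without the source_domain filter also emits a rule for the unrelated logrotate_t denial, which is the kind of line to strip from a generated .te file before loading it.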

@carbonin carbonin changed the title Add original selinux changes for cockpit [WIP] Add original selinux changes for cockpit Dec 10, 2019
@miq-bot miq-bot added the wip label Dec 10, 2019
@carbonin
Member Author

Looks like this isn't good enough, but after fixing the UI I was able to get this running with setenforce 0 so I'll try to figure out an alternative.

@carbonin carbonin force-pushed the readd_selinux_changes_for_cockpit branch from 978f721 to c99326e Compare December 10, 2019 19:49
@carbonin carbonin changed the title [WIP] Add original selinux changes for cockpit Add original selinux changes for cockpit Dec 10, 2019
@carbonin carbonin removed the wip label Dec 10, 2019
@carbonin
Member Author

With this and ManageIQ/manageiq-ui-classic#6522 I was able to get both a webconsole to a remote VM and access cockpit for the appliance running manageiq.

@carbonin carbonin changed the title Add original selinux changes for cockpit Add selinux changes for cockpit Dec 10, 2019
@carbonin carbonin changed the title Add selinux changes for cockpit [WIP] Add selinux changes for cockpit Dec 11, 2019
@carbonin
Member Author

Moving this to WIP while I try to minimize the changes.

@miq-bot miq-bot added the wip label Dec 11, 2019
This was created by the following process:
  - set selinux to permissive
  - enable the cockpit role
  - Request a cockpit webconsole to a VM
  - audit2allow -a -m cockpit_ws_miq > cockpit_ws_miq.te

https://bugzilla.redhat.com/show_bug.cgi?id=1779988
This allows cockpit-ws to access it without SELinux changes
@carbonin carbonin force-pushed the readd_selinux_changes_for_cockpit branch from c99326e to e426901 Compare December 11, 2019 21:03
@miq-bot
Member

miq-bot commented Dec 11, 2019

Some comments on commits carbonin/manageiq-appliance@afe24fb~...e426901

manageiq-setup.sh

  • ⚠️ - 54 - Detected pp. Remove all debugging statements.
  • ⚠️ - 55 - Detected pp. Remove all debugging statements.

@miq-bot
Member

miq-bot commented Dec 11, 2019

Checked commits carbonin/manageiq-appliance@afe24fb~...e426901 with ruby 2.5.5, rubocop 0.69.0, haml-lint 0.20.0, and yamllint 1.10.0
0 files checked, 0 offenses detected
Everything looks fine. ⭐

@carbonin
Member Author

Minimized the selinux changes and moved the auth script to this repo.

These changes require ManageIQ/manageiq#19631

@carbonin carbonin changed the title [WIP] Add selinux changes for cockpit Add selinux changes for cockpit Dec 11, 2019
@carbonin carbonin removed the wip label Dec 11, 2019
@jrafanie
Member

This is clearly better than it was after you reduced the scope of the needed selinux permission changes. 👍

@jrafanie jrafanie merged commit 2d4ef11 into ManageIQ:master Dec 11, 2019
@jrafanie jrafanie added this to the Sprint 127 Ending Jan 6, 2020 milestone Dec 11, 2019
simaishi pushed a commit that referenced this pull request Dec 17, 2019
@simaishi
Contributor

Ivanchuk backport details:

$ git log -1
commit b915ed726529e28a4e1f25fa7def9b4ba56fab5c
Author: Joe Rafaniello <jrafanie@users.noreply.github.com>
Date:   Wed Dec 11 17:18:04 2019 -0500

    Merge pull request #266 from carbonin/readd_selinux_changes_for_cockpit

    Add selinux changes for cockpit

    (cherry picked from commit 2d4ef11e7144313970cd1a1f97ffd80eed409d49)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1784555
