Add selinux changes for cockpit #266
Looks like this isn't good enough, but after fixing the UI I was able to get this running with
978f721 to c99326e
With this and ManageIQ/manageiq-ui-classic#6522 I was able to get both a webconsole to a remote VM and access cockpit for the appliance running manageiq.
Moving this to WIP while I try to minimize the changes.
This was created by the following process:
- set selinux to permissive
- enable the cockpit role
- Request a cockpit webconsole to a VM
- audit2allow -a -m cockpit_ws_miq > cockpit_ws_miq.te

https://bugzilla.redhat.com/show_bug.cgi?id=1779988
This allows cockpit-ws to access it without SELinux changes
c99326e to e426901
Some comments on commits carbonin/manageiq-appliance@afe24fb~...e426901 manageiq-setup.sh
Checked commits carbonin/manageiq-appliance@afe24fb~...e426901 with ruby 2.5.5, rubocop 0.69.0, haml-lint 0.20.0, and yamllint 1.10.0
Minimized the selinux changes and moved the auth script to this repo. These changes require ManageIQ/manageiq#19631
This is clearly better than it was after you reduced the scope of the needed selinux permission changes. 👍
Add selinux changes for cockpit
(cherry picked from commit 2d4ef11)
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1784555
Ivanchuk backport details:
This allows the cockpit proxy to work while also allowing
us to access the cockpit webconsole for the appliance.
37502e8 removed the previous implementation
but that breaks the cockpit VM console (cockpit_ws) role.
This was the original implementation in #130, but was rejected for being needlessly complex. Now we seem to need that complexity to simultaneously proxy cockpit connections and run cockpit on the appliance itself.
That didn't work.
This was created by the following process:
audit2allow -a -m cockpit_ws_miq > cockpit_ws_miq.te
https://bugzilla.redhat.com/show_bug.cgi?id=1779988
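
Because `audit2allow -a` turns every denial in the audit log into a rule, a module generated on a permissive host can carry rules for unrelated domains. The following review pass over a generated `.te` file is an added example, not code from this PR or from ManageIQ; the sample module text, the `triage` helper and the choice of `cockpit_ws_t` as the only expected source domain are assumptions.

```python
import re

# Constructed sample in the shape `audit2allow -m` emits (require block
# omitted). The rules are illustrative only; they are not the contents of
# this PR's cockpit_ws_miq.te.
SAMPLE_TE = """\
module cockpit_ws_miq 1.0;

#============= chronyd_t ==============
allow chronyd_t var_run_t:sock_file write;

#============= cockpit_ws_t ==============
allow cockpit_ws_t cert_t:file { open read };

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t http_port_t:tcp_socket name_connect;
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+));")
BOOL_RE = re.compile(r"^#!!!!.*boolean '([^']+)'")

def parse_allow_rules(te_text):
    """Return one dict per allow rule, carrying any boolean hint above it."""
    rules, hint = [], None
    for line in map(str.strip, te_text.splitlines()):
        if (m := BOOL_RE.match(line)):
            hint = m.group(1)
        elif (m := ALLOW_RE.match(line)):
            perms = (m.group(4) or m.group(5) or "").split()
            rules.append({"source": m.group(1), "target": m.group(2),
                          "class": m.group(3), "perms": perms, "boolean": hint})
            hint = None  # a hint applies only to the rule directly below it
    return rules

def triage(te_text, expected_sources):
    """Sort rules into keep / use_boolean / out_of_scope for manual review."""
    buckets = {"keep": [], "use_boolean": [], "out_of_scope": []}
    for rule in parse_allow_rules(te_text):
        key = ("use_boolean" if rule["boolean"] else
               "keep" if rule["source"] in expected_sources else "out_of_scope")
        buckets[key].append(rule)
    return buckets

if __name__ == "__main__":
    for bucket, rules in triage(SAMPLE_TE, {"cockpit_ws_t"}).items():
        for r in rules:
            print(bucket, r["source"], r["target"], r["class"], r["perms"])
```

Rules in `out_of_scope` are candidates for removal from the module, and rules in `use_boolean` can usually be replaced by setting the named boolean instead of shipping a custom rule.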