  1. Product Technical Learning
  2. PTL-5478

DO447-61: SELinux rule affects files that shouldn't


    • Story
    • Resolution: Done
    • Major
    • DO467 - RHAAP 2.0 0
    • DO447 - RHAE2.8 2 20200818
    • DO447
    • None
    • 14
    • ILT, ROLE, VT
    • en-US (English)

      Section: - Configuring TLS/SSL for Ansible Tower
      Language: en-US (English)
      Workaround:

      semanage fcontext -a -t cert_t "/etc/tower/tower\.(cert|key)"
      restorecon -FvvR /etc/tower/
      

      Description: In the GE Configuring TLS/SSL for Ansible Tower in step 2 we instruct students to execute the following 2 commands:

      semanage fcontext -a -t cert_t "/etc/tower(/.*)?"
      restorecon -FvvR /etc/tower/
      

      Those commands, as you can clearly see, affect all files under /etc/tower. And while we don't face any issue with the nginx version we have in Tower 3.5.0, we cannot predict what will be the outcome in other versions. Moreover, this is very bad advice, since we practically tell students that "As long as it works, don't care about the SELinux labels in the files".

      In my opinion, we should use the following 2 commands:

      semanage fcontext -a -t cert_t "/etc/tower/tower\.(cert|key)"
      restorecon -FvvR /etc/tower/
      

      With this example, we demonstrate the correct usage of SELinux: a label only for those 2 files, without changing the rest of them.

            rht-sbonnevi Steven Bonneville
            p.tselios Petros Tselios (Inactive)
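
Added example, not part of the original ticket or the course material: an offline comparison of which paths each of the two file-context specs would label `cert_t`. The sample file list is constructed, the scoped spec is written with the dot escaped so it matches only a literal `.`, and `grep -Ex` stands in for SELinux's whole-path regex match.

```shell
#!/usr/bin/env bash
# Compare the coverage of the two semanage fcontext specs from the ticket.
# SELinux anchors a file-context spec to the whole path, so grep -x
# (full-line match) with -E approximates it for these simple patterns.

BROAD='/etc/tower(/.*)?'                 # spec used in the exercise, step 2
SCOPED='/etc/tower/tower\.(cert|key)'    # spec proposed in the ticket, dot escaped

# Constructed sample of paths under /etc/tower (not a listing from a real host).
sample_paths() {
  cat <<'EOF'
/etc/tower
/etc/tower/tower.cert
/etc/tower/tower.key
/etc/tower/SECRET_KEY
/etc/tower/settings.py
/etc/tower/conf.d/postgres.py
/etc/tower/license
EOF
}

# Print every sample path the given spec would relabel.
covered_by() {
  sample_paths | grep -Ex -- "$1"
}

# Print relabeled paths that are NOT the two TLS files (unintended targets).
collateral() {
  covered_by "$1" | grep -Evx '/etc/tower/tower\.(cert|key)' || true
}

# Summarise both specs side by side.
report() {
  local spec
  for spec in "$BROAD" "$SCOPED"; do
    printf 'spec: %s\n' "$spec"
    printf '  relabeled to cert_t: %s\n' "$(covered_by "$spec" | wc -l | tr -d ' ')"
    printf '  unintended targets:  %s\n' "$(collateral "$spec" | wc -l | tr -d ' ')"
    collateral "$spec" | sed 's/^/    /'
  done
}

report
```

On a host where the broad rule was already added, `semanage fcontext -l -C` lists it among the local customizations, and it has to be removed with `semanage fcontext -d "/etc/tower(/.*)?"` before `restorecon` will return the other files to their default labels. `matchpathcon /etc/tower/settings.py` shows the label a given path would receive under the current rules.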