  1. Satellite
  2. SAT-27308

noVNC Console for KVM not working due to missing SELinux boolean - websockify


    • False
    • False
    • foreman-selinux-3.12.0
    • 0
    • Platform
    • Moderate
    • None

      Description of problem:

      Opening a VM console created with the Libvirt provider fails due to SELinux preventing websockify from opening a connection on its port range.

      Aug 19 01:56:26 satellite setroubleshoot[11512]: SELinux is preventing websockify from name_connect access on the tcp_socket port 5908.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   *****************#012#012If you want to allow foreman to rails can connect all#012Then you must tell SELinux about this by enabling the 'foreman_rails_can_connect_all' boolean.#012#012Do#012setsebool -P foreman_rails_can_connect_all 1#012#012****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that websockify should be allowed name_connect access on the port 5908 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'websockify' --raw | audit2allow -M my-websockify#012# semodule -X 300 -i my-websockify.pp#012

      How reproducible:

      Always

      Is this issue a regression from an earlier version:

      No

      Steps to Reproduce:

      1. Configure Libvirt Compute Resource

      2. Create a host using the Libvirt CR

      3. Try to access the console; the screen hangs on "Loading"

      Actual behavior:
      Console hangs on "Loading..." while connecting to the console via Satellite. Checking the logs in /var/log/messages:

       

      Aug 19 01:56:26 satellite setroubleshoot[11512]: SELinux is preventing websockify from name_connect access on the tcp_socket port 5908.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   *****************#012#012If you want to allow foreman to rails can connect all#012Then you must tell SELinux about this by enabling the 'foreman_rails_can_connect_all' boolean.#012#012Do#012setsebool -P foreman_rails_can_connect_all 1#012#012****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that websockify should be allowed name_connect access on the port 5908 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'websockify' --raw | audit2allow -M my-websockify#012# semodule -X 300 -i my-websockify.pp#012

      After "setsebool -P foreman_rails_can_connect_all 1" console opens (see attachment).

       

      Expected behavior:
      Console opens correctly

      Business Impact / Additional info:

      I think this should be part of the SELinux rules applied during the setup.


            egolov@redhat.com Evgeni Golov
            alessandro.rossi Alessandro Rossi
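
A triage helper for the setroubleshoot message quoted in this report, added here as an example and not part of the original issue or of foreman-selinux: it decodes the `#012` newline escapes seen in /var/log/messages and extracts the denied access and the boolean each plugin suggests. The function names and the shortened sample line are assumptions made for the illustration.

```python
import re

# Constructed sample: the setroubleshoot line from the report, with the star
# runs and the second plugin's body shortened. rsyslog writes newlines as "#012".
SAMPLE = (
    "Aug 19 01:56:26 satellite setroubleshoot[11512]: SELinux is preventing "
    "websockify from name_connect access on the tcp_socket port 5908.#012#012"
    "*****  Plugin catchall_boolean (89.3 confidence) suggests   *****#012#012"
    "If you want to allow foreman to rails can connect all#012Then you must "
    "tell SELinux about this by enabling the 'foreman_rails_can_connect_all' "
    "boolean.#012#012Do#012setsebool -P foreman_rails_can_connect_all 1#012#012"
    "****  Plugin catchall (11.6 confidence) suggests   ****#012#012"
    "If you believe that websockify should be allowed name_connect access on "
    "the port 5908 tcp_socket by default.#012Then you should report this as a bug.#012"
)

ESCAPE = re.compile(r"#([0-7]{3})")
HEADER = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<perm>\S+) access "
    r"on the (?P<tclass>\S+) (?P<target>.+?)\.\s*$", re.M)
PLUGIN = re.compile(r"\*+\s+Plugin (\w+) \(([\d.]+) confidence\) suggests\s+\*+")
BOOLEAN = re.compile(r"enabling the '(\w+)' boolean")


def decode_escapes(line):
    """Undo rsyslog's #ooo octal escaping, for control characters only."""
    def repl(m):
        code = int(m.group(1), 8)
        return chr(code) if code < 32 else m.group(0)
    return ESCAPE.sub(repl, line)


def parse_denial(line):
    """Return the denied access plus each plugin's suggestion, or None."""
    text = decode_escapes(line)
    head = HEADER.search(text)
    if head is None:
        return None  # not a setroubleshoot denial summary
    result = head.groupdict()
    result["suggestions"] = []
    parts = PLUGIN.split(text)[1:]  # name, confidence, body, name, ...
    for name, conf, body in zip(parts[0::3], parts[1::3], parts[2::3]):
        m = BOOLEAN.search(body)
        result["suggestions"].append({"plugin": name, "confidence": float(conf),
                                      "boolean": m.group(1) if m else None})
    return result
```

Listing the suggested boolean next to the exact denied access (source, permission, class, port) lets a reviewer compare what was blocked with how much the proposed boolean would allow before running `setsebool -P`.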