Bug
Resolution: Unresolved
Major
None
6.18.1
8
False
sat-rocket
None
None
None
Customer Facing, Customer Reported
Manual
Description of problem:
After installing Satellite 6.18.1 on RHEL 9.7 STIG (Disconnected Environment), Lightspeed pages fail with a 403 permission denied error, see here:

# curl https://`hostname -f`/assets/apps/advisor/fed-mods.json
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

(the webui reflects this error on general Lightspeed page loads)

This traces back to the permissions of the file:

# ls -laZ /var/lib/foreman/public/assets/apps/advisor/fed-mods.json
-rw-r--r--. 1 root root system_u:object_r:foreman_lib_t:s0 198 Dec 23 12:47 /var/lib/foreman/public/assets/apps/advisor/fed-mods.json

The above is combined with the default umask of 0077 applied to STIG systems. This umask is not normally a problem, since typically we set permissions directly, and on creation of this dir we don't.
To reproduce:
- Establish a RHEL 9 system with most base STIG policies (keeping the 0077 umask in place)
  a. If fapolicyd is enabled, configure it according to KCS 7001184
- Install or upgrade to 6.18 with iop enabled
- Run the curl above

STIG can be enabled in the kickstart, or just after installation. For just after installation (before Satellite is installed):

dnf install openscap-scanner scap-security-guide
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
Is related to: SAT-41866 Disconnected STIG environment iop install failure due to UID mismatch (To Do)
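
The failure mode described in this report, reproduced in a scratch directory as an added example (not code from the reporter or from Satellite): a file installed with mode 0644 is still unreachable by other accounts when its parent directories were created under umask 0077. The function names and the scratch tree are constructed for illustration; the script assumes GNU `stat` and `install`, and checks mode bits only (not SELinux labels or ACLs).

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils (stat -c, install).

# Walk RELPATH below BASE and print the first component that "other" users
# (for example the web server account) cannot pass: a directory without o+x
# or a final file without o+r. Returns 0 if reachable, 1 if blocked.
first_blocked_component() {
    current=${1%/}
    old_ifs=$IFS; IFS=/
    set -f; set -- $2; set +f      # split RELPATH on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        mode=$(stat -L -c %a "$current") || return 2
        if [ -d "$current" ]; then need=1; else need=4; fi
        # The last octal digit of the mode holds the "other" permission bits.
        if [ $(( (mode % 10) & need )) -eq 0 ]; then
            printf '%s\n' "$current"
            return 1
        fi
    done
    return 0
}

# Constructed reproduction: the same asset tree built twice under the STIG
# umask, once relying on the umask and once with explicit directory modes.
build_trees() {
    (
        umask 0077
        mkdir -p "$1/implicit/apps/advisor"
        install -m 0644 /dev/null "$1/implicit/apps/advisor/fed-mods.json"
        install -d -m 0755 "$1/explicit" "$1/explicit/apps" "$1/explicit/apps/advisor"
        install -m 0644 /dev/null "$1/explicit/apps/advisor/fed-mods.json"
    )
}

scratch=$(mktemp -d)
build_trees "$scratch"
for tree in implicit explicit; do
    if blocked=$(first_blocked_component "$scratch" "$tree/apps/advisor/fed-mods.json"); then
        echo "$tree: reachable by other users"
    else
        echo "$tree: blocked at $blocked"
    fi
done
rm -rf "$scratch"
```

On an affected host the same check can be pointed at the path from the report with `first_blocked_component / var/lib/foreman/public/assets/apps/advisor/fed-mods.json`.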