[HELP NEEDED] Test foreman-proxy SELinux policy in nightly

Dear Foreman hackers,

we merged Foreman Proxy SELinux policy into nightly builds and we are
calling for testing. It is very easy to install or uninstall SELinux
policy for proxy:

yum -y install foreman-proxy-selinux

service foreman-proxy restart

From that point, smart-proxy process is running in its own confined
domain (foreman_proxy_t) and taking advantage of improved security.
Although we did our best to test possible configuration scenarios, there
will be security denials for those of you who configure proxy
differently.

Our policy is modular and by default all the bits are enabled. If you
don't use let's say DNS proxy plugin, you can disable it via SELinux
boolean improving the security further:

semanage boolean -l | grep foreman_proxy

foreman_proxy_manage_puppetca (on , on) Allow foreman to proxy manage puppetca
foreman_proxy_use_sudo (on , on) Allow foreman to proxy use sudo
foreman_proxy_manage_dhcp_generic (on , on) Allow foreman to proxy manage dhcp generic
foreman_proxy_manage_puppet (on , on) Allow foreman to proxy manage puppet
foreman_proxy_manage_dhcp_isc (on , on) Allow foreman to proxy manage dhcp isc
foreman_proxy_manage_tftp (on , on) Allow foreman to proxy manage tftp
foreman_proxy_manage_dns_nsupdate (on , on) Allow foreman to proxy manage dns nsupdate

To uninstall you only need to remove the RPM package and restart the
service once again. That's really it.

Help us to improve Foreman 1.8 with testing and properly reporting
SELinux denials. What we need to know is how to reproduce the issue
(configuration, actions through CLI/UI) and additional information
gathered with:

rpm -q foreman-selinux selinux-policy
getenforce
ps auxZ | egrep '(Rack|foreman|ruby)'
semodule -l | grep foreman
foreman-proxy-selinux-relabel -vn
semanage boolean -l | grep foreman
sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
ausearch -m AVC -m USER_AVC -m SELINUX_ERR

We'd also appreciate testing in Permissive mode (setenforce 0) where
SELinux does not enforce the rules, but you can still report the denials
to us.

Report on our RedMine instance:

http://projects.theforeman.org/projects/selinux/issues/new

Thank you for your help!

-- Later, Lukas #lzap Zapletal
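The post says unused plugins should have their foreman_proxy_* booleans switched off but leaves the mapping to the reader. The script below is an added example, not code from the post or from the foreman-proxy-selinux package: it reads the smart-proxy module settings and prints the booleans that the current configuration does not need, so they can be turned off with setsebool -P. It assumes the Foreman 1.8-era layout of one /etc/foreman-proxy/settings.d/<module>.yml per module with an ":enabled:" key (true, false, http or https) and a ":dhcp_vendor:" key in dhcp.yml selecting the ISC provider; both are assumptions to check against your installation. foreman_proxy_use_sudo is deliberately left alone, since the post does not tie it to a single plugin.

```shell
#!/bin/sh
# Added example (not part of the original post or the foreman-proxy-selinux package).
# Assumption: every smart-proxy module has $SETTINGS_DIR/<module>.yml containing
# ":enabled: true|false|http|https", and dhcp.yml selects the ISC provider with
# ":dhcp_vendor: isc" (any other value is treated as the generic provider).

# module_enabled DIR MODULE -> prints "on" if the module is switched on, else "off".
# A missing settings file counts as disabled.
module_enabled() {
  _f="$1/$2.yml"
  [ -r "$_f" ] || { echo off; return; }
  if grep -Eq '^[[:space:]]*:enabled:[[:space:]]*(true|https?)[[:space:]]*$' "$_f"; then
    echo on
  else
    echo off
  fi
}

# unused_proxy_booleans DIR -> one foreman_proxy_* boolean per line that the
# configuration in DIR does not need (mapping taken from the boolean list in the post).
unused_proxy_booleans() {
  _d="$1"
  [ "$(module_enabled "$_d" dns)" = on ]      || echo foreman_proxy_manage_dns_nsupdate
  [ "$(module_enabled "$_d" tftp)" = on ]     || echo foreman_proxy_manage_tftp
  [ "$(module_enabled "$_d" puppet)" = on ]   || echo foreman_proxy_manage_puppet
  [ "$(module_enabled "$_d" puppetca)" = on ] || echo foreman_proxy_manage_puppetca
  if [ "$(module_enabled "$_d" dhcp)" = on ]; then
    # Only one DHCP provider is active at a time, so the other one can be confined away.
    if grep -Eq '^[[:space:]]*:dhcp_vendor:[[:space:]]*isc' "$_d/dhcp.yml"; then
      echo foreman_proxy_manage_dhcp_generic
    else
      echo foreman_proxy_manage_dhcp_isc
    fi
  else
    echo foreman_proxy_manage_dhcp_isc
    echo foreman_proxy_manage_dhcp_generic
  fi
}

# disable_unused_proxy_booleans [DIR] -> persistently (-P) switches each unused
# boolean off. Run as root; re-run after enabling a plugin to switch it back on
# with "setsebool -P <boolean> on".
disable_unused_proxy_booleans() {
  unused_proxy_booleans "${1:-/etc/foreman-proxy/settings.d}" | while read -r _b; do
    setsebool -P "$_b" off
  done
}

# Dry run (prints what would be disabled):
#   unused_proxy_booleans /etc/foreman-proxy/settings.d
# Apply:
#   disable_unused_proxy_booleans
```

Run the dry-run form first and compare it with `semanage boolean -l | grep foreman_proxy`; if a plugin you do use shows up in the list, the settings layout differs from the assumption above and the grep patterns need adjusting before anything is switched off.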

Should puppet-foreman_proxy enable these booleans? We have many switches
to know if it should be used.

On Thu, Dec 04, 2014 at 11:31:01AM +0100, Lukas Zapletal wrote:
> Our policy is modular and by default all the bits are enabled. If you
> don't use let's say DNS proxy plugin, you can disable it via SELinux
> boolean improving the security further:
>
> # semanage boolean -l | grep foreman_proxy
> foreman_proxy_manage_puppetca (on , on) Allow foreman to proxy manage puppetca
> foreman_proxy_use_sudo (on , on) Allow foreman to proxy use sudo
> foreman_proxy_manage_dhcp_generic (on , on) Allow foreman to proxy manage dhcp generic
> foreman_proxy_manage_puppet (on , on) Allow foreman to proxy manage puppet
> foreman_proxy_manage_dhcp_isc (on , on) Allow foreman to proxy manage dhcp isc
> foreman_proxy_manage_tftp (on , on) Allow foreman to proxy manage tftp
> foreman_proxy_manage_dns_nsupdate (on , on) Allow foreman to proxy manage dns nsupdate

> Should puppet-foreman_proxy enable these booleans? We have many switches
> to know if it should be used.

Sorry what? They are enabled by default and the comments are I hope
self-explanatory. You only want to disable them when some plugins are
not in use.

It's totally fine to have them enabled all.

-- Later, Lukas #lzap Zapletal

The goal of the puppet modules is to ensure a working environment. If
selinux is used and the boolean is off (because the user disabled it in
the past) while it should be on, puppet could detect and fix it.

If they're enabled by default it may not be needed that much, but I
wouldn't be surprised if at some point we will add this. It could even
disable the unneeded booleans for added security.

On Thu, Dec 04, 2014 at 02:57:16PM +0100, Lukas Zapletal wrote:
> > Should puppet-foreman_proxy enable these booleans? We have many switches
> > to know if it should be used.
>
> Sorry what? They are enabled by default and the comments are I hope
> self-explanatory. You only want to disable them when some plugins are
> not in use.
>
> It's totally fine to have them enabled all.

> If they're enabled by default it may not be needed that much, but I
> wouldn't be surprised if at some point we will add this. It could even
> disable the unneeded booleans for added security.

Sure, this is ideal world. Raised a feature ticket for that:

http://projects.theforeman.org/issues/8608

-- Later, Lukas #lzap Zapletal