Hello,
in the Foreman 1.8 release (or nightly builds) we ship SELinux policy
for smart-proxy. It is not installed by default as we would like to test
it more before enabling it for everyone.
If you want to help us test the policy, feel free to install and
enable it by installing a package and restarting the proxy:

    yum install foreman-proxy-selinux
    service foreman-proxy restart

The proxy process should run in its own domain from that moment:

    ps axuZ | grep proxy
    system_u:system_r:foreman_proxy_t:s0 foreman+ …

The policy itself is modular, just like the proxy itself. By default all
"modules" (or "features") are turned on. You can fine-tune this setting
with SELinux booleans:

    semanage boolean -l | grep foreman_proxy
    foreman_proxy_manage_puppetca (on , on) Allow foreman to proxy manage puppetca
    foreman_proxy_use_sudo (on , on) Allow foreman to proxy use sudo
    foreman_proxy_manage_dhcp_generic (on , on) Allow foreman to proxy manage dhcp generic
    foreman_proxy_manage_puppet (on , on) Allow foreman to proxy manage puppet
    foreman_proxy_manage_tftp (on , on) Allow foreman to proxy manage tftp
    foreman_proxy_manage_dhcp_isc (on , on) Allow foreman to proxy manage dhcp isc
    foreman_proxy_manage_dns_nsupdate (on , on) Allow foreman to proxy manage dns nsupdate

To disable the policy, just uninstall the package and restart the daemon
again. If you encounter problems, you can easily put the proxy domain
into permissive mode and keep it running: denials are then only logged,
not enforced, so you can collect them and send them to us:

    semanage permissive -a foreman_proxy_t

To enable or disable the proxy policy without uninstalling the package, you
can use:

    foreman-proxy-selinux-enable
    foreman-proxy-selinux-disable

Please report all issues in our tracker:

    http://projects.theforeman.org/projects/selinux/issues/new

Remember to include the denials (ausearch -m avc) and describe all proxy
configuration changes you made (attach /etc/foreman-proxy). The best
approach is to use the foreman-debug tool to upload a debug tarball and
mention its name in the ticket.
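As an added example (not part of this announcement and not shipped with the foreman-proxy-selinux package), the following POSIX sh script ties the steps above together: it checks that the smart-proxy really runs confined in foreman_proxy_t, lists any foreman_proxy_* booleans that are currently off, and counts the AVC denials attributed to the proxy domain. The parsers read the respective command's output from stdin, so the script runs offline against the constructed sample output embedded at the bottom; the sample ps, semanage and audit lines are made up for illustration and only mimic the real formats.

```shell
#!/bin/sh
# Added example, not part of the original announcement or of the
# foreman-proxy-selinux package: a small checker for the steps above.
# It verifies that the smart-proxy runs in foreman_proxy_t, lists any
# foreman_proxy_* booleans that are currently off, and counts AVC denials
# attributed to the proxy domain. Each parser reads the relevant command's
# output from stdin, so it can be exercised offline with the constructed
# samples at the bottom; on a real host pipe the live commands into it.

# SELinux type (third field of the context in column 1) of the first
# "ps axuZ" line that belongs to the smart-proxy. Prints nothing if the
# proxy is not running.
proxy_domain() {
    grep -e 'foreman-proxy' -e 'smart-proxy' | grep -v 'grep' | head -n 1 \
        | awk '{ split($1, ctx, ":"); print ctx[3] }'
}

# Exit status 0 when the proxy on stdin is confined in foreman_proxy_t,
# 1 otherwise (initrc_t or unconfined_t means the policy is not active).
proxy_confined() {
    [ "$(proxy_domain)" = "foreman_proxy_t" ]
}

# Names of foreman_proxy_* booleans whose current state is "off", parsed
# from "semanage boolean -l" lines of the form
# "name (current , default) description".
booleans_off() {
    awk '/^foreman_proxy_/ { gsub(/[(),]/, "", $2); if ($2 == "off") print $1 }'
}

# Number of AVC denials whose source context is foreman_proxy_t, parsed
# from "ausearch -m avc" output. grep -c exits 1 on zero matches, which
# is still a valid answer here, hence the "|| true".
count_proxy_denials() {
    grep -c 'avc:  denied.*scontext=[^ ]*:foreman_proxy_t:' || true
}

# Constructed samples standing in for the live command output.
SAMPLE_PS='system_u:system_r:foreman_proxy_t:s0 foreman+ 1234 0.1 2.0 123456 45678 ? Ssl 10:00 0:01 /usr/bin/ruby /usr/share/foreman-proxy/bin/smart-proxy
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2345 0.0 0.0 12345 1234 pts/0 S+ 10:01 0:00 grep proxy'

SAMPLE_BOOLEANS='foreman_proxy_manage_puppetca (on , on) Allow foreman to proxy manage puppetca
foreman_proxy_use_sudo (off , on) Allow foreman to proxy use sudo
foreman_proxy_manage_tftp (on , on) Allow foreman to proxy manage tftp'

SAMPLE_AVC='type=AVC msg=audit(1424096384.264:1001): avc:  denied  { read } for  pid=1234 comm="ruby" name="dhcpd.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:dhcp_etc_t:s0 tclass=file
type=AVC msg=audit(1424096385.100:1002): avc:  denied  { write } for  pid=5678 comm="httpd" name="foo" dev="dm-0" ino=4343 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# Demo against the constructed samples. On a real host use, for example:
#   ps axuZ | proxy_confined && echo confined
#   semanage boolean -l | booleans_off
#   ausearch -m avc | count_proxy_denials
if printf '%s\n' "$SAMPLE_PS" | proxy_confined; then
    echo "proxy is confined in foreman_proxy_t"
else
    echo "proxy is NOT confined (policy not active?)"
fi
echo "booleans currently off:"
printf '%s\n' "$SAMPLE_BOOLEANS" | booleans_off
echo "denials for foreman_proxy_t: $(printf '%s\n' "$SAMPLE_AVC" | count_proxy_denials)"
```

A non-zero denial count is exactly what is worth attaching to a ticket, together with /etc/foreman-proxy; a domain other than foreman_proxy_t in the first check means the policy is not applied at all, and the booleans that show as off explain which proxy feature will be blocked before any denial is seen.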
Thank you for all your valuable input. Our goal is to create a rock-solid
and secure platform together!