Should the installer set SELinux to permissive for now?

Dominic and I spent a while yesterday helping a user who was having an issue setting up a new Foreman installation. Turns out that SELinux was enforcing, which prevented httpd from accessing the docroot and passenger processes from starting. Once the user ran setenforce 0 and restarted httpd, they were able to use Foreman as expected.

There are definitely plans to ship an SELinux policy, but for now it might be easiest to set SELinux to permissive as part of the installer on RHEL derivatives. What do you think?

-Sam

Inform the user that SELinux must be disabled for now, but do not just
disable it as part of the install process.

Regards,
Andreas

On 09.01.2013 16:07, Sam Kottler wrote:
> Dominic and I spent a while yesterday helping a user who was having an issue setting up a new Foreman installation. Turns out that SELinux was enforcing, which prevented httpd from accessing the docroot and passenger processes from starting. Once the user ran setenforce 0 and restarted httpd, they were able to use Foreman as expected.
>
> There are definitely plans to ship an SELinux policy, but for now it might be easiest to set SELinux to permissive as part of the installer on RHEL derivatives. What do you think?


Solvention Ltd. & Co. KG
St.-Sebastianus-Str. 5
51147 Köln

Tel: +49 2203 989967-0
Fax: +49 2203 989967-9

http://www.solvention.de
mailto:info@solvention.de

If you disable it now, you will never find time to write SELinux policy.

Been there, done that.

On 01/09/2013 04:07 PM, Sam Kottler wrote:
> There are definitely plans to ship an SELinux policy, but for now it might be easiest to set SELinux to permissive as part of the installer on RHEL derivatives. What do you think?


Miroslav Suchy
Red Hat Systems Management Engineering

I am afraid putting Foreman into permissive mode will not help. You want
to put httpd into permissive mode (or turn off the whole of SELinux), because
it's the httpd policy which prevents httpd processes from opening ports.

I also vote for telling the user to turn it off manually rather than doing
this - because you would need to turn it off for httpd, which can be
pretty dangerous.

And I also agree with Mirek's opinion that it's better to do it now than
later. We have Katello in permissive mode and last year I saw several
patches that would obviously not work with SELinux enabled.

Writing a proper policy can be challenging, but once it is set,
maintaining it is not that difficult.

LZ

On Wed, Jan 09, 2013 at 10:07:45AM -0500, Sam Kottler wrote:
> Dominic and I spent a while yesterday helping a user who was having an issue setting up a new Foreman installation. Turns out that SELinux was enforcing, which prevented httpd from accessing the docroot and passenger processes from starting. Once the user ran setenforce 0 and restarted httpd, they were able to use Foreman as expected.
>
> There are definitely plans to ship an SELinux policy, but for now it might be easiest to set SELinux to permissive as part of the installer on RHEL derivatives. What do you think?
>
> -Sam


Later,

Lukas “lzap” Zapletal
#katello #systemengine

I've talked to a few people about this and the takeaway has basically always been "tell people the SELinux mode is wrong, but don't make changes" so…

https://github.com/skottler/puppet-selinux

It's a braindead-simple class that does exactly what I describe above.

----- Original Message -----
From: "Miroslav Suchý"
To: foreman-dev@googlegroups.com
Sent: Thursday, January 10, 2013 3:24:51 AM
Subject: Re: [foreman-dev] Should the installer set SELinux to permissive for now?

On 01/09/2013 04:07 PM, Sam Kottler wrote:

> There are definitely plans to ship an SELinux policy, but for now it might be easiest to set SELinux to permissive as part of the installer on RHEL derivatives. What do you think?

If you disable it now, you will never find time to write SELinux policy.

Been there, done that.


Miroslav Suchy
Red Hat Systems Management Engineering
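
The "tell people the mode is wrong, but don't make changes" approach from the last message, as an added shell sketch that is not code from this thread or from the skottler/puppet-selinux class. It also compares the running mode with the boot-time setting, because setenforce 0 does not survive a reboot; the function names, return codes and message wording are assumptions.

```shell
#!/bin/sh
# Added example: report-only SELinux preflight. It never calls setenforce
# and never edits /etc/selinux/config. Function names, return codes and
# message wording are assumptions made for this sketch.

# Running mode, read from selinuxfs ("enforce" holds 1 or 0). With no
# argument, try the current mount point, then the older /selinux one.
selinux_mode() {
    for dir in ${1:-/sys/fs/selinux /selinux}; do
        [ -r "$dir/enforce" ] || continue
        case "$(cat "$dir/enforce")" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
        return 0
    done
    echo disabled
}

# Boot-time mode from the SELINUX= line of the config file. setenforce
# only changes the running mode, so this can differ from selinux_mode.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-unknown}"
}

# Returns 1 if enforcing now, 2 if enforcing only after reboot, else 0.
selinux_preflight() {
    running=$(selinux_mode "${1:-}")
    boot=$(selinux_config_mode "${2:-}")
    if [ "$running" = enforcing ]; then
        echo "WARNING: SELinux is enforcing and no Foreman policy is installed;"
        echo "httpd may be denied the docroot and Passenger may not start."
        echo "No change made; the mode is left for the administrator to decide."
        return 1
    fi
    if [ "$boot" = enforcing ]; then
        echo "WARNING: SELinux is $running now but SELINUX=enforcing in the"
        echo "config file, so it returns to enforcing at the next boot."
        return 2
    fi
    echo "OK: SELinux is $running (boot setting: $boot)."
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then selinux_preflight; fi
```
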