Content host enabled with fapolicyd rules is preventing the Remote Execution from Red Hat Satellite.

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • client has fapolicyd enabled

Issue

  • Unable to perform Remote Execution on the content host enabled with fapolicyd rules.

  • Content host enabled with fapolicyd rules is preventing the Remote Execution from Red Hat Satellite.

  • How to configure fapolicyd rules to allow Remote Execution with fapolicy enabled host.

  • Remote Execution using a non-root user on a custom working directory fails with the following error:

    ```
    sh: line 1: /var/rexuser/foreman-ssh-cmd-b8616bdc-51da-4b28-bfdd-c8c1e1c06c27/script-wrapper: Operation not permitted
    Exit status: 126
    StandardError: Job execution failed
    ```

  • It can also give an error like:

    ```
    sh: line 1: /var/tmp/foreman-ssh-cmd-b8616bdc-51da-4b28-bfdd-c8c1e1c06c27/script-wrapper: Operation not permitted
    Exit status: 126
    StandardError: Job execution failed
    ```

Resolution

  • Ensure that fapolicyd on the content host has the following rule added:

    • Create the file 25-custom.rules under /etc/fapolicyd/rules.d/ using your preferred text editor.

    • Add the following rule to the newly created /etc/fapolicyd/rules.d/25-custom.rules to allow the directory in which execution is failing (the directory location is shown in the failed task output):

    If it fails with /var/rexuser/*, then add:

    ```
    allow perm=any all : ftype=text/plain dir=/var/rexuser/
    ```

    If it fails with /var/tmp/*, then add:

    ```
    allow perm=any all : ftype=text/plain dir=/var/tmp/
    ```
  • Once added, notify fapolicyd of the policy update and restart the service by running the following commands:

    ```
    # chown root:fapolicyd /etc/fapolicyd/rules.d/25-custom.rules
    # fapolicyd-cli --update
    # systemctl restart fapolicyd
    # restorecon -RFv /etc/fapolicyd/rules.d/
    ```

Root Cause

  • The Remote Execution from Satellite works when the fapolicyd is disabled on the content host.
  • The fapolicyd rules on the content host were preventing the Remote Execution from Red Hat Satellite.

Diagnostic Steps

  • Run fapolicyd in debug mode on the affected host and review the debug output (see the Red Hat documentation on troubleshooting problems related to fapolicyd).

  • The debug output shows which specific rule blocks the exact command being executed, and that is generally sufficient to write a rule that allows the blocked activity.

  • The following denial is observed in the fapolicyd debug output:

    ```
    rule=XX dec=deny_audit perm=execute auid=43674 pid=864299 exe=/usr/bin/bash : path=/var/rexuser/foreman-ssh-cmd-b8616bdc-51da-4b28-bfdd-c8c1e1c06c27/script-wrapper ftype=text/plain trust=0
    ```
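The debug line above is what the Resolution section's rule is derived from: the denied object is a text/plain script under a foreman-ssh-cmd-<uuid> directory, and the fix is an allow rule scoped to the working directory that contains it. The following script is an added example, not part of this article or of fapolicyd or Satellite; it parses fapolicyd decision lines of that shape and emits the corresponding allow rule in the form the article gives, for both the /var/rexuser/ and /var/tmp/ cases. The sample lines are constructed (the first mirrors the line quoted above; the others are assumed variants), and the helper names are the example's own.

```python
import re

# Constructed sample lines in the shape of fapolicyd's debug output.
# The first mirrors the denial quoted in this article; the second is an
# assumed variant for a /var/tmp working directory; the third is an allow
# decision that must be ignored.
SAMPLE_DEBUG_LINES = [
    "rule=XX dec=deny_audit perm=execute auid=43674 pid=864299 exe=/usr/bin/bash : "
    "path=/var/rexuser/foreman-ssh-cmd-b8616bdc-51da-4b28-bfdd-c8c1e1c06c27/script-wrapper "
    "ftype=text/plain trust=0",
    "rule=12 dec=deny_audit perm=execute auid=43674 pid=864300 exe=/usr/bin/bash : "
    "path=/var/tmp/foreman-ssh-cmd-0f1e2d3c-0000-1111-2222-333344445555/script-wrapper "
    "ftype=text/plain trust=0",
    "rule=3 dec=allow perm=execute auid=0 pid=1 exe=/usr/bin/bash : "
    "path=/usr/bin/ls ftype=application/x-executable trust=1",
]

# key=value tokens; the lone ' : ' separator between subject and object
# fields has no '=' and is simply not matched.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_debug_line(line):
    """Parse one fapolicyd decision line into a dict of its key=value fields."""
    return {key: value for key, value in KV_RE.findall(line)}


def suggest_allow_rule(fields):
    """Return an allow rule for a denied Remote Execution wrapper, or None.

    Only deny decisions on a text/plain object whose path contains a
    foreman-ssh-cmd-<uuid> component are handled. The rule is scoped to the
    working directory above that component (e.g. /var/rexuser/), exactly as
    the article's resolution does, rather than to the per-job directory,
    whose UUID changes with every job.
    """
    if not fields.get("dec", "").startswith("deny"):
        return None
    if fields.get("ftype") != "text/plain":
        return None
    parts = fields.get("path", "").split("/")
    for i, component in enumerate(parts):
        if component.startswith("foreman-ssh-cmd-"):
            working_dir = "/".join(parts[:i]) + "/"
            return f"allow perm=any all : ftype=text/plain dir={working_dir}"
    return None


def rules_from_log(lines):
    """Collect distinct suggested rules from many debug lines, in first-seen order."""
    rules = []
    for line in lines:
        rule = suggest_allow_rule(parse_debug_line(line))
        if rule is not None and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    # Prints the two rules shown in the Resolution section, one per line.
    for rule in rules_from_log(SAMPLE_DEBUG_LINES):
        print(rule)
```

Feed it the real debug output from the affected host instead of the constructed lines and paste the result into /etc/fapolicyd/rules.d/25-custom.rules, then apply it with the commands from the Resolution section. Because `dir=` in fapolicyd matches everything beneath that directory, the generated rule is deliberately limited to the working directory reported in the denial and to `ftype=text/plain`; it does not widen the allow to the whole of /var.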

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.