Remove dependency on unconfined selinux module #172
Apologies for the late response.
Looking at the thread, the Smart Proxy service ends up running unconfined and I'd say that in most setups we have that running on the same machine. Can you tell me why you don't want to depend on the unconfined service?
Today we don't really support the foreman-proxy SELinux module and nobody is working on completing it so I'm not sure we can improve this.
As part of our security policy, we disable the unconfined module on all systems. Because the policy is dependent on the unconfined module, we are unable to install it on the server or a smart proxy. When we encounter applications that do not work correctly without the unconfined module, we will create auxiliary modules to correct any issues. We prefer to leverage the upstream modules that are provided when they exist. We cannot leverage the foreman-selinux without patching the policy and rebuilding the rpm. The comment regarding the dependency on the unconfined module states it is a temporary policy to prevent excess logging. We are proposing this temporary policy become optional for those like us who want to disable the unconfined module.
That helps to understand this.
I'm happy to merge patches to address this. Today it's not supported because it's not finished (#168 sort of proves that).
That's fine by me. And I suspect that if you do run foreman-proxy within a policy you may not need to connect to unconfined TCP sockets, though I don't think there's a policy for puppetserver either which could shift the problem where foreman-proxy connects to an unconfined service. To move this forward, could you please open a Redmine issue on https://projects.theforeman.org/projects/selinux and link it here?
I'd have expected to send an email, but I've now activated your user.
I thought I had it configured not to require activation at all if you login via GitHub 🤔
Following up to see if anything else is needed to move this request forward.
I just kicked off CI. @evgeni any objections?
Thanks @matthewdva!
Moved the temporary rule to prevent dontaudit denies during startup to an optional policy. This change removed the dependence on the unconfined SELinux module.
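As an added illustration of the technique the PR describes (not the foreman-selinux project's own policy), the fragment below shows a refpolicy-style module rule that hard-depends on `unconfined_t` beside the same rule wrapped in `optional_policy()`. The domain name `foreman_proxy_t`, the `tcp_socket` rule body and the module name are constructed for this example.

```m4
# Constructed example module, not foreman-selinux source.
policy_module(example_proxy, 1.0.0)

type foreman_proxy_t;

# BEFORE: hard dependency. gen_require() at module scope makes the whole
# module fail to link when the unconfined module is disabled, because
# unconfined_t is then not declared anywhere in the loaded policy.
# (Shown commented out; a real module keeps only one of the two forms.)
#
# gen_require(`
#     type unconfined_t;
# ')
# allow foreman_proxy_t unconfined_t:tcp_socket { read write };

# AFTER: the same rule inside optional_policy(). The policy linker keeps the
# block only when every type named in its gen_require() exists, so the
# module loads cleanly whether or not the unconfined module is installed.
optional_policy(`
    gen_require(`
        type unconfined_t;
    ')
    # Temporary rule to avoid dontaudit denials during startup (constructed).
    allow foreman_proxy_t unconfined_t:tcp_socket { read write };
')

# Defender-side check after installing the module (setools `sesearch`):
#   unconfined module enabled  -> the rule is present:
#     sesearch -A -s foreman_proxy_t -t unconfined_t -c tcp_socket
#   unconfined module disabled -> the module still loads and the query
#     returns nothing, which is the intended behaviour.
```

Disabling the unconfined module with `semodule -d unconfined` and re-running `semodule -i` on the compiled `.pp` is the practical test that the hard dependency is gone.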