Bug 1078265

Summary:	katello-installer generates AVC: denied { name_connect } for scontext=passenger_t:s0 tcontext=:websm_port_t:s0 tclass=tcp_socket
Product:	Red Hat Satellite	Reporter:	Jan Hutař <jhutar>
Component:	SELinux	Assignee:	Lukas Zapletal <lzap>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Jan Hutař <jhutar>
Severity:	medium	Docs Contact:
Priority:	high
Version:	Nightly	CC:	cwelton, dcleal, dsulliva, elavarde, jmontleo, mmccune, omaciel
Target Milestone:	Unspecified	Keywords:	Triaged
Target Release:	Unused
Hardware:	Unspecified
OS:	Unspecified
URL:	http://projects.theforeman.org/issues/5827
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-09-11 12:22:01 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jan Hutař 2014-03-19 13:57:32 UTC

Description of problem:
katello-installer generates AVCs


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-6-20140318.3


How reproducible:
always


Steps to Reproduce:
1. # katello-installer
2. # katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders 10.16.36.29 --capsule-dns-forwarders 10.11.5.19 --capsule-dns-forwarders 10.5.30.160 --capsule-dns-interface eth0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface eth0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false


Actual results:
=== katello-installer ===
SELinux: 2048 avtab hash slots, 278892 rules.
SELinux: 2048 avtab hash slots, 278892 rules.
SELinux:  9 users, 12 roles, 3937 types, 220 bools, 1 sens, 1024 cats
SELinux:  81 classes, 278892 rules

=== katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders 10.16.36.29 --capsule-dns-forwarders 10.11.5.19 --capsule-dns-forwarders 10.5.30.160 --capsule-dns-interface eth0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface eth0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false ===
time->Sun Mar 16 17:17:03 2014
type=SYSCALL msg=audit(1395004623.756:191): arch=c000003e syscall=42 success=no exit=-111 a0=f a1=7f5cc05faf00 a2=1c a3=ff00 items=0 ppid=23315 pid=23863 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1395004623.756:191): avc:  denied  { name_connect } for  pid=23863 comm="ruby" dest=9090 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:websm_port_t:s0 tclass=tcp_socket
Fail: AVC messages found.


Expected results:
No AVCs should be generated


Additional info:
This is most probably a known issue, but filling it as I have not seen it anywhere.

Comment 1 RHEL Program Management 2014-03-19 14:15:14 UTC

Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 3 Dominic Cleal 2014-05-20 15:20:51 UTC

Created redmine issue http://projects.theforeman.org/issues/5827 from this bug

Comment 4 Bryan Kearney 2014-05-23 15:46:43 UTC

Upstream bug assigned to lzap

Comment 5 Lukas Zapletal 2014-05-26 13:59:02 UTC

Fixed upstream, PR pending review.

Comment 7 Bryan Kearney 2014-06-02 12:06:20 UTC

Moving to POST since upstream bug http://projects.theforeman.org/issues/5827 has been closed

Comment 9 Corey Welton 2014-06-20 15:44:30 UTC

Seeing this in latest build Satellite-6.0.3-RHEL-6-20140619.0.  Still related to installer?

type=AVC msg=audit(1403208049.892:2114): avc:  denied  { name_connect } for  pid=18332 comm="ruby" dest=9200 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1403208049.892:2114): arch=c000003e syscall=42 success=no exit=-111 a0=f a1=7f063cdbc050 a2=1c a3=ff00 items=0 ppid=1 pid=18332 auid=0 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=19 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)

reopening for consideration.

Comment 10 Jan Hutař 2014-06-24 10:32:49 UTC

I have reported bug 1112607 as well (includes this and 4 other AVCs generated by katello-installer).

Comment 11 Lukas Zapletal 2014-06-24 15:13:18 UTC

The package did not contain my patch.

Jason please make sure you rebase foreman-selinux from latest develop upstream branch. Thanks.

Comment 12 Lukas Zapletal 2014-06-25 10:20:21 UTC

*** Bug 1104270 has been marked as a duplicate of this bug. ***

Comment 17 Bryan Kearney 2014-09-11 12:22:01 UTC

This was delivered with Satellite 6.0 which was released on 10 September 2014.

Comment 21 Dave Sullivan 2014-12-26 20:04:14 UTC

https://bugzilla.redhat.com/show_bug.cgi?id=1177377