Bug 1107684

Summary: AVC denied { read } for comm="ruby" name="migrate" dev=dm-0 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file
Product: Red Hat Satellite
Reporter: Bryan Kearney <bkearney>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Og Maciel <omaciel>
Severity: medium
Priority: unspecified
Version: 6.0.3
CC: bbuckingham, jmontleo, omaciel
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/5808
Doc Type: Bug Fix
Last Closed: 2014-09-11 12:28:03 UTC

Description Bryan Kearney 2014-06-10 12:47:14 UTC
With a fresh install of Foreman develop on RHEL 6.5 using

https://github.com/sstephenson/bats.git

https://github.com/theforeman/foreman-bats.git

https://raw.github.com/theforeman/foreman-bats/master/bootstrap.sh

I then see an AVC denial

type=SYSCALL msg=audit(1400573528.296:205): arch=c000003e syscall=2 success=yes exit=8 a0=8a351a0 a1=90800 a2=8a35100 a3=2 items=0 ppid=32008 pid=32011 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1400573528.296:205): avc:  denied  { read } for  pid=32011 comm="ruby" name="migrate" dev=dm-0 ino=661342 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file

after restart of Apache.
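
Added example (not part of the original report or of the Foreman project): a small Python triage script that pairs the SYSCALL and AVC records above by their shared audit event id, derives the candidate allow rule from the source and target types, and flags a denial that was logged but not enforced (success=yes on the syscall, the pattern permissive mode produces). The function names and the shortened SYSCALL record are assumptions made for this example.

```python
import re

# The two audit records from the description (SYSCALL record shortened to the fields used).
SAMPLE = """\
type=SYSCALL msg=audit(1400573528.296:205): arch=c000003e syscall=2 success=yes exit=8 pid=32011 uid=497 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1400573528.296:205): avc:  denied  { read } for  pid=32011 comm="ruby" name="migrate" dev=dm-0 ino=661342 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_events(text):
    """Group records by audit event id (timestamp:serial) -> {record type: fields}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            v = VERDICT.search(body)
            if not v:
                continue  # malformed AVC record
            fields["result"], fields["perms"] = v.group(1), v.group(2).split()
        # Simplification: one record of each type is kept per event.
        events.setdefault(event_id, {})[rtype] = fields
    return events

def triage(text):
    """Return one finding per denied AVC, with the rule audit2allow-style tools would suggest."""
    findings = []
    for event_id, recs in parse_events(text).items():
        avc = recs.get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        # A context is user:role:type:level; policy rules are written on the type.
        source, target = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = avc["perms"]
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        findings.append({
            "event": event_id,
            "rule": f"allow {source} {target}:{avc['tclass']} {perm};",
            "object": avc.get("name"),
            # Syscall succeeded although the AVC says denied: the denial was only logged.
            "not_enforced": recs.get("SYSCALL", {}).get("success") == "yes",
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```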

Comment 1 Bryan Kearney 2014-06-10 12:47:17 UTC
Created from redmine issue http://projects.theforeman.org/issues/5808

Comment 2 Bryan Kearney 2014-06-10 12:47:24 UTC
Upstream bug assigned to lzap

Comment 3 Bryan Kearney 2014-06-10 13:03:57 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/5808 has been closed

Comment 6 Og Maciel 2014-09-02 20:05:52 UTC
VERIFIED by QE:

Browser:
=====
* Firefox 31.0 (MacOS)

Build:  
====
* Satellite-6.0.4-RHEL-6-20140829.0

Packages:
======
* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.23-1.el6_5.noarch
* candlepin-common-1.0.1-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.23-1.el6_5.noarch
* candlepin-tomcat6-0.9.23-1.el6_5.noarch
* elasticsearch-0.90.10-6.el6sat.noarch
* foreman-1.6.0.42-1.el6sat.noarch
* foreman-compute-1.6.0.42-1.el6sat.noarch
* foreman-gce-1.6.0.42-1.el6sat.noarch
* foreman-libvirt-1.6.0.42-1.el6sat.noarch
* foreman-ovirt-1.6.0.42-1.el6sat.noarch
* foreman-postgresql-1.6.0.42-1.el6sat.noarch
* foreman-proxy-1.6.0.30-1.el6sat.noarch
* foreman-selinux-1.6.0.14-1.el6sat.noarch
* foreman-vmware-1.6.0.42-1.el6sat.noarch
* katello-1.5.0-30.el6sat.noarch
* katello-ca-consumer-cloud-qe-10.idmqe.lab.eng.bos.redhat.com-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el6sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.23-32.el6_4.1.x86_64
* pulp-katello-0.3-4.el6sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el6sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el6sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el6sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el6sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el6sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el6sat.noarch
* pulp-server-2.4.1-0.5.rc1.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* rubygem-hammer_cli-0.1.1-12.el6sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el6sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el6sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el6sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el6sat.noarch

Comment 7 Bryan Kearney 2014-09-11 12:28:03 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.