Bug 1112607
Summary: | Foreman-tasks EXECMEM denial | |||
---|---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Jan Hutař <jhutar> | |
Component: | SELinux | Assignee: | Lukas Zapletal <lzap> | |
Status: | CLOSED ERRATA | QA Contact: | Corey Welton <cwelton> | |
Severity: | medium | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 6.0.3 | CC: | bbuckingham, cwelton, ehelms, sthirugn | |
Target Milestone: | Unspecified | Keywords: | Triaged | |
Target Release: | Unused | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
URL: | http://projects.theforeman.org/issues/7178 | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1134543 1656716 (view as bug list) | Environment: | ||
Last Closed: | 2015-08-12 05:09:53 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1134543, 1656716 |
Description
Jan Hutař
2014-06-24 10:25:07 UTC
All these bugs should be covered in the upcoming build, except the EXECMEM which we hesitate to add. It looks like passenger does work without this selinux rule. We will monitor that. I see the bug moved to 6.0.4, we will reevaluate this and eventually we can do dontaudit rule for this one. Moving to POST since upstream bug http://projects.theforeman.org/issues/7178 has been closed ------------- Lukas Zapletal Scratch that for RHEL7, after investigation from this evening with Jason and Og, it turns out it is not passenger but foreman-tasks what causes this denial. And it does not start without this. We run foreman-tasks (dynflow process) in passenger_t because it boots whole foreman to do its work. We need to allow this rule. It does work in RHEL6 but in RHEL7 it does not start. Permissive only gives this denial and enforcing stops tasks from coming up. Allowing this rule proceeds. <pre>service foreman-tasks start Redirecting to /bin/systemctl start foreman-tasks.service Job for foreman-tasks.service failed. See 'systemctl status foreman-tasks.service' and 'journalctl -xn' for details. [root@el7-smoketest ~]# vi log [root@el7-smoketest ~]# audit2allow -m passenger-execmem < log module passenger-execmem 1.0; require { type passenger_t; class process execmem; } #============= passenger_t ============== allow passenger_t self:process execmem; You have new mail in /var/spool/mail/root [root@el7-smoketest ~]# audit2allow -M passenger-execmem < log ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i passenger-execmem.pp [root@el7-smoketest ~]# semodule -i passenger-execmem.pp [root@el7-smoketest ~]# getenforce Enforcing [root@el7-smoketest ~]# service foreman-tasks start Redirecting to /bin/systemctl start foreman-tasks.service You have new mail in /var/spool/mail/root [root@el7-smoketest ~]# cat log type=AVC msg=audit(1408565585.751:711): avc: denied { execmem } for pid=52386 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process [root@el7-smoketest ~]# systemctl status foreman-tasks foreman-tasks.service - Foreman jobs daemon Loaded: loaded (/usr/lib/systemd/system/foreman-tasks.service; enabled) Active: active (running) since Wed 2014-08-20 16:22:15 EDT; 22s ago Docs: https://github.com/iNecas/foreman-tasks Process: 52738 ExecStop=/usr/bin/foreman-tasks stop (code=exited, status=134) Process: 54593 ExecStart=/usr/bin/foreman-tasks start (code=exited, status=0/SUCCESS) CGroup: /system.slice/foreman-tasks.service ├─54635 dynflow_executor └─54637 dynflow_executor_monitor Aug 20 16:20:56 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:20:59 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:20:59 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:22:14 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:22:15 el7-smoketest.sat6.lab.eng.bos.redhat.com systemd[1]: Started Fo... Hint: Some lines were ellipsized, use -l to show in full.</pre> ------------- Anonymous Applied in changeset commit:d867377e56451fc43030a30958499d34e6f4e485. We need to investigate this more. It looks like it's not the Satellite 6 (passenger) instance who throws that, but foreman-tasks which is running in the same domain (passenger_t) for obvious reasons (it boots up whole satellite 6 rails environment thus it needs to be in the same domain). It looks like less-rails -> therubyracer -> v8 is the root cause but we don't know why and what does it compile. Maybe the environment is not the same as when we start Rails the normal way thus it does not find all the files? Verified * apr-util-ldap-1.3.9-3.el6_0.1.x86_64 * candlepin-0.9.32-1.el6.noarch * candlepin-common-1.0.8-1.el6.noarch * candlepin-selinux-0.9.32-1.el6.noarch * candlepin-tomcat6-0.9.32-1.el6.noarch * elasticsearch-0.90.10-7.el6.noarch * foreman-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-compute-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-gce-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-libvirt-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-ovirt-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-postgresql-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-proxy-1.7.0-0.develop.201410101404git7961640.el6.noarch * foreman-release-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-selinux-1.7.0-0.develop.201409301113git2f345de.el6.noarch * foreman-vmware-1.7.0-0.develop.201410150839gitb948163.el6.noarch * katello-2.1.0-1.201410161306gite21feb2.el6.noarch * katello-certs-tools-2.0.1-1.el6.noarch * katello-default-ca-1.0-1.noarch * katello-installer-2.1.0-1.201410151311git9100203.el6.noarch * katello-repos-2.1.1-1.el6.noarch * katello-server-ca-1.0-1.noarch * openldap-2.4.23-32.el6_4.1.x86_64 * pulp-docker-plugins-0.2.1-0.2.beta.el6.noarch * pulp-katello-0.3-3.el6.noarch * pulp-nodes-common-2.5.0-0.7.beta.el6.noarch * pulp-nodes-parent-2.5.0-0.7.beta.el6.noarch * pulp-puppet-plugins-2.5.0-0.7.beta.el6.noarch * pulp-puppet-tools-2.5.0-0.7.beta.el6.noarch * pulp-rpm-plugins-2.5.0-0.7.beta.el6.noarch * pulp-selinux-2.5.0-0.7.beta.el6.noarch * pulp-server-2.5.0-0.7.beta.el6.noarch * python-ldap-2.3.10-1.el6.x86_64 * ruby193-rubygem-ldap_fluff-0.3.2-1.el6.noarch * ruby193-rubygem-net-ldap-0.3.1-2.el6.noarch * ruby193-rubygem-runcible-1.2.0-1.el6.noarch * rubygem-hammer_cli-0.1.3-1.201409240954gitf3c47c7.el6.noarch * rubygem-hammer_cli_foreman-0.1.3-1.201410151235gitbc8c449.el6.noarch * rubygem-hammer_cli_foreman_tasks-0.0.3-2.201409091410gitc96619d.git.0.37f3704.el6.noarch * rubygem-hammer_cli_import-0.10.4-1.el6.noarch * rubygem-hammer_cli_katello-0.0.6-1.201410161327gite14cd51.git.0.a8188a8.el6.noarch This bug is slated to be released with Satellite 6.1. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592 |