Bug 1115958

Summary: AVCs on RHEL7 while configuring capsule
Product: Red Hat Satellite
Reporter: Jan Hutař <jhutar>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Og Maciel <omaciel>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.0.3
CC: bbuckingham, jmontleo, omaciel, sthirugn
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/7034
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-11 12:21:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Hutař 2014-07-03 11:58:24 UTC
Description of problem:
When you attempt to configure capsule/smart proxy on Sat6 on RHEL7, some SELinux AVC denials appear.


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-7-20140702.0
selinux-policy-targeted-3.12.1-153.el7.noarch


How reproducible:
1 of 1


Steps to Reproduce:
1. # katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip>  --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false


Actual results:
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:413): arch=c000003e syscall=4 success=yes exit=0 a0=7f1578002eb8 a1=7f1578002e00 a2=7f1578002e00 a3=2 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:413): avc:  denied  { getattr } for  pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:414): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=700000014 a3=c9bc90 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:414): avc:  denied  { block_suspend } for  pid=79240 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:415): arch=c000003e syscall=2 success=yes exit=17 a0=7fb3ecb43500 a1=0 a2=1b6 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:415): avc:  denied  { open } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc:  denied  { read } for  pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:416): arch=c000003e syscall=16 success=no exit=-25 a0=11 a1=5401 a2=7fb3f53b1ea0 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:416): avc:  denied  { ioctl } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


Expected results:
No AVCs


Additional info:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

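The denials quoted under "Actual results" can be triaged without audit2allow by grouping them the way policy would express them: source type, target type, object class, and the set of permissions. The following Python is an added example, not part of this bug report and not code from foreman-selinux. Its input is constructed from the five AVC records above (the SYSCALL records are omitted); the list of generic types and all function names are my own choices, not anything the report or the project defines.

```python
"""Summarize SELinux AVC denials the way a triager would before touching policy.

Added example; not part of the bug report or of foreman-selinux.  The sample
records below are the AVC lines quoted in the report (SYSCALL records dropped).
"""
import re
from collections import defaultdict

# AVC records copied from the report's "Actual results" section (constructed input).
SAMPLE_AVCS = """\
type=AVC msg=audit(1404367896.544:413): avc:  denied  { getattr } for  pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.544:414): avc:  denied  { block_suspend } for  pid=79240 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
type=AVC msg=audit(1404367896.644:415): avc:  denied  { open } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc:  denied  { read } for  pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:416): avc:  denied  { ioctl } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

# Only AVC records carry "avc:  denied  { perms } for ..."; SYSCALL records do not match.
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
# key=value pairs; values are either quoted strings or runs of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Generic (non application-specific) types from the reference policy.  A confined
# domain hitting one of these under its own directory usually means the files never
# got their application label (missing fcontext rule or no restorecon after creation).
GENERIC_TYPES = {"var_run_t", "var_lib_t", "var_log_t", "etc_t", "tmp_t", "default_t"}


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def selinux_type(context):
    """'system_u:system_r:passenger_t:s0' -> 'passenger_t' (the third field)."""
    return context.split(":")[2]


def summarize(lines):
    """Group denials audit2allow-style: (source, target, class) -> permission set.

    Denials where scontext equals tcontext are reported against 'self', as policy
    would write them.  Also records what was touched, so labels can be checked.
    """
    rules = defaultdict(set)
    targets = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        src = selinux_type(avc["scontext"])
        tgt = "self" if avc["scontext"] == avc["tcontext"] else selinux_type(avc["tcontext"])
        key = (src, tgt, avc["tclass"])
        rules[key].update(avc["perms"])
        # The 'read' record above carries only name=, not path=; keep whichever exists.
        where = avc.get("path") or avc.get("name") or avc.get("capability")
        if where:
            targets[key].add(where)
    return rules, targets


def format_rules(rules):
    """Render the grouped denials as sorted 'allow' statements, one per line."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out


def suspect_mislabels(rules, targets):
    """Flag file denials whose target still carries a generic type.

    Allowing the domain access to the generic type would over-grant (every file of
    that type on the system), so the preferred fix is relabeling, not an allow rule.
    """
    return [(src, tgt, sorted(paths))
            for (src, tgt, cls), paths in sorted(targets.items())
            if cls == "file" and tgt in GENERIC_TYPES]


def triage(text):
    """Run the whole pipeline over raw audit text; returns (allow_lines, findings)."""
    rules, targets = summarize(text.splitlines())
    return format_rules(rules), suspect_mislabels(rules, targets)


if __name__ == "__main__":
    allow_lines, findings = triage(SAMPLE_AVCS)
    for r in allow_lines:
        print(r)
    for src, tgt, paths in findings:
        print(f"# {src} -> generic {tgt}; check labels on: {', '.join(paths)}")
```

Run on the report's records this yields two statements, `allow passenger_t self:capability2 block_suspend;` and `allow passenger_t var_run_t:file { getattr ioctl open read };`, and flags the second: the files under /run/foreman carry the generic var_run_t type, which is what a missing file-context entry looks like. That is the reading a triager would want before reaching for audit2allow, since an allow rule against var_run_t would let passenger_t read every runtime file on the host rather than just Foreman's own.
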
Comment 2 Lukas Zapletal 2014-08-12 07:16:46 UTC
Jan, do you have foreman-selinux package installed?

From the AVC denials, I can see that there must be a Foreman application running on this host. But you say you are installing Capsule. I don't get it. You are not allowed to install Capsules on hosts with Satellite 6 (there are some port interferences).

Comment 5 Lukas Zapletal 2014-08-12 08:36:15 UTC
Fixing in http://projects.theforeman.org/issues/7034

Comment 6 Bryan Kearney 2014-08-12 16:03:21 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7034 has been closed
-------------
Lukas Zapletal
https://github.com/theforeman/foreman-selinux/pull/26
-------------
Anonymous
Applied in changeset commit:7b9410507203c9c5f58283bc39f5da8ee8a92608.

Comment 8 Og Maciel 2014-09-02 19:58:42 UTC
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:  
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch

Comment 10 Bryan Kearney 2014-09-11 12:21:40 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.