Bug 1127284

Summary: various SELinux AVCs when installing capsule
Product: Red Hat Satellite
Reporter: Jan Hutař <jhutar>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Kedar Bidarkar <kbidarka>
Severity: high
Priority: unspecified
Version: 6.0.3
CC: bkearney, inecas, kbidarka, sthirugn
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-09-11 12:22:47 UTC
Type: Bug

Description Jan Hutař 2014-08-06 14:18:27 UTC
Description of problem:
There are various SELinux AVCs when installing capsule


Version-Release number of selected component (if applicable):
  Compose:
    Satellite-6.0.4-RHEL-7-20140730.0
  Packages:
    candlepin-selinux-0.9.19-1.el7.noarch
    foreman-selinux-1.6.0.4-1.el7sat.noarch
    pulp-selinux-2.4.0-0.23.beta.el7sat.noarch
    selinux-policy-targeted-3.12.1-153.el7.noarch


How reproducible:
1 of 1


Steps to Reproduce:
1. # katello-installer --foreman-admin-email '<email>' --foreman-admin-username '<user>' --foreman-admin-password '<pass>'
2. # katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip29> --capsule-dns-forwarders <ip19> --capsule-dns-forwarders <ip160>  --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false


Actual results:
time->Wed Aug  6 08:04:52 2014
type=SYSCALL msg=audit(1407326692.817:387): arch=c000003e syscall=4 success=yes exit=0 a0=7f0548002ed8 a1=7f0548002e20 a2=7f0548002e20 a3=0 items=0 ppid=12633 pid=12646 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1407326692.817:387): avc:  denied  { getattr } for  pid=12646 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=152808 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Aug  6 08:04:52 2014
type=SYSCALL msg=audit(1407326692.817:388): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=700000014 a3=a26c90 items=0 ppid=12633 pid=12646 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1407326692.817:388): avc:  denied  { block_suspend } for  pid=12646 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
----
time->Wed Aug  6 08:04:52 2014
type=SYSCALL msg=audit(1407326692.887:389): arch=c000003e syscall=4 success=yes exit=0 a0=7f66fcb071f0 a1=7f670bad5060 a2=7f670bad5060 a3=7f671dbd43e0 items=0 ppid=16036 pid=16938 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1407326692.887:389): avc:  denied  { getattr } for  pid=16938 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=172577 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Aug  6 08:04:52 2014
type=SYSCALL msg=audit(1407326692.887:390): arch=c000003e syscall=2 success=yes exit=17 a0=7f66fcb071f0 a1=0 a2=1b6 a3=0 items=0 ppid=16036 pid=16938 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1407326692.887:390): avc:  denied  { open } for  pid=16938 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=172577 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1407326692.887:390): avc:  denied  { read } for  pid=16938 comm="ruby" name="entries_per_page" dev="tmpfs" ino=172577 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Wed Aug  6 08:04:52 2014
type=SYSCALL msg=audit(1407326692.887:391): arch=c000003e syscall=16 success=no exit=-25 a0=11 a1=5401 a2=7f670bad4ea0 a3=0 items=0 ppid=16036 pid=16938 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1407326692.887:391): avc:  denied  { ioctl } for  pid=16938 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=172577 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


Expected results:
No AVCs should be logged

Comment 2 Lukas Zapletal 2014-08-27 13:46:17 UTC
With latest snap and build I don't see any problems, except the following harmless denial which is a file handler leak in puppet (we will mask this denial for Satellite 6.1):

time->Wed Aug 27 09:15:56 2014
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 a0=3366d00 a1=16d4d30 a2=0 a3=12 items=0 ppid=4708 pid=4725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

foreman-selinux-1.6.0.9-1.el6sat.noarch

Putting this to ON_QA.

If this fails verification, please provide:

getenforce

semodule -l | grep foreman

ps axuwZ

ausearch -m AVC -m USER_AVC

foreman-selinux-relabel -nv
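The AVC records quoted in the description and in this comment, run through a small triage script (added here; it is not part of the bug report or of foreman-selinux). It parses `ausearch -m AVC`-style output, correlates AVC with SYSCALL records by audit serial, groups denials by source type, target type and object class, and flags the two patterns visible on this page: a denial whose SYSCALL is execve (the leaked descriptor in this comment) and a target carrying a generic label such as var_run_t (the /run/foreman files in the description). The generic-label set and the hint texts are my heuristics, not policy facts.

```python
import re
from collections import defaultdict
# Constructed sample: records copied from this report, trimmed to the fields used here;
# the SYSCALL line and the last AVC share serial 172 exactly as in Comment 2.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1407326692.817:387): avc:  denied  { getattr } for  pid=12646 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=152808 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1407326692.817:388): avc:  denied  { block_suspend } for  pid=12646 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
type=AVC msg=audit(1407326692.887:390): avc:  denied  { open } for  pid=16938 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=172577 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1407326692.887:390): avc:  denied  { read } for  pid=16938 comm="ruby" name="entries_per_page" dev="tmpfs" ino=172577 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 comm="load_policy" exe="/sbin/load_policy"
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
"""
HEAD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Generic target labels usually point at a missing file-context rule (heuristic, not proof).
GENERIC_TYPES = {'var_run_t', 'var_t', 'tmp_t', 'user_tmp_t', 'var_lib_t', 'etc_t'}
EXECVE_X86_64 = '59'  # syscall number of execve when arch=c000003e
def kv(s):  # 'pid=1 comm="x" dev=vda1' -> dict; quoted and bare values both handled
    return {k: q or b for k, q, b in KV_RE.findall(s)}

def parse_records(text):
    """Group denied-AVC and SYSCALL records by audit serial so they can be correlated."""
    by_serial = defaultdict(lambda: {'avc': [], 'syscall': None})
    for line in text.splitlines():
        h = HEAD_RE.match(line.strip())
        if not h:
            continue  # '----', 'time->' and other non-audit lines
        if h['type'] == 'SYSCALL':
            by_serial[h['serial']]['syscall'] = kv(h['body'])
        elif h['type'] == 'AVC' and (a := AVC_RE.match(h['body'])):  # granted AVCs are skipped
            rec = kv(a['kv'])
            rec['perms'] = set(a['perms'].split())
            by_serial[h['serial']]['avc'].append(rec)
    return by_serial

def triage(text):
    """Return {(source type, target type, class): {'perms', 'hint'}} for every denial."""
    out = {}
    for grp in parse_records(text).values():
        sc = grp['syscall'] or {}
        for rec in grp['avc']:
            key = (rec['scontext'].split(':')[2], rec['tcontext'].split(':')[2], rec['tclass'])
            entry = out.setdefault(key, {'perms': set(), 'hint': 'no heuristic matched; review against policy'})
            entry['perms'] |= rec['perms']
            if sc.get('arch') == 'c000003e' and sc.get('syscall') == EXECVE_X86_64:
                entry['hint'] = 'descriptor leaked across execve; dontaudit candidate'
            elif rec['tclass'] == 'file' and key[1] in GENERIC_TYPES:
                entry['hint'] = 'generic target label; check file contexts and relabel'
    return out
```

On a live host the same function can be fed the output of `ausearch -m AVC -m USER_AVC` listed above; the serial correlation only works when the SYSCALL records are included, which ausearch does by default.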

Comment 3 Lukas Zapletal 2014-08-27 13:56:09 UTC
*** Bug 1111567 has been marked as a duplicate of this bug. ***

Comment 4 Kedar Bidarkar 2014-09-03 09:38:25 UTC
Tested with Sat6-GA-snap7 on RHEL7.

No SELinux AVCs seen when installing capsule.

Installed Packages

    candlepin-0.9.23-1.el7.noarch
    candlepin-common-1.0.1-1.el7.noarch
    candlepin-guice-3.0-2_redhat_1.el7.noarch
    candlepin-scl-1-5.el7.noarch
    candlepin-scl-quartz-2.1.5-6.el7.noarch
    candlepin-scl-rhino-1.7R3-3.el7.noarch
    candlepin-scl-runtime-1-5.el7.noarch
    candlepin-selinux-0.9.23-1.el7.noarch
    candlepin-tomcat-0.9.23-1.el7.noarch
    elasticsearch-0.90.10-6.el7sat.noarch
    katello-1.5.0-30.el7sat.noarch
    katello-certs-tools-1.5.6-1.el7sat.noarch
    katello-default-ca-1.0-1.noarch
    katello-installer-0.0.64-1.el7sat.noarch
    katello-server-ca-1.0-1.noarch
    pulp-katello-0.3-4.el7sat.noarch
    pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
    pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
    pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
    pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
    pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
    pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
    pulp-server-2.4.1-0.5.rc1.el7sat.noarch
    python-gofer-qpid-1.3.0-1.el7sat.noarch
    python-isodate-0.5.0-1.pulp.el7sat.noarch
    python-kombu-3.0.15-12.pulp.el7sat.noarch
    python-pulp-bindings-2.4.1-0.5.rc1.el7sat.noarch
    python-pulp-common-2.4.1-0.5.rc1.el7sat.noarch
    python-pulp-puppet-common-2.4.1-0.5.rc1.el7sat.noarch
    python-pulp-rpm-common-2.4.1-0.6.beta.el7sat.noarch
    python-qpid-0.22-15.el7.noarch
    python-qpid-qmf-0.22-37.el7.x86_64
    qpid-cpp-client-0.22-42.el7.x86_64
    qpid-cpp-server-0.22-42.el7.x86_64
    qpid-cpp-server-linearstore-0.22-42.el7.x86_64
    qpid-java-client-0.22-7.el7.noarch
    qpid-java-common-0.22-7.el7.noarch
    qpid-proton-c-0.7-2.el7.x86_64
    qpid-qmf-0.22-37.el7.x86_64
    qpid-tools-0.22-13.el7.noarch
    ruby193-rubygem-katello-1.5.0-86.el7sat.noarch
    rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
    rubygem-smart_proxy_pulp-1.0.1-1.1.el7sat.noarch


[root@zzzz ~]# rpm -qav | grep -i selinux
selinux-policy-targeted-3.12.1-153.el7.noarch
pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
candlepin-selinux-0.9.23-1.el7.noarch
selinux-policy-3.12.1-153.el7.noarch
libselinux-2.2.2-6.el7.x86_64
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-utils-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
foreman-selinux-1.6.0.14-1.el7sat.noarch

Comment 5 Bryan Kearney 2014-09-11 12:22:47 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.