Bug 1129094

Summary: SELinux AVCs when installing on RHEL 6.6
Product: Red Hat Satellite
Reporter: Jan Hutař <jhutar>
Component: SELinux
Assignee: Jason Montleon <jmontleo>
Status: CLOSED ERRATA
QA Contact: Tazim Kolhar <tkolhar>
Severity: high
Priority: unspecified
Version: 6.0.3
CC: cwelton, jmontleo, sthirugn
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/7051
Doc Type: Bug Fix
Last Closed: 2015-08-12 05:14:03 UTC
Type: Bug
Bug Depends On: 1127773

Description Jan Hutař 2014-08-12 08:48:22 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. # yum install -y katello foreman-libvirt foreman-ovirt foreman-compute foreman-vmware
2. # katello-installer --interactive   # but used all the defaults there


Actual results:
# cat /var/log/audit/audit.log | audit2allow 


#============= passenger_t ==============
#!!!! The source type 'passenger_t' can write to a 'dir' of the following types:
# puppet_var_lib_t, passenger_tmp_t, passenger_log_t, passenger_var_lib_t, passenger_var_run_t, mnt_t, tmp_t, puppet_log_t, var_run_t, var_log_t, cluster_conf_t, foreman_var_run_t, httpd_tmp_t, cluster_var_lib_t, cluster_var_run_t, foreman_lib_t, root_t

allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t self:process execmem;

#============= prelink_mask_t ==============
allow prelink_mask_t lib_t:file { relabelto unlink };
allow prelink_mask_t postfix_public_t:fifo_file { read write };
allow prelink_mask_t qpidd_var_lib_t:file write;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;


Expected results:
No AVCs at all, although I do understand these prelink ones are probably not Satellite 6 business - do not know.
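An added example, not code from the bug report or from the Foreman project: a small Python checker that parses audit2allow output like the listing above, separates denials whose source domain the product policy (foreman-selinux) owns from those belonging to the base policy, and flags execute/execmem grants, which are the ones worth a second look before anyone turns them into a local module. The sample input is a constructed excerpt of the listing above, and the owned-domain list is an assumption for the example.

```python
import re

# Constructed sample input: the audit2allow output quoted in the bug description.
SAMPLE = """\
#============= passenger_t ==============
allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t self:process execmem;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
"""

# One audit2allow rule: "allow SRC TGT:CLASS PERM;" or "allow SRC TGT:CLASS { P1 P2 };"
RULE_RE = re.compile(r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
                     r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+?))\s*;\s*$")

# Domains whose denials the product policy (foreman-selinux) must fix; assumed list.
OWNED_DOMAINS = frozenset({"passenger_t", "foreman_t", "foreman_proxy_t"})
# Permissions that widen the attack surface and deserve review wherever they appear.
HIGH_RISK = frozenset({("process", "execmem"), ("file", "execute"), ("file", "execute_no_trans")})


def parse_rules(text):
    """Return (source, target, class, frozenset(perms)) for each allow rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # audit2allow commentary and section headers, not rules
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised audit2allow line: %r" % line)
        perms = m.group("perms").split() if m.group("perms") else [m.group("perm")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms)))
    return rules


def triage(text, owned=OWNED_DOMAINS):
    """Bucket denials: 'owned' must be fixed in the product policy, 'other' lies
    with the base policy; 'high_risk' lists execute/execmem grants from either."""
    report = {"owned": [], "other": [], "high_risk": []}
    for rule in parse_rules(text):
        src, _tgt, cls, perms = rule
        report["owned" if src in owned else "other"].append(rule)
        if any((cls, p) in HIGH_RISK for p in perms):
            report["high_risk"].append(rule)
    return report
```

Feeding `triage` the output of `audit2allow < /var/log/audit/audit.log` after an install turns the "no AVCs at all" expectation into a check that fails as soon as any bucket is non-empty.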

Comment 4 Lukas Zapletal 2014-08-12 09:18:48 UTC
The following denials

allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;

will be fixed here

http://projects.theforeman.org/issues/7036

For this one:

allow passenger_t puppet_etc_t:file { execute execute_no_trans };

we need to make sure foreman.spec contains foreman-selinux dependency.

JASON: To fix the latter, please cherry pick those two patches in the packaging repo (the SPEC file):

https://github.com/theforeman/foreman-packaging/pull/296/files
https://github.com/theforeman/foreman-packaging/pull/300/files

Comment 5 Bryan Kearney 2014-08-12 16:04:57 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7036 has been closed
-------------
Lukas Zapletal
https://github.com/theforeman/foreman-selinux/pull/26
-------------
Anonymous
Applied in changeset commit:e842477295ed731377f3f43c5b8f84634b6f47a2.

Comment 6 Jason Montleon 2014-08-12 19:06:52 UTC
https://github.com/Katello/katello-installer/pull/99 is also needed

Comment 9 Tazim Kolhar 2014-12-05 13:21:32 UTC
VERIFIED:


*** This bug is verified in upstream. This fix should eventually land in future downstream builds ***
Version Tested:

# rpm -qa | grep foreman
foreman-compute-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_discovery-1.4.1-1.el7.noarch
foreman-selinux-1.8.0-0.develop.201411281557gitf4a857f.el7.noarch
foreman-libvirt-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2-1.el7.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-2.201409091410git163c264.git.0.988ca80.el7.noarch
foreman-ovirt-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7.noarch
foreman-postgresql-1.8.0-0.develop.201412040955git563fa28.el7.noarch
foreman-gce-1.8.0-0.develop.201412040955git563fa28.el7.noarch
foreman-vmware-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman-tasks-0.6.9-1.el7.noarch
foreman-proxy-1.8.0-0.develop.201411261259git6ddd00d.el7.noarch
ibm-x3550m3-07.lab.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_docker-0.2.0-2.el7.noarch
rubygem-hammer_cli_foreman-0.1.3-1.201411121216git9381fc5.el7.noarch
foreman-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ibm-x3550m3-07.lab.eng.brq.redhat.com-foreman-client-1.0-1.noarch
foreman-release-1.8.0-0.develop.201412040955git563fa28.el7.noarch


# katello-installer --interactive
Welcome to the Kafo installer!
------------------------------

This wizard will gather all required information. You can change any parameter
to your needs.


Ready to start? (y/n)
y

Main Config Menu
1. [n] Configure foreman_plugin_templates
2. [y] Configure foreman_plugin_bootdisk
3. [y] Configure certs
4. [y] Configure foreman_plugin_hooks
5. [y] Configure foreman_plugin_discovery
6. [y] Configure foreman
7. [n] Configure foreman_plugin_puppetdb
8. [n] Configure foreman_plugin_default_hostgroup
9. [y] Configure capsule
10. [n] Configure foreman_plugin_setup
11. [y] Configure katello
12. [n] Configure foreman_plugin_chef
13. [y] Configure foreman_plugin_tasks
14. Display current config
15. Save and run
16. Cancel run without Saving
Choose an option from the menu... 
Ambiguous choice.  Please choose one of [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15, 16].
?  15
  Success!
  * Katello is running at https://qe-foreman-rhel66.usersys.redhat.com
      Initial credentials are admin / vhjCUh3XA23atXZp
  * Capsule is running at https://qe-foreman-rhel66.usersys.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar
"~/$CAPSULE-certs.tar"

  The full log is at /var/log/katello-installer/katello-installer.log

No AVCs at all
# cat /var/log/audit/audit.log | audit2allow

Comment 10 Bryan Kearney 2015-08-11 13:35:13 UTC
This bug is slated to be released with Satellite 6.1.

Comment 11 errata-xmlrpc 2015-08-12 05:14:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592