Bug 1129094
Summary: | SELinux AVCs when installing on RHEL 6.6 | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Jan Hutař <jhutar> |
Component: | SELinux | Assignee: | Jason Montleon <jmontleo> |
Status: | CLOSED ERRATA | QA Contact: | Tazim Kolhar <tkolhar> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.0.3 | CC: | cwelton, jmontleo, sthirugn |
Target Milestone: | Unspecified | | |
Target Release: | Unused | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
URL: | http://projects.theforeman.org/issues/7051 | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-08-12 05:14:03 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1127773 | | |
Bug Blocks: | | | |
Description
Jan Hutař
2014-08-12 08:48:22 UTC
The following denials

```
allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;
```

will be fixed here http://projects.theforeman.org/issues/7036

For this one:

```
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
```

we need to make sure foreman.spec contains foreman-selinux dependency.

JASON: To fix the latter, please cherry pick those two patches in the packaging repo (the SPEC file):

https://github.com/theforeman/foreman-packaging/pull/296/files

https://github.com/theforeman/foreman-packaging/pull/300/files

Moving to POST since upstream bug http://projects.theforeman.org/issues/7036 has been closed

\-------------

Lukas Zapletal

https://github.com/theforeman/foreman-selinux/pull/26

\-------------

Anonymous

Applied in changeset commit:e842477295ed731377f3f43c5b8f84634b6f47a2.

https://github.com/Katello/katello-installer/pull/99 is also needed

VERIFIED:

*** This bug is verified in upstream. This fix should eventually land in future downstream builds ***

Version Tested:

```
# rpm -qa | grep foreman
foreman-compute-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_discovery-1.4.1-1.el7.noarch
foreman-selinux-1.8.0-0.develop.201411281557gitf4a857f.el7.noarch
foreman-libvirt-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2-1.el7.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-2.201409091410git163c264.git.0.988ca80.el7.noarch
foreman-ovirt-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7.noarch
foreman-postgresql-1.8.0-0.develop.201412040955git563fa28.el7.noarch
foreman-gce-1.8.0-0.develop.201412040955git563fa28.el7.noarch
foreman-vmware-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman-tasks-0.6.9-1.el7.noarch
foreman-proxy-1.8.0-0.develop.201411261259git6ddd00d.el7.noarch
ibm-x3550m3-07.lab.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_docker-0.2.0-2.el7.noarch
rubygem-hammer_cli_foreman-0.1.3-1.201411121216git9381fc5.el7.noarch
foreman-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ibm-x3550m3-07.lab.eng.brq.redhat.com-foreman-client-1.0-1.noarch
foreman-release-1.8.0-0.develop.201412040955git563fa28.el7.noarch

# katello-installer --interactive
Welcome to the Kafo installer!
------------------------------

This wizard will gather all required information. You can change any parameter to your needs.

Ready to start? (y/n)
y

Main Config Menu
1. [n] Configure foreman_plugin_templates
2. [y] Configure foreman_plugin_bootdisk
3. [y] Configure certs
4. [y] Configure foreman_plugin_hooks
5. [y] Configure foreman_plugin_discovery
6. [y] Configure foreman
7. [n] Configure foreman_plugin_puppetdb
8. [n] Configure foreman_plugin_default_hostgroup
9. [y] Configure capsule
10. [n] Configure foreman_plugin_setup
11. [y] Configure katello
12. [n] Configure foreman_plugin_chef
13. [y] Configure foreman_plugin_tasks
14. Display current config
15. Save and run
16. Cancel run without Saving
Choose an option from the menu...
Ambiguous choice. Please choose one of [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16].
?
```
```
Installing Done [100%]
Success!
  * Katello is running at https://qe-foreman-rhel66.usersys.redhat.com
      Initial credentials are admin / vhjCUh3XA23atXZp
  * Capsule is running at https://qe-foreman-rhel66.usersys.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar "~/$CAPSULE-certs.tar"

  The full log is at /var/log/katello-installer/katello-installer.log
```

No AVCs at all

```
# cat /var/log/audit/audit.log | audit2allow
```

This bug is slated to be released with Satellite 6.1.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592
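The verification above pipes `audit.log` through `audit2allow` and expects empty output. As an added example (not part of the bug report, and not audit2allow's own code), this Python script groups AVC denial records into `allow` rules of the form listed in the description, so an install check can assert that a domain such as `passenger_t` produced none. The log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the permission set and the source/target contexts of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def denials_to_rules(lines, source_type=None):
    """Group AVC denials into allow rules; optionally keep one source domain."""
    grouped = defaultdict(set)
    for line in lines:
        if "type=AVC" not in line:
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if not m:
            continue
        src = selinux_type(m["scon"])
        if source_type and src != source_type:
            continue
        grouped[(src, selinux_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        p = sorted(perms)  # alphabetical; audit2allow may order permissions differently
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {text};")
    return rules

# Constructed sample records (not taken from the bug report).
_P = "scontext=system_u:system_r:passenger_t:s0"
SAMPLE_AUDIT_LOG = [
    f'type=AVC msg=audit(1407833302.101:41): avc:  denied  {{ write }} for  pid=2101 comm="ruby" name="foreman" {_P} tcontext=system_u:object_r:foreman_log_t:s0 tclass=dir',
    f'type=AVC msg=audit(1407833302.102:42): avc:  denied  {{ add_name }} for  pid=2101 comm="ruby" name="production.log" {_P} tcontext=system_u:object_r:foreman_log_t:s0 tclass=dir',
    f'type=AVC msg=audit(1407833302.103:43): avc:  denied  {{ create }} for  pid=2101 comm="ruby" name="production.log" {_P} tcontext=system_u:object_r:foreman_log_t:s0 tclass=file',
    f'type=AVC msg=audit(1407833303.201:44): avc:  denied  {{ execute execute_no_trans }} for  pid=2140 comm="ruby" name="node.rb" {_P} tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1407833303.201:44): arch=c000003e syscall=59 success=no exit=-13 comm="ruby"',
    'type=AVC msg=audit(1407833304.301:45): avc:  denied  { read } for  pid=2200 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
]

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG, source_type="passenger_t"):
        print(rule)
```

An empty list from `denials_to_rules` corresponds to the "No AVCs at all" result recorded in the verification comment.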