Bug 1134543

Summary: Gem less-rails/therubyracer/v8 compiles assets on tasks startup (was: EXECMEM denial)
Product: Red Hat Satellite Reporter: Lukas Zapletal <lzap>
Component: Subscription ManagementAssignee: Lukas Zapletal <lzap>
Status: CLOSED UPSTREAM QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.4CC: bbuckingham, bkearney, cwelton, ehelms, jhutar, katello-qa-list, lzap
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1112607 Environment:
Last Closed: 2016-02-01 14:54:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1112607, 1656716    
Bug Blocks:    

Description Lukas Zapletal 2014-08-27 18:08:12 UTC 
+++ This bug was initially created as a clone of Bug #1112607 +++

Description of problem:
There are some SELinux issues while running `katello-installer` like these: avc:  denied  { execmem/name_connect/write/read/connectto } for  ... comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0 ...

TL;DR

Foreman-tasks starts rails environment and it looks like less-rails:

https://github.com/Katello/katello/blob/master/engines/bastion/lib/bastion.rb#L2

starts therubyracer/v8 engine to do some javascript compilations which apparently does some memory executing tricks.

We have allowed this in SELinux for GA but for 6.1 we should investigate the root cause and prevent from compilation. This slows down the startup as we already ship everything compiled.
Comment 1 Lukas Zapletal 2014-08-27 18:09:02 UTC 
This is for 6.1 / Foreman Tasks / Katello.
Comment 3 Bryan Kearney 2014-08-27 20:04:16 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/7178 has been closed
-------------
Lukas Zapletal
Scratch that for RHEL7, after investigation from this evening with Jason and Og, it turns out it is not passenger but foreman-tasks what causes this denial. And it does not start without this.

We run foreman-tasks (dynflow process) in passenger_t because it boots whole foreman to do its work. We need to allow this rule.

It does work in RHEL6 but in RHEL7 it does not start. Permissive only gives this denial and enforcing stops tasks from coming up. Allowing this rule proceeds.

<pre>service foreman-tasks start
Redirecting to /bin/systemctl start  foreman-tasks.service
Job for foreman-tasks.service failed. See 'systemctl status foreman-tasks.service' and 'journalctl -xn' for details.
[root@el7-smoketest ~]# vi log
[root@el7-smoketest ~]# audit2allow -m passenger-execmem < log
 
module passenger-execmem 1.0;
 
require {
        type passenger_t;
        class process execmem;
}
 
#============= passenger_t ==============
allow passenger_t self:process execmem;
You have new mail in /var/spool/mail/root
[root@el7-smoketest ~]# audit2allow -M passenger-execmem < log
******************** IMPORTANT ***********************
To make this policy package active, execute:
 
semodule -i passenger-execmem.pp
 
[root@el7-smoketest ~]# semodule -i passenger-execmem.pp
[root@el7-smoketest ~]# getenforce
Enforcing
[root@el7-smoketest ~]# service foreman-tasks start
Redirecting to /bin/systemctl start  foreman-tasks.service
You have new mail in /var/spool/mail/root
[root@el7-smoketest ~]# cat log
type=AVC msg=audit(1408565585.751:711): avc:  denied  { execmem } for  pid=52386 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
[root@el7-smoketest ~]# systemctl status foreman-tasks
foreman-tasks.service - Foreman jobs daemon
   Loaded: loaded (/usr/lib/systemd/system/foreman-tasks.service; enabled)
   Active: active (running) since Wed 2014-08-20 16:22:15 EDT; 22s ago
     Docs: https://github.com/iNecas/foreman-tasks
  Process: 52738 ExecStop=/usr/bin/foreman-tasks stop (code=exited, status=134)
  Process: 54593 ExecStart=/usr/bin/foreman-tasks start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/foreman-tasks.service
           ├─54635 dynflow_executor
           └─54637 dynflow_executor_monitor
 
Aug 20 16:20:56 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ...
Aug 20 16:20:59 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ...
Aug 20 16:20:59 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ...
Aug 20 16:22:14 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ...
Aug 20 16:22:15 el7-smoketest.sat6.lab.eng.bos.redhat.com systemd[1]: Started Fo...
Hint: Some lines were ellipsized, use -l to show in full.</pre>
-------------
Anonymous
Applied in changeset commit:d867377e56451fc43030a30958499d34e6f4e485.
Comment 4 Lukas Zapletal 2014-08-28 13:30:44 UTC 
Corrected the wrong URL upstream link.
Comment 5 Bryan Kearney 2015-12-21 18:01:46 UTC 
Do we still need to track this?
Comment 6 Lukas Zapletal 2016-02-01 14:54:08 UTC 
No.