Bug 1522766

Summary: Passenger cannot communicate to Puppet Master via TCP
Product: Red Hat Satellite Reporter: Lukas Zapletal <lzap>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.3.0CC: bbuckingham, brubisch, dlobatog, ehelms, ekohlvan, lpramuk, lzap, peter.vreman, zhunting
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/21887
Whiteboard:
Fixed In Version: foreman-selinux-1.15.6.1-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 16:54:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1122832, 1533259    

Description Lukas Zapletal 2017-12-06 12:08:07 UTC 
Standard install:

type=AVC msg=audit(1512555818.157:6078): avc:  denied  { name_connect } for  pid=21628 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

Easy fix.
Comment 5 Lukas Zapletal 2017-12-11 12:49:05 UTC 
Peter, I already have the patch ready, but can you tell me when this happens? I haven't seen this myself on my system.
Comment 6 Peter Vreman 2017-12-11 13:00:26 UTC 
Lukas,


It happens every time with 'systemctl reload httpd', e.g. also with a weekly logroation

Below is output of a manual systemctl reload httpd:

-----------
[Mon Dec 11 12:55:08.377262 2017] [mpm_prefork:notice] [pid 11197] AH00163: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/2.7.5 Phusion_Passenger/4.0.18 configured -- resuming normal operations
[Mon Dec 11 12:55:08.377307 2017] [core:notice] [pid 11197] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[ 2017-12-11 12:55:10.3851 11228/7fc2bd39f700 Pool2/Spawner.h:738 ]: [App 11442 stdout]
[ 2017-12-11 12:55:14.3358 11228/7fc2bd39f700 Pool2/Spawner.h:738 ]: [App 11442 stdout] API controllers newer than Apipie cache! Run apipie:cache rake task to regenerate cache.
[ 2017-12-11 12:55:32.4247 11228/7fc2bd39f700 Pool2/SmartSpawner.h:301 ]: Preloader for /usr/share/foreman started on PID 11442, listening on unix:/var/run/rubygem-passenger/passenger.1.0.11197/generation-1/backends/preloader.11475
/usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:105:in `initialize': Permission denied - connect(2) (Errno::EACCES)
        from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:105:in `new'
        from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:105:in `connect'
        from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:112:in `connect'
        from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:86:in `socket'
        from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:90:in `head_request'
        from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:145:in `<main>'
-----------
Comment 7 Peter Vreman 2017-12-11 13:01:47 UTC 
Note: i run puppet master also the Sat6 server itself.
It might also be an issue on a Capsule, but did not test a capsule with 6.3 yet
Comment 8 Ewoud Kohl van Wijngaarden 2017-12-11 13:08:21 UTC 
It looks like this is the preloader to start up instances on service startup rather than on first client.

@Peter: can you confirm this by (temporarily) removing the PassengerPreStart from the puppet vhosts.
Comment 9 Lukas Zapletal 2017-12-11 14:07:57 UTC 
QA: Happens during restart, to VERIFY please restart httpd service and check for denials.

Thanks Ewoud, I thought this is some feature of Foreman itself and it is just this :-)
Comment 10 Satellite Program 2017-12-19 11:03:40 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21887 has been resolved.
Comment 14 Lukas Pramuk 2018-01-08 14:14:37 UTC 
VERIFIED.

@satellite-6.3.0-23.0.el7sat.noarch
foreman-selinux-1.15.6.1-1.el7sat.noarch

by manual reproducer based on comment#9

1. # service httpd restart

2. # tail -0f /var/log/audit/audit.log

REPRO (older snap):
type=SERVICE_STOP msg=audit(1515415463.229:10256): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1515415463.432:10257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1515415517.153:10258): avc:  denied  { name_connect } for  pid=22665 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

vs.

FIX:
type=SERVICE_STOP msg=audit(1515420604.858:10571): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1515420605.083:10572): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

>>> there is no more avc denial during/after httpd service restart
Comment 15 Satellite Program 2018-02-21 16:54:37 UTC 
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
> > 
> > For information on the advisory, and where to find the updated files, follow the link below.
> > 
> > If the solution does not work for you, open a new bug report.
> > 
> > https://access.redhat.com/errata/RHSA-2018:0336