Bug 1670109
| Summary: | foreman-tasks won't start if SELinux is enforcing | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Avijit Roy <avroy> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.4 | CC: | avroy, b.prins, dvoss, lzap, pcreech, smajumda, spetrosi, tonay |
| Target Milestone: | 6.7.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-14 13:23:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1795589 | ||
Works for me, can you narrow down it a bit?
What Foreman plugins are installed? Are there any unsupported plugins? They can cause asset recompilation which is causing this problem so please investigate carefully.
[root@sat64 ~]# rpm -q satellite
satellite-6.4.1-1.el7sat.noarch
[root@sat64 ~]# getenforce
Enforcing
[root@sat64 ~]# systemctl restart foreman-tasks
[root@sat64 ~]# ausearch -m AVC
<no matches>
[root@sat64 ~]# systemctl status foreman-tasks
● dynflowd.service - Foreman jobs daemon
Loaded: loaded (/usr/lib/systemd/system/dynflowd.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2019-01-29 08:36:07 GMT; 16s ago
Docs: https://theforeman.org
Process: 3119 ExecStart=/usr/sbin/dynflowd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/dynflowd.service
├─3165 dynflow_executor
└─3169 dynflow_executor_monitor
Created redmine issue https://projects.theforeman.org/issues/26951 from this bug Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved. This patch will also fix: https://bugzilla.redhat.com/show_bug.cgi?id=1541481 Sorry for the flags changes. This is scheduled into Satellite 6.7. FOR THE RECORD: Workaround A: semanage permissive passenger_t Workaround B: echo -n "module passenger-execmem 1.0;\nallow passenger_t self:process execmem;\n" > passenger-execmem.pp semodule -i passenger-execmem.pp Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved. VERIFIED.
@satellite-6.7.0-5.beta.el7sat.noarch
foreman-selinux-1.24.1-1.el7sat.noarch
by the following manual steps:
# getenforce
Enforcing
# service foreman-tasks restart
Redirecting to /bin/systemctl restart foreman-tasks.service
# service foreman-tasks status
Redirecting to /bin/systemctl status foreman-tasks.service
● dynflowd.service - Foreman jobs daemon
Loaded: loaded (/usr/lib/systemd/system/dynflowd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-01-29 11:01:42 EST; 6s ago
Docs: https://theforeman.org
Process: 18755 ExecStop=/usr/sbin/dynflowd stop (code=exited, status=0/SUCCESS)
Process: 18836 ExecStart=/usr/sbin/dynflowd start (code=exited, status=0/SUCCESS)
Tasks: 5
CGroup: /system.slice/dynflowd.service
├─18890 dynflow_executor
└─18891 dynflow_executor_monitor
Jan 29 11:01:35 satellite.example.com systemd[1]: Starting Foreman jobs daemon...
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /usr/share/foreman/lib/foreman.rb:8: warning: already initialized constant Foreman::UUID_REGEXP
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /usr/share/foreman/lib/foreman.rb:8: warning: previous definition of UUID_REGEXP was here
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: Dynflow Executor: start in progress
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:108: warning: conflicting chdir during another chdir block
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:75: warning: conflicting chdir during another chdir block
Jan 29 11:01:42 satellite.example.com dynflowd[18836]: dynflow_executor: process with pid 18890 started.
Jan 29 11:01:42 satellite.example.com systemd[1]: Started Foreman jobs daemon.
Hint: Some lines were ellipsized, use -l to show in full.
>>> foreman-tasks starts even with selinux enforcing
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:1454 |
Description of problem: foreman-tasks won't start if SELinux is enforcing Version-Release number of selected component (if applicable): Satellite 6.4 How reproducible: Steps to Reproduce: If SELinux is set to enforce foreman-tasks won't start. The error from the audit.log follows. audit2why type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0 type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null) type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274 type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0 Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. audit2allow type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0 type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null) type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274 type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0 #============= passenger_t ============== allow passenger_t self:process execmem; Actual results: Expected results: Expected results: No AVCs should be reported Additional info: