Bug 1004742 - SELinux error when starting openshift-broker on F19
SELinux error when starting openshift-broker on F19
Status: CLOSED NOTABUG
Product: OpenShift Origin
Classification: Red Hat
Component: Pod (Show other bugs)
2.x
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Krishna Raman
libra bugs
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-05 07:45 EDT by Michal Fojtik
Modified: 2015-05-14 22:20 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-29 10:24:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Fojtik 2013-09-05 07:45:49 EDT
Description of problem:

The openshift-broker server won't start on the latest F19 due to AVC denials.
To confirm this is a SELinux issue I tried to start it under permissive mode and it works fine.

Version-Release number of selected component (if applicable):

Origin installed using the openshift-puppet module.

How reproducible:

Install OpenShift Origin on updated F19 with enabled selinux using:

$ puppet module install openshift/openshift_origin
 
Actual results:

[Thu Sep 05 11:23:52.887124 2013] [core:notice] [pid 2216] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[ pid=2217 thr=140690826508096 file=ext/common/AgentBase.cpp:419 time=2013-09-05 11:23:52.890 ]: *** ERROR: Unexpected end-of-file encountered
     in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
     in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)

[Thu Sep 05 11:23:52.899706 2013] [passenger:error] [pid 2216] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1
[ pid=2220 thr=140649429509952 file=ext/common/AgentBase.cpp:419 time=2013-09-05 11:23:52.910 ]: *** ERROR: Unexpected end-of-file encountered
     in 'void Passenger::VariantMap::readFrom(int)' (VariantMap.h:140)
     in 'Passenger::VariantMap Passenger::initializeAgent(int, char**, const char*)' (AgentBase.cpp:355)

[Thu Sep 05 11:23:52.919720 2013] [passenger:error] [pid 2219] *** Passenger could not be initialized because of this error: Unable to start the Phusion Passenger watchdog: it seems to have crashed during startup for an unknown reason, with exit code 1

When starting in permissive mode I got these denials:

type=SERVICE_STOP msg=audit(1378380755.753:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="openshift-broker" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1378380755.803:284): avc:  denied  { getattr } for  pid=4253 comm="ruby-mri" path="socket:[34280]" dev="sockfs" ino=34280 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1378380755.803:284): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fff14621e20 a2=7fff14621e20 a3=7fff14621bd0 items=0 ppid=4251 pid=4253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380755.806:285): avc:  denied  { write } for  pid=4247 comm="httpd" name="socket" dev="tmpfs" ino=34367 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:passenger_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1378380755.806:285): arch=c000003e syscall=42 success=yes exit=0 a0=8 a1=7fff990e31e0 a2=6e a3=69746172656e6567 items=0 ppid=1 pid=4247 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1378380755.808:286): avc:  denied  { ioctl } for  pid=4253 comm="ruby-mri" path="socket:[34280]" dev="sockfs" ino=34280 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1378380755.808:286): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fff14621c70 a3=19661f8 items=0 ppid=4251 pid=4253 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=SERVICE_START msg=audit(1378380755.868:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="openshift-broker" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1378380758.036:288): avc:  denied  { name_connect } for  pid=4288 comm="ruby-mri" dest=8080 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1378380758.036:288): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=cdaa30 a2=10 a3=7fff5322bfd0 items=0 ppid=4251 pid=4288 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.489:289): avc:  denied  { append } for  pid=4295 comm="ruby-mri" name="development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1378380760.489:289): avc:  denied  { open } for  pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.489:289): arch=c000003e syscall=2 success=yes exit=3 a0=37e5ee0 a1=80441 a2=1b6 a3=3 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.489:290): avc:  denied  { getattr } for  pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.489:290): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fff328fbe50 a2=7fff328fbe50 a3=3 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.489:291): avc:  denied  { ioctl } for  pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/development.log" dev="vda" ino=137112 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.489:291): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7fff328fbea0 a3=3 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.579:292): avc:  denied  { getattr } for  pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.579:292): arch=c000003e syscall=4 success=yes exit=0 a0=37a8900 a1=7fff328fa820 a2=7fff328fa820 a3=7f9aee3a6ab0 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.580:293): avc:  denied  { append } for  pid=4295 comm="ruby-mri" name="user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1378380760.580:293): avc:  denied  { open } for  pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.580:293): arch=c000003e syscall=2 success=yes exit=10 a0=37a8900 a1=80401 a2=1b6 a3=2 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380760.580:294): avc:  denied  { ioctl } for  pid=4295 comm="ruby-mri" path="/var/log/openshift/broker/user_action.log" dev="vda" ino=137114 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1378380760.580:294): arch=c000003e syscall=16 success=no exit=-25 a0=a a1=5401 a2=7fff328fa520 a3=2 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1378380761.618:295): avc:  denied  { name_connect } for  pid=4295 comm="ruby-mri" dest=27017 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1378380761.618:295): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=4b77cc0 a2=10 a3=7fff328f4600 items=0 ppid=4272 pid=4295 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)

Expected results:

[Thu Sep 05 11:32:35.780632 2013] [core:notice] [pid 4247] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Thu Sep 05 11:32:35.874130 2013] [mpm_prefork:notice] [pid 4266] AH00163: Apache/2.4.6 (Fedora) Phusion_Passenger/3.0.21 configured -- resuming normal operations
[Thu Sep 05 11:32:35.874167 2013] [core:notice] [pid 4266] AH00094: Command line: '/usr/sbin/httpd -C Include /var/www/openshift/broker/httpd/broker.conf -f /var/www/openshift/broker/httpd/httpd.conf'

Additional info:
Comment 1 Michal Fojtik 2013-10-29 10:24:49 EDT
This seems to be fixed automagically ;-) Closing this one.

Note You need to log in before you can comment on or make changes to this bug.