
Bug 1047517

Summary: ruby-openstack-foreman-installer: Multiple AVC errors in /var/log/messages after finish running foreman_server.sh.
Product: Red Hat OpenStack
Reporter: Omri Hochman <ohochman>
Component: foreman-selinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED WONTFIX
QA Contact: Ami Jeain <ajeain>
Severity: medium
Priority: medium
Version: 3.0
CC: lzap, mburns, oblaut, ohochman, yeylon
Target Milestone: ---
Keywords: ZStream
Target Release: Installer
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-04-29 14:49:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Attachments: messages.log (flags: none)

Description Omri Hochman 2013-12-31 13:45:33 UTC
ruby-openstack-foreman-installer: Multiple AVC errors in /var/log/messages after finish running foreman_server.sh.

Environment (Puddle: 2013-12-20.1): 
------------
ruby193-openstack-foreman-installer-0.0.18-3.el6ost.x86_64
ruby193-foreman-selinux-1.2.10002-1.el6ost.noarch
libselinux-utils-2.0.94-5.3.el6_4.1.x86_64
libselinux-2.0.94-5.3.el6_4.1.x86_64
libselinux-python-2.0.94-5.3.el6_4.1.x86_64
selinux-policy-3.7.19-231.el6.noarch
selinux-policy-targeted-3.7.19-231.el6.noarch

Steps: 
--------
- Attempt to deploy foreman server using foreman_server.sh.

Results: 
----------
- Installation of foreman-server finished successfully.
- AVC errors remain under /var/log/messages.

/var/log/messages (attached):
------------------------------
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.378:19): avc:  denied  { getattr } for  pid=8217 comm="ruby" path="/opt/rh/ruby193/root/var/lib/puppet/ssl/certs/puma39.scl.lab.tlv.redhat.com.pem" dev=dm-0 ino=11797452 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.401:20): avc:  denied  { getattr } for  pid=8217 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=6946835 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.401:21): avc:  denied  { execute } for  pid=8217 comm="ruby" name="ifconfig" dev=dm-0 ino=6946835 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.406:22): avc:  denied  { read open } for  pid=9069 comm="sh" name="ifconfig" dev=dm-0 ino=6946835 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.406:23): avc:  denied  { execute_no_trans } for  pid=9069 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=6946835 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.407:24): avc:  denied  { read } for  pid=9069 comm="ifconfig" name="unix" dev=proc ino=4026532015 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.407:25): avc:  denied  { search } for  pid=9069 comm="ifconfig" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.407:26): avc:  denied  { open } for  pid=9069 comm="ifconfig" name="dev" dev=proc ino=4026531987 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.407:27): avc:  denied  { getattr } for  pid=9069 comm="ifconfig" path="/proc/9069/net/dev" dev=proc ino=4026531987 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
Dec 31 15:27:23 puma39 kernel: type=1400 audit(1388496443.429:28): avc:  denied  { write } for  pid=8217 comm="ruby" name="yaml" dev=dm-0 ino=12190722 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:27:33 puma39 puppet-master[8217]: Compiled catalog for puma39.scl.lab.tlv.redhat.com in environment production in 0.01 seconds
Dec 31 15:27:34 puma39 puppet-agent[8194]: Finished catalog run in 0.36 seconds
Dec 31 15:29:54 puma39 kernel: __ratelimit: 27 callbacks suppressed
Dec 31 15:29:54 puma39 kernel: type=1400 audit(1388496593.999:38): avc:  denied  { read } for  pid=9180 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:29:54 puma39 kernel: type=1400 audit(1388496593.999:39): avc:  denied  { open } for  pid=9180 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:29:59 puma39 kernel: type=1400 audit(1388496599.000:40): avc:  denied  { search } for  pid=9195 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 31 15:29:59 puma39 kernel: type=1400 audit(1388496599.000:41): avc:  denied  { read } for  pid=9195 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:29:59 puma39 kernel: type=1400 audit(1388496599.000:42): avc:  denied  { open } for  pid=9195 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.001:43): avc:  denied  { name_bind } for  pid=8217 comm="ruby" src=62042 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.005:44): avc:  denied  { getattr } for  pid=8217 comm="ruby" path="/opt/rh/ruby193/root/var/lib/puppet/ssl/certs/puma39.scl.lab.tlv.redhat.com.pem" dev=dm-0 ino=11797452 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.005:45): avc:  denied  { read } for  pid=8217 comm="ruby" name="ca_crt.pem" dev=dm-0 ino=11797453 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.005:46): avc:  denied  { open } for  pid=8217 comm="ruby" name="ca_crt.pem" dev=dm-0 ino=11797453 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.005:47): avc:  denied  { ioctl } for  pid=8217 comm="ruby" path="/opt/rh/ruby193/root/var/lib/puppet/ssl/ca/ca_crt.pem" dev=dm-0 ino=11797453 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 puppet-master[8217]: puma01.scl.lab.tlv.redhat.com has a waiting certificate request
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.153:48): avc:  denied  { write } for  pid=8217 comm="ruby" name="requests" dev=dm-0 ino=12190723 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.153:49): avc:  denied  { add_name } for  pid=8217 comm="ruby" name="puma01.scl.lab.tlv.redhat.com.pem" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.153:50): avc:  denied  { create } for  pid=8217 comm="ruby" name="puma01.scl.lab.tlv.redhat.com.pem" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.153:51): avc:  denied  { write } for  pid=8217 comm="ruby" name="puma01.scl.lab.tlv.redhat.com.pem" dev=dm-0 ino=12190726 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 kernel: type=1400 audit(1388496634.155:52): avc:  denied  { lock } for  pid=8217 comm="ruby" path="/opt/rh/ruby193/root/var/lib/puppet/ssl/ca/serial" dev=dm-0 ino=11797457 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:34 puma39 puppet-master[8217]: Signed certificate request for puma01.scl.lab.tlv.redhat.com
Dec 31 15:30:34 puma39 puppet-master[8217]: Removing file Puppet::SSL::CertificateRequest puma01.scl.lab.tlv.redhat.com at '/opt/rh/ruby193/root/var/lib/puppet/ssl/ca/requests/puma01.scl.lab.tlv.redhat.com.pem'
Dec 31 15:30:34 puma39 puppet-master[8217]: Failed to find puma01.scl.lab.tlv.redhat.com via exec: Execution of '/opt/rh/ruby193/root/etc/puppet/node.rb puma01.scl.lab.tlv.redhat.com' returned 1: 
Dec 31 15:30:51 puma39 kernel: __ratelimit: 12 callbacks suppressed
Dec 31 15:30:51 puma39 kernel: type=1400 audit(1388496651.538:57): avc:  denied  { create } for  pid=8217 comm="ruby" name="puma01.scl.lab.tlv.redhat.com.yaml20131231-8217-1e68wed.lock" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:30:51 puma39 kernel: type=1400 audit(1388496651.538:58): avc:  denied  { rmdir } for  pid=8217 comm="ruby" name="puma01.scl.lab.tlv.redhat.com.yaml20131231-8217-1e68wed.lock" dev=dm-0 ino=14942487 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:30:51 puma39 kernel: type=1400 audit(1388496651.538:59): avc:  denied  { setattr } for  pid=8217 comm="ruby" name="puma01.scl.lab.tlv.redhat.com.yaml20131231-8217-1e68wed" dev=dm-0 ino=14942488 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:30:52 puma39 puppet-master[8217]: Compiled catalog for puma01.scl.lab.tlv.redhat.com in environment production in 0.01 seconds
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.000:61): avc:  denied  { search } for  pid=9297 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.000:62): avc:  denied  { read } for  pid=9297 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.000:63): avc:  denied  { open } for  pid=9297 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.509:64): avc:  denied  { getattr } for  pid=8217 comm="ruby" path="/opt/rh/ruby193/root/var/lib/puppet/ssl/certs/puma39.scl.lab.tlv.redhat.com.pem" dev=dm-0 ino=11797452 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.514:65): avc:  denied  { write } for  pid=8217 comm="ruby" name="facts" dev=dm-0 ino=14942455 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.514:66): avc:  denied  { add_name } for  pid=8217 comm="ruby" name="puma02.scl.lab.tlv.redhat.com.yaml20131231-8217-1mlmqh2.lock" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.514:67): avc:  denied  { create } for  pid=8217 comm="ruby" name="puma02.scl.lab.tlv.redhat.com.yaml20131231-8217-1mlmqh2.lock" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.515:68): avc:  denied  { create } for  pid=8217 comm="ruby" name="puma02.scl.lab.tlv.redhat.com.yaml20131231-8217-1mlmqh2" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:32:49 puma39 kernel: type=1400 audit(1388496769.515:69): avc:  denied  { read write open } for  pid=8217 comm="ruby" name="puma02.scl.lab.tlv.redhat.com.yaml20131231-8217-1mlmqh2" dev=dm-0 ino=14942498 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
Dec 31 15:32:50 puma39 puppet-master[8217]: Compiled catalog for puma02.scl.lab.tlv.redhat.com in environment production in 0.00 seconds
Dec 31 15:32:53 puma39 puppet-master[9307]: Config file /opt/rh/ruby193/root/etc/puppet/hiera.yaml not found, using Hiera defaults
Dec 31 15:32:55 puma39 kernel: __ratelimit: 51 callbacks suppressed
Dec 31 15:32:55 puma39 kernel: type=1400 audit(1388496775.427:87): avc:  denied  { getattr } for  pid=9307 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=6946895 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 31 15:32:55 puma39 kernel: type=1400 audit(1388496775.427:88): avc:  denied  { execute } for  pid=9307 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=6946895 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 31 15:32:55 puma39 kernel: type=1400 audit(1388496775.429:89): avc:  denied  { read open } for  pid=9336 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=6946895 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 31 15:32:55 puma39 kernel: type=1400 audit(1388496775.429:90): avc:  denied  { execute_no_trans } for  pid=9336 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=6946895 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 31 15:32:55 puma39 puppet-master[9307]: Compiled catalog for puma01.scl.lab.tlv.redhat.com in environment production in 2.16 seconds
Dec 31 15:34:54 puma39 kernel: type=1400 audit(1388496894.000:91): avc:  denied  { search } for  pid=9377 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 31 15:34:54 puma39 kernel: type=1400 audit(1388496894.000:92): avc:  denied  { read } for  pid=9377 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 31 15:34:54 puma39 kernel: type=1400 audit(1388496894.000:93): avc:  denied  { open } for  pid=9377 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Comment 1 Omri Hochman 2013-12-31 13:54:31 UTC
Created attachment 843779
messages.log

Comment 2 Mike Burns 2014-06-17 18:09:07 UTC
*** Bug 1108036 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Zapletal 2014-06-17 18:52:06 UTC
Can you please run this:

restorecon -nRv /etc

Thanks

Comment 4 Lukas Zapletal 2014-06-18 13:35:09 UTC
Audit2Allow:

allow passenger_t iptables_exec_t:file { read getattr open execute execute_no_trans };

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow passenger_t port_t:udp_socket name_bind;

#!!!! This avc is allowed in the current policy
allow passenger_t sysfs_t:dir search;

#!!!! This avc is allowed in the current policy
allow passenger_t sysfs_t:file { read open };
#!!!! The source type 'passenger_t' can write to a 'dir' of the following types:
# passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, foreman_lib_t, httpd_tmp_t, cluster_conf_t, foreman_var_run_t

allow passenger_t var_lib_t:dir { write create add_name rmdir };
#!!!! The source type 'passenger_t' can write to a 'file' of the following types:
# puppet_var_lib_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, foreman_lib_t, httpd_tmp_t, cluster_var_lib_t, cluster_var_run_t, root_t, cluster_conf_t, foreman_var_run_t

allow passenger_t var_lib_t:file { setattr read lock create getattr write ioctl open };
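The raw AVC lines in the description and the audit2allow summary in Comment 4 are two views of the same data. The script below is an added example, not code from the bug or from the foreman-selinux project: it parses denial lines in the /var/log/messages format shown above, aggregates them into audit2allow-style allow statements for review, and separately flags denials whose target carries a generic label such as var_lib_t or etc_t, which in this bug turned out to be a labelling problem (restorecon / foreman-selinux-relabel) rather than a missing policy rule. The sample log lines, host name, pids, inodes and the GENERIC_TYPES set are constructed for the example; truncated lines like the ones in Comment 10, which lack tcontext or tclass, are skipped rather than miscounted.

```python
import re
from collections import defaultdict

# Constructed sample log lines, shaped like the /var/log/messages excerpt in the bug
# (host name, pids, inodes and timestamps are made up for this example).
SAMPLE_LOG = """\
Dec 31 15:27:23 host1 kernel: type=1400 audit(1388496443.401:21): avc:  denied  { execute } for  pid=8217 comm="ruby" name="ifconfig" dev=dm-0 ino=6946835 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Dec 31 15:27:23 host1 kernel: type=1400 audit(1388496443.406:22): avc:  denied  { read open } for  pid=9069 comm="sh" name="ifconfig" dev=dm-0 ino=6946835 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
Dec 31 15:27:23 host1 kernel: type=1400 audit(1388496443.429:28): avc:  denied  { write } for  pid=8217 comm="ruby" name="yaml" dev=dm-0 ino=12190722 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir
Dec 31 15:27:33 host1 puppet-master[8217]: Compiled catalog for host1 in environment production in 0.01 seconds
Dec 31 15:29:54 host1 kernel: __ratelimit: 27 callbacks suppressed
Dec 31 15:30:34 host1 kernel: type=1400 audit(1388496634.005:45): avc:  denied  { read } for  pid=8217 comm="ruby" name="ca_crt.pem" dev=dm-0 ino=11797453 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
"""

# A line cut off mid-field, like the two in Comment 10 (constructed here).
TRUNCATED_LINE = ('Jun 23 21:57:03 host1 kernel: type=1400 audit(1403549823.020:32): avc:  denied  '
                  '{ execute } for  pid=10801 comm="ruby" name="node.rb" dev=dm-0 ino=12977675 '
                  'scontext=unconfined_u:system_r:passenger_t:s0 tcontext')

# "avc:  denied  { read open } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Catch-all target labels. A confined domain being denied on one of these usually means
# the object is mislabelled (a restorecon problem), not that policy lacks a rule.
# This set is an assumption of the example, not something taken from the bug.
GENERIC_TYPES = {"var_lib_t", "var_t", "etc_t", "usr_t", "var_run_t", "tmp_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for a complete AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated or wrapped line: do not guess at the missing fields
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """unconfined_u:system_r:passenger_t:s0 -> passenger_t"""
    return context.split(":")[2]


def summarize(log_text):
    """Aggregate denials by (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key] |= rec["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render the aggregate as audit2allow-style statements, for review rather than blind loading."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out


def suspected_mislabels(log_text):
    """Denials whose target has a generic label: check the file's label before touching policy."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        tgt = type_of(rec["tcontext"])
        if tgt in GENERIC_TYPES:
            found.append((rec.get("comm"), rec.get("path") or rec.get("name"), tgt))
    return found


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
    for comm, obj, tgt in suspected_mislabels(SAMPLE_LOG):
        print(f"check label: {obj} ({tgt}) accessed by {comm}")
```

Run against a full messages file, the second list is the one to act on first: objects under /opt/rh/ruby193/root/var/lib/puppet showing up as var_lib_t are exactly the case Comment 14 addresses with a relabel, and an allow rule generated from them would grant passenger_t access to everything labelled var_lib_t on the box.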

Comment 5 Lukas Zapletal 2014-06-18 14:00:34 UTC
Can you guys give me more info on how to reproduce? I haven't used the foreman_server.sh yet. Is this building the LiveCD or what does it do?

I am interested in these commands:

ps axuwwwZ
restorecon -nRv /

Thanks.

Comment 6 Lukas Zapletal 2014-06-19 13:34:46 UTC
This looks like OSP3 version, I am not sure if we do selinux support for this version. Please reproduce with OSP5. Thanks.

Comment 7 Omri Hochman 2014-06-19 13:37:35 UTC
Needs to be retested in OSP5.

Comment 8 Lukas Zapletal 2014-06-19 13:41:17 UTC
Ok thanks.

Comment 9 Omri Hochman 2014-06-23 19:51:41 UTC
Still reproduces with OSP5 - I will clone this bug to version 5.0.

Environment:
-------------
foreman-selinux-1.6.0-2.el6sat.noarch
openstack-foreman-installer-2.0.8-1.el6ost.noarch
openstack-puppet-modules-2014.1-16.2.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch

Comment 10 Omri Hochman 2014-06-23 19:55:05 UTC

Changed the bug version to 5.0:

The bug still reproduces on the OFI server (on RHEL 6.5) when running foreman_server.sh --> those AVCs will remain in /var/log/messages:

Environment:
-------------
foreman-selinux-1.6.0-2.el6sat.noarch
openstack-foreman-installer-2.0.8-1.el6ost.noarch
openstack-puppet-modules-2014.1-16.2.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-7.el6ost.noarch

Messages:
----------
Jun 23 21:57:03 puma39 kernel: type=1400 audit(1403549823.020:32): avc:  denied  { execute } for  pid=10801 comm="ruby" name="node.rb" dev=dm-0 ino=12977675 scontext=unconfined_u:system_r:passenger_t:s0 tcontext
etc_t:s0 tclass=file
Jun 23 21:57:03 puma39 kernel: type=1400 audit(1403549823.020:33): avc:  denied  { execute_no_trans } for  pid=10801 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=12977675 scontext=unconfined_u:system_r:pa
em_u:object_r:puppet_etc_t:s0 tclass=file

Comment 11 Lukas Zapletal 2014-06-25 07:15:26 UTC
Omri,

for me it's like half a day to reproduce; I am interested in these commands:

ps axuwwwZ
restorecon -nRv /

Would you mind pasting me these? Thanks!

Comment 13 Mike Burns 2014-10-28 12:26:39 UTC
*** Bug 1157232 has been marked as a duplicate of this bug. ***

Comment 14 Lukas Zapletal 2015-01-07 08:51:32 UTC
The workaround is to call foreman-selinux-relabel before running the script that is causing the denials. It looks like file labels are incorrect.

When testing this please add "-n" option and pastebin the output of the relabel script to see which ones are incorrect. When testing this, also include output of the following command before executing the script as well:

restorecon -nRv /