Bug 1092980 - [Openstack-Staypuft]: SELinux AVCs during staypuft-installer --foreman-authentication=false in messages.
Keywords:
Status: CLOSED DUPLICATE of bug 1098244
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rubygem-staypuft
Version: 4.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z4
Target Release: 4.0
Assignee: Lukas Zapletal
QA Contact: Omri Hochman
URL:
Whiteboard:
Depends On:
Blocks: 1093126
Reported: 2014-04-30 11:06 UTC by Omri Hochman
Modified: 2014-05-23 12:52 UTC (History)
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-23 12:52:16 UTC
Target Upstream Version:
Embargoed:



Description Omri Hochman 2014-04-30 11:06:50 UTC
[Openstack-Staypuft]: SELinux AVCs during katello-installer --foreman-authentication=false in messages.

Environment (Havana A4 puddle 2014-04-25.2):
---------------------------------------------
ruby193-rubygem-staypuft-0.0.11-5.el6ost.noarch
openstack-foreman-installer-1.0.6-2.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-6.el6ost.noarch
openstack-puppet-modules-2013.2-9.el6ost.noarch
puppet-3.3.2-2.el6.noarch
puppet-server-3.3.2-2.el6.noarch


Steps:
-------
1)  Verify SELinux is enabled (setenforce 1)
2)  Attempt to install staypuft using "katello-installer --foreman-authentication=false"
3)  Check /var/log/messages.


Results:

/var/log/messages 
-------------------
Apr 29 15:05:17 oh-havana-foreman yum[3473]: Installed: ruby193-rubygem-daemon_controller-1.1.4-5.el6sat.noarch
Apr 29 15:05:18 oh-havana-foreman yum[3473]: Installed: ruby193-rubygem-passenger-4.0.5-19.el6sat.x86_64
Apr 29 15:05:18 oh-havana-foreman yum[3473]: Installed: ruby193-rubygem-passenger-native-libs-4.0.5-19.el6sat.x86_64
Apr 29 15:05:18 oh-havana-foreman yum[3473]: Installed: ruby193-rubygem-passenger-native-4.0.5-19.el6sat.x86_64
Apr 29 15:06:22 oh-havana-foreman puppet-agent[3801]: Reopening log files
Apr 29 15:06:23 oh-havana-foreman puppet-agent[3801]: Starting Puppet client version 3.3.2
Apr 29 15:06:26 oh-havana-foreman kernel: type=1400 audit(1398773186.334:7): avc:  denied  { relabelto } for  pid=3851 comm="ruby" name="yaml" dev=dm-0 ino=525525 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_ruppet_var_lib_t:s0 tclass=dir
Apr 29 15:06:26 oh-havana-foreman kernel: type=1400 audit(1398773186.401:8): avc:  denied  { relabelto } for  pid=3851 comm="ruby" name="masterhttp.log" dev=dm-0 ino=527385 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_ruppet_log_t:s0 tclass=file
Apr 29 15:06:26 oh-havana-foreman kernel: type=1400 audit(1398773186.652:9): avc:  denied  { relabelto } for  pid=3851 comm="ruby" name="ca_crt.pem" dev=dm-0 ino=656205 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_ruppet_var_lib_t:s0 tclass=file
Apr 29 15:06:26 oh-havana-foreman puppet-master[3851]: Starting Puppet master version 3.3.2
Apr 29 15:06:27 oh-havana-foreman kernel: type=1400 audit(1398773187.053:10): avc:  denied  { execute } for  pid=3911 comm="ruby" name="node.rb" dev=dm-0 ino=1443382 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_ruppet_etc_t:s0 tclass=file
Apr 29 15:06:27 oh-havana-foreman kernel: type=1400 audit(1398773187.054:11): avc:  denied  { execute_no_trans } for  pid=3911 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=1443382 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_ruppet_etc_t:s0 tclass=file
Apr 29 15:06:27 oh-havana-foreman puppet-master[3907]: Failed to find oh-havana-foreman.scl.lab.tlv.redhat.com via exec: Execution of '/etc/puppet/node.rb oh-havana-foreman.scl.lab.tlv.redhat.com' returned 1: 
Apr 29 15:06:27 oh-havana-foreman puppet-agent[3816]: Unable to fetch my node definition, but the agent run will continue:
Apr 29 15:06:27 oh-havana-foreman puppet-agent[3816]: Error 400 on SERVER: Failed to find oh-havana-foreman.scl.lab.tlv.redhat.com via exec: Execution of '/etc/puppet/node.rb oh-havana-foreman.scl.lab.tlv.redhat.com' returned 1: 
Apr 29 15:06:27 oh-havana-foreman puppet-agent[3816]: (/File[/var/lib/puppet/lib/puppet]/ensure) removed
Apr 29 15:06:27 oh-havana-foreman puppet-agent[3816]: (/File[/var/lib/puppet/lib/facter]/ensure) removed
Apr 29 15:06:53 oh-havana-foreman puppet-master[3907]: Failed when searching for node oh-havana-foreman.scl.lab.tlv.redhat.com: Failed to find oh-havana-foreman.scl.lab.tlv.redhat.com via exec: Execution of '/etc/puppet/node.rb oh-havana-foreman.scl.lab.tlv.redhat.com' returned 1: 
Apr 29 15:06:53 oh-havana-foreman puppet-master[3907]: Failed when searching for node oh-havana-foreman.scl.lab.tlv.redhat.com: Failed to find oh-havana-foreman.scl.lab.tlv.redhat.com via exec: Execution of '/etc/puppet/node.rb oh-havana-foreman.scl.lab.tlv.redhat.com' returned 1: 
Apr 29 15:06:53 oh-havana-foreman puppet-agent[3816]: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed when searching for node oh-havana-foreman.scl.lab.tlv.redhat.com: Failed to find oh-havana-foreman.scl.lab.tlv.redhat.com via exec: Execution of '/etc/puppet/node.rb oh-havana-foreman.scl.lab.tlv.redhat.com' returned 1: 
Apr 29 15:06:53 oh-havana-foreman puppet-agent[3816]: Using cached catalog
Apr 29 15:06:53 oh-havana-foreman puppet-agent[3816]: Could not retrieve catalog; skipping run
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.641:12): avc:  denied  { sigstop } for  pid=3681 comm="PassengerHelper" scontext=unconfined_u:system_rassenger_t:s0 tcontext=unconfined_u:system_rassenger_t:s0 tclass=process
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.972:13): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/dev/shm" dev=tmpfs ino=5509 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.973:14): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/proc/bus/usb" dev=usbfs ino=5450 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:usbfs_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.973:15): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.973:16): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/dev/vda1" dev=devtmpfs ino=6035 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.974:17): avc:  denied  { search } for  pid=4245 comm="lsof" scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.974:18): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/proc/sys/fs/binfmt_misc" dev=binfmt_misc ino=1 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.981:19): avc:  denied  { search } for  pid=4243 comm="lsof" name="dbus" dev=dm-0 ino=524779 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.981:20): avc:  denied  { getattr } for  pid=4243 comm="lsof" path="/var/run/dbus/system_bus_socket" dev=dm-0 ino=525384 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.981:21): avc:  denied  { getattr } for  pid=4243 comm="lsof" path="/var/run/acpid.socket" dev=dm-0 ino=525414 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:apmd_var_run_t:s0 tclass=sock_file
Apr 29 15:07:01 oh-havana-foreman abrtd: Directory 'ccpp-2014-04-29-15:07:01-3671' creation detected
Apr 29 15:07:01 oh-havana-foreman abrt[4248]: Saved core dump of pid 3671 (/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/agents/PassengerHelperAgent) to /var/spool/abrt/ccpp-2014-04-29-15:07:01-3671 (36253696 bytes)
Apr 29 15:07:01 oh-havana-foreman puppet-agent[3816]: Could not send report: Error 500 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
Apr 29 15:07:01 oh-havana-foreman puppet-agent[3816]: <html><head>
Apr 29 15:07:01 oh-havana-foreman puppet-agent[3816]: <title>500 Internal Server Error</title>
Apr 29 15:07:01 oh-havana-foreman puppet-agent[3816]: </head><body>
Apr 29 15:07:01 oh-havana-foreman puppet-agent[3816]: <h1>Internal Server Error</h1>
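The denials above are easier to act on once they are reduced to (source type, target type, class) -> permissions, which is also where the odd-looking "system_rassenger_t" context stands out: it has only three colon-separated fields and its role does not end in _r. The script below is an added example written for this page, not code from the bug report or from Foreman/Staypuft. It parses type=1400 AVC records as syslog writes them, flags contexts that are not of the user:role:type[:level] form, and builds audit2allow-style rules from the well-formed ones. The SAMPLE_LOG is constructed: serials 7, 10 and 11 are modelled on the report's wrapped lines but written with well-formed passenger_t / puppet_*_t contexts (an assumption about what the garbled fields were), serials 13 and 15 are the report's lsof lines verbatim, and the last line is a non-AVC line to show the filter.

```python
"""Summarise SELinux AVC denials from /var/log/messages and flag contexts
that are not well-formed. Added example; not code from the bug report or
from the Foreman/Staypuft projects."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Kernel AVC record as syslog prints it:
# "type=1400 audit(<epoch>:<serial>): avc:  denied  { perms } for  k=v k=v ..."
AVC_RE = re.compile(
    r"type=1400 audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class Avc(NamedTuple):
    serial: int
    perms: tuple
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    target: str   # path= or name= from the record, if present


def parse_avc(line: str) -> Optional[Avc]:
    """Return an Avc for a 'type=1400 ... avc: denied' line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return Avc(
        serial=int(m.group("serial")),
        perms=tuple(m.group("perms").split()),
        comm=kv.get("comm", ""),
        scontext=kv.get("scontext", ""),
        tcontext=kv.get("tcontext", ""),
        tclass=kv.get("tclass", ""),
        target=kv.get("path") or kv.get("name") or "",
    )


def parse_log(text: str):
    """All AVC records in a chunk of /var/log/messages, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def context_fields(ctx: str):
    """Split user:role:type[:level]. In targeted policy the role ends in _r
    and the type in _t; a context such as 'unconfined_u:system_rassenger_t:s0'
    (as pasted in the report) fails that check and yields None."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        return None
    user, role, typ = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    if not (role.endswith("_r") and typ.endswith("_t")):
        return None
    return user, role, typ, level


def malformed(records):
    """(serial, field, context) for every context that does not parse."""
    bad = []
    for r in records:
        for field in ("scontext", "tcontext"):
            ctx = getattr(r, field)
            if context_fields(ctx) is None:
                bad.append((r.serial, field, ctx))
    return bad


def summarize(records):
    """Map (source type, target type, tclass) -> sorted permissions,
    skipping records whose contexts are malformed."""
    out = defaultdict(set)
    for r in records:
        s, t = context_fields(r.scontext), context_fields(r.tcontext)
        if s is None or t is None:
            continue
        out[(s[2], t[2], r.tclass)].update(r.perms)
    return {k: sorted(v) for k, v in out.items()}


def allow_rules(summary):
    """audit2allow-style rules: input for a policy review, not for blind loading."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules


# Constructed sample (see the lead-in): serials 7/10/11 modelled on the
# report with well-formed contexts assumed; 13/15 are the report's lsof
# lines verbatim; the last line is a non-AVC puppet-agent line.
SAMPLE_LOG = """\
Apr 29 15:06:26 oh-havana-foreman kernel: type=1400 audit(1398773186.334:7): avc:  denied  { relabelto } for  pid=3851 comm="ruby" name="yaml" dev=dm-0 ino=525525 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
Apr 29 15:06:27 oh-havana-foreman kernel: type=1400 audit(1398773187.053:10): avc:  denied  { execute } for  pid=3911 comm="ruby" name="node.rb" dev=dm-0 ino=1443382 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Apr 29 15:06:27 oh-havana-foreman kernel: type=1400 audit(1398773187.054:11): avc:  denied  { execute_no_trans } for  pid=3911 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=1443382 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.972:13): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/dev/shm" dev=tmpfs ino=5509 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
Apr 29 15:07:00 oh-havana-foreman kernel: type=1400 audit(1398773220.973:15): avc:  denied  { getattr } for  pid=4245 comm="lsof" path="/boot" dev=vda1 ino=2 scontext=unconfined_u:system_rassenger_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir
Apr 29 15:06:53 oh-havana-foreman puppet-agent[3816]: Using cached catalog
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in allow_rules(summarize(recs)):
        print(rule)
    for serial, field, ctx in malformed(recs):
        print(f"serial {serial}: {field} does not parse: {ctx}")
```

Run it against the real file with `parse_log(open("/var/log/messages").read())`. The generated allow rules say what the confined domain tried to do (relabel Puppet state, execute a script under /etc/puppet); whether that should be permitted is a policy decision for the package that ships the domain's policy, which is why the fix in this bug went through foreman-selinux rather than a local audit2allow module.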

Comment 3 Omri Hochman 2014-05-14 21:55:42 UTC
Same issue occurs when using staypuft-installer instead of katello-installer.

Comment 4 Omri Hochman 2014-05-15 14:51:36 UTC
As well, there are other iptables SELinux AVCs in messages when using staypuft-installer; for more information check bug #1098244.

Comment 5 Lukas Zapletal 2014-05-16 11:40:44 UTC
Hey,

do I see the right context: unconfined_u:system_rassenger_t

Rassenger? Should be passenger.

Please provide us output of:

ps -xauwwwZ

Comment 7 Lukas Zapletal 2014-05-23 11:05:31 UTC
Putting this to MODIFIED because I believe this was tested WITHOUT the foreman-selinux package installed. Please re-test with this package installed; the latest build from brew should include it already today.

Upstream builds that contain necessary work to get rid of these denials:

https://github.com/theforeman/foreman-tasks/pull/54
https://github.com/theforeman/foreman-selinux/pull/18 (not yet merged)

If you can upgrade to those (no brew builds yet) and re-test that would be fantastic:

http://koji.katello.org/koji/taskinfo?taskID=111800
http://koji.katello.org/koji/taskinfo?taskID=112021

Comment 8 Lukas Zapletal 2014-05-23 11:09:13 UTC
Ok POST would be better state.

Comment 10 Mike Burns 2014-05-23 12:52:16 UTC
Basically the same bug -- SELinux issues with Foreman. Will leave the other one open since it has more info and attachments...

*** This bug has been marked as a duplicate of bug 1098244 ***

