which is prevented by SELinux. This has something to do with SELinux users and RHEL6. Discussion is here:
<pre>
14:56 lzap | dwalsh: https://gist.github.com/lzap/b2c29cd20da2a0d95459
14:57 lzap | dwalsh: mirek told me the other day I see relabelto because the process is touching xattrs most likely. whatever, I'd like to allow that, but my rules do not apply for some reason
14:58 dwalsh | lzap, You are relabeling a file to system_u:... You are running as unconfined_u. There is a constraint that says you are not allowed to do this unless you have a certain attribute.
14:58 dwalsh | scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0
14:58 dwalsh | Is passenger_t doing a setfilecon?
15:00 dwalsh | lzap, It looks like you ran passenger from an unconfined_u user,
15:00 lzap | oh
15:00 lzap | like started it from shell right?
15:01 dwalsh | lzap, I would not have a problem doing it. We really do not enforce on user part of the label.
15:01 dwalsh | Did you do a runcon to get the service to start?
15:01 lzap | it was puppet who started that
15:01 lzap | puppet agent
15:01 lzap | but puppet started from openstack installer
15:01 lzap | and that was obviously started as root
15:02 lzap | but I'd expect when I'd do service start it would start normally
15:02 lzap | puppet is doing: service httpd start
15:02 dwalsh | is this RHEL6?
15:02 lzap | yes
15:02 lzap | 6.54
15:02 lzap | 6.5
15:03 dwalsh | Well puppet must have been running as unconfined_u which means someone restarted it.
15:03 dwalsh | In RHEL7 this would not be a problem because services would be started via systemd, which would be running as system_u.
15:04 dwalsh | domain_subj_id_change_exemption(passenger_t) would fix the problem.
15:04 dwalsh | Most of the time passenger_t would run as system_u, since it would be started at boot time. But if a user did a service restart, then I guess this could happen.
15:05 lzap | so you are telling me that all services which are running under RHEL6 and are confined can go wrong as soon as root restarts them from a shell?
15:06 dwalsh | No only services that attempt to do built in SELinux calls.
15:06 dwalsh | Puppet must be doing a setfiles() call to change the label.
15:07 lzap | ok I will investigate this, but I'd not expect this there
15:07 lzap | it's a ruby app without any selinux support
15:07 lzap | I mean the upstream code
15:07 lzap | and I am not aware of any special handling in our startup scripts or something
15:08 dwalsh | We added selinux support to ruby a few years ago to be used with puppet.
15:08 dwalsh | Search the code for matchpathcon, and setfilecon.
</pre>
Created from redmine issue http://projects.theforeman.org/issues/5910
Upstream bug assigned to lzap
*** Bug 1107680 has been marked as a duplicate of this bug. ***
Moving to POST since upstream bug http://projects.theforeman.org/issues/5910 has been closed
please provide verification steps
This patch was committed:
<pre>
+domain_obj_id_change_exemption(passenger_t)
</pre>
To verify, install Satellite 6 and verify there are no AVC denials. Please ignore this harmless one:
<pre>
time->Wed Aug 27 09:15:56 2014
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 a0=3366d00 a1=16d4d30 a2=0 a3=12 items=0 ppid=4708 pid=4725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
</pre>
Note the "load_policy" domain. We have a separate BZ for this.
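Review bot: the committed line is domain_obj_id_change_exemption(passenger_t) while the chat above suggested domain_subj_id_change_exemption(passenger_t); a one-line commit note explaining the choice would help, since the AVC being fixed is a file relabelto from an unconfined_u process to a system_u object, i.e. a change of the object's SELinux user, which is what the object variant exempts. The verification steps should also cover the trigger described in the chat, restarting httpd (passenger_t) from a root shell so that it runs as unconfined_u, not only a fresh install where the service starts as system_u at boot.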
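As an added example, not code from the bug report or from Foreman/Satellite, the POSIX shell functions below apply the verification rule from the comment above to audit records read from stdin: keep AVC denials, drop the known-harmless load_policy_t one, and flag denials where the SELinux user of scontext differs from that of tcontext, which is the constraint violation behind this bug. The sample records are constructed for the example: the first copies the load_policy denial quoted above, the second is modelled on the scontext/tcontext pair dwalsh quoted in the chat (its pid, inode and file name are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Foreman/Satellite.
# Filters audit records on stdin the way the verification comment describes:
# keep AVC denials, drop the known-harmless load_policy_t one, and flag
# denials where the SELinux user of scontext differs from that of tcontext
# (the constraint violation behind this bug).

# Constructed sample input for the example. The first record copies the
# harmless load_policy denial from the comment; the second is modelled on the
# scontext/tcontext pair quoted in the chat (pid, inode and name are made up).
SAMPLE_AUDIT='type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145400.100:180): avc: denied { relabelto } for pid=4800 comm="ruby" name="puppet.log" dev=vda1 ino=270000 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=SYSCALL msg=audit(1409145400.100:180): arch=c000003e syscall=188 success=no exit=-13'

# Print the AVC denials that matter: drop those whose source domain is
# load_policy_t, which the comment says to ignore (tracked in a separate BZ).
relevant_avcs() {
    grep 'avc: *denied' | grep -v 'scontext=[^ ]*:load_policy_t:'
}

# Count relevant denials; 0 means the verification passes.
count_relevant() {
    relevant_avcs | wc -l | tr -d ' '
}

# For each relevant denial print "<permission> <scontext user> <tcontext user>"
# when the two SELinux users differ. A relabelto from unconfined_u to system_u
# is exactly the case the committed exemption is meant to allow.
user_mismatches() {
    relevant_avcs | awk '{
        perm = ""; su = ""; tu = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            if (index($i, "scontext=") == 1) { split(substr($i, 10), a, ":"); su = a[1] }
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), b, ":"); tu = b[1] }
        }
        if (su != "" && tu != "" && su != tu) print perm, su, tu
    }'
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with:  ausearch -m AVC -ts recent | user_mismatches
printf '%s\n' "$SAMPLE_AUDIT" | user_mismatches
```

On a fixed host, `ausearch -m AVC -ts recent | count_relevant` should print 0 after an install and again after restarting httpd from a root shell (the unconfined_u case from the chat); any line from `user_mismatches` shows the SELinux-user constraint is still being hit.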
VERIFIED: able to install Satellite 6 with no AVC denials
This was delivered with Satellite 6.0 which was released on 10 September 2014.