Description of problem: There are some SELinux issues while running `katello-installer` like these: avc: denied { execmem/name_connect/write/read/connectto } for ... comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0 ... Version-Release number of selected component (if applicable): Satellite-6.0.3-RHEL-6-20140620.0 How reproducible: 2 of 2 Steps to Reproduce: 1. Get frest RHEL6 system and attempt to install Satellite 6 there Actual results: time->Mon Jun 23 18:46:11 2014 type=SYSCALL msg=audit(1403563571.579:225): arch=c000003e syscall=9 success=yes exit=53387071381504 a0=308e256ce000 a1=1000 a2=7 a3=32 items=0 ppid=24106 pid=24114 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403563571.579:225): avc: denied { execmem } for pid=24114 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process ---- time->Mon Jun 23 18:46:34 2014 type=SYSCALL msg=audit(1403563594.360:226): arch=c000003e syscall=42 success=no exit=-111 a0=8 a1=9e14040 a2=1c a3=7fff1f08db60 items=0 ppid=24106 pid=24114 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403563594.360:226): avc: denied { name_connect } for pid=24114 comm="ruby" dest=9200 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket ---- time->Mon Jun 23 18:47:32 2014 type=SYSCALL msg=audit(1403563652.582:227): arch=c000003e syscall=21 success=yes exit=0 a0=e6637e0 a1=2 a2=0 a3=1b0f items=0 ppid=24106 pid=24114 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403563652.582:227): avc: denied { write } for pid=24114 comm="ruby" name="production.log" dev=dm-0 ino=1710643 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:foreman_log_t:s0 tclass=file ---- time->Mon Jun 23 18:47:32 2014 type=SYSCALL msg=audit(1403563652.582:228): arch=c000003e syscall=2 success=yes exit=8 a0=e6637e0 a1=442 a2=1b6 a3=d8 items=0 ppid=24106 pid=24114 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403563652.582:228): avc: denied { read } for pid=24114 comm="ruby" name="production.log" dev=dm-0 ino=1710643 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:foreman_log_t:s0 tclass=file ---- time->Mon Jun 23 18:47:50 2014 type=SYSCALL msg=audit(1403563670.386:229): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffe0ac6c3e0 a2=6e a3=1 items=0 ppid=24114 pid=25169 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403563670.386:229): avc: denied { connectto } for pid=25169 comm="ruby" path="/var/run/foreman/sockets/dynflow_socket" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket ---- time->Mon Jun 23 18:53:42 2014 type=SYSCALL msg=audit(1403564022.055:236): arch=c000003e syscall=9 success=yes exit=23335527546880 a0=153939d48000 a1=1000 a2=7 a3=32 items=0 ppid=28041 pid=28047 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403564022.055:236): avc: denied { execmem } for pid=28047 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process ---- time->Mon Jun 23 18:54:06 2014 type=SYSCALL msg=audit(1403564046.436:237): arch=c000003e syscall=42 success=no exit=-111 a0=8 a1=9fc8b80 a2=1c a3=7fffa92cdee0 items=0 ppid=28041 pid=28047 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403564046.436:237): avc: denied { name_connect } for pid=28047 comm="ruby" dest=9200 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket ---- time->Mon Jun 23 18:55:03 2014 type=SYSCALL msg=audit(1403564103.362:238): arch=c000003e syscall=21 success=yes exit=0 a0=d7b7980 a1=2 a2=0 a3=1b0f items=0 ppid=28041 pid=28047 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403564103.362:238): avc: denied { write } for pid=28047 comm="ruby" name="production.log" dev=dm-0 ino=1710643 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:foreman_log_t:s0 tclass=file ---- time->Mon Jun 23 18:55:03 2014 type=SYSCALL msg=audit(1403564103.362:239): arch=c000003e syscall=2 success=yes exit=8 a0=d7b7980 a1=442 a2=1b6 a3=d8 items=0 ppid=28041 pid=28047 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403564103.362:239): avc: denied { read } for pid=28047 comm="ruby" name="production.log" dev=dm-0 ino=1710643 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:foreman_log_t:s0 tclass=file ---- time->Mon Jun 23 18:55:19 2014 type=SYSCALL msg=audit(1403564119.721:240): arch=c000003e syscall=42 success=yes exit=0 a0=b a1=7f7f122203e0 a2=6e a3=1 items=0 ppid=28047 pid=28996 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null) type=AVC msg=audit(1403564119.721:240): avc: denied { connectto } for pid=28996 comm="ruby" path="/var/run/foreman/sockets/dynflow_socket" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket ---- Expected results: No AVCs should be reported
All these bugs should be covered in the upcoming build, except the EXECMEM which we hesitate to add. It looks like passenger does work without this selinux rule. We will monitor that. I see the bug moved to 6.0.4, we will reevaluate this and eventually we can do dontaudit rule for this one.
Moving to POST since upstream bug http://projects.theforeman.org/issues/7178 has been closed ------------- Lukas Zapletal Scratch that for RHEL7, after investigation from this evening with Jason and Og, it turns out it is not passenger but foreman-tasks what causes this denial. And it does not start without this. We run foreman-tasks (dynflow process) in passenger_t because it boots whole foreman to do its work. We need to allow this rule. It does work in RHEL6 but in RHEL7 it does not start. Permissive only gives this denial and enforcing stops tasks from coming up. Allowing this rule proceeds. <pre>service foreman-tasks start Redirecting to /bin/systemctl start foreman-tasks.service Job for foreman-tasks.service failed. See 'systemctl status foreman-tasks.service' and 'journalctl -xn' for details. [root@el7-smoketest ~]# vi log [root@el7-smoketest ~]# audit2allow -m passenger-execmem < log module passenger-execmem 1.0; require { type passenger_t; class process execmem; } #============= passenger_t ============== allow passenger_t self:process execmem; You have new mail in /var/spool/mail/root [root@el7-smoketest ~]# audit2allow -M passenger-execmem < log ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i passenger-execmem.pp [root@el7-smoketest ~]# semodule -i passenger-execmem.pp [root@el7-smoketest ~]# getenforce Enforcing [root@el7-smoketest ~]# service foreman-tasks start Redirecting to /bin/systemctl start foreman-tasks.service You have new mail in /var/spool/mail/root [root@el7-smoketest ~]# cat log type=AVC msg=audit(1408565585.751:711): avc: denied { execmem } for pid=52386 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process [root@el7-smoketest ~]# systemctl status foreman-tasks foreman-tasks.service - Foreman jobs daemon Loaded: loaded (/usr/lib/systemd/system/foreman-tasks.service; enabled) Active: active (running) since Wed 2014-08-20 16:22:15 EDT; 22s ago Docs: https://github.com/iNecas/foreman-tasks Process: 52738 ExecStop=/usr/bin/foreman-tasks stop (code=exited, status=134) Process: 54593 ExecStart=/usr/bin/foreman-tasks start (code=exited, status=0/SUCCESS) CGroup: /system.slice/foreman-tasks.service ├─54635 dynflow_executor └─54637 dynflow_executor_monitor Aug 20 16:20:56 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:20:59 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:20:59 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:22:14 el7-smoketest.sat6.lab.eng.bos.redhat.com foreman-tasks[54593]: ... Aug 20 16:22:15 el7-smoketest.sat6.lab.eng.bos.redhat.com systemd[1]: Started Fo... Hint: Some lines were ellipsized, use -l to show in full.</pre> ------------- Anonymous Applied in changeset commit:d867377e56451fc43030a30958499d34e6f4e485.
We need to investigate this more. It looks like it's not the Satellite 6 (passenger) instance who throws that, but foreman-tasks which is running in the same domain (passenger_t) for obvious reasons (it boots up whole satellite 6 rails environment thus it needs to be in the same domain). It looks like less-rails -> therubyracer -> v8 is the root cause but we don't know why and what does it compile. Maybe the environment is not the same as when we start Rails the normal way thus it does not find all the files?
Verified * apr-util-ldap-1.3.9-3.el6_0.1.x86_64 * candlepin-0.9.32-1.el6.noarch * candlepin-common-1.0.8-1.el6.noarch * candlepin-selinux-0.9.32-1.el6.noarch * candlepin-tomcat6-0.9.32-1.el6.noarch * elasticsearch-0.90.10-7.el6.noarch * foreman-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-compute-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-gce-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-libvirt-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-ovirt-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-postgresql-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-proxy-1.7.0-0.develop.201410101404git7961640.el6.noarch * foreman-release-1.7.0-0.develop.201410150839gitb948163.el6.noarch * foreman-selinux-1.7.0-0.develop.201409301113git2f345de.el6.noarch * foreman-vmware-1.7.0-0.develop.201410150839gitb948163.el6.noarch * katello-2.1.0-1.201410161306gite21feb2.el6.noarch * katello-certs-tools-2.0.1-1.el6.noarch * katello-default-ca-1.0-1.noarch * katello-installer-2.1.0-1.201410151311git9100203.el6.noarch * katello-repos-2.1.1-1.el6.noarch * katello-server-ca-1.0-1.noarch * openldap-2.4.23-32.el6_4.1.x86_64 * pulp-docker-plugins-0.2.1-0.2.beta.el6.noarch * pulp-katello-0.3-3.el6.noarch * pulp-nodes-common-2.5.0-0.7.beta.el6.noarch * pulp-nodes-parent-2.5.0-0.7.beta.el6.noarch * pulp-puppet-plugins-2.5.0-0.7.beta.el6.noarch * pulp-puppet-tools-2.5.0-0.7.beta.el6.noarch * pulp-rpm-plugins-2.5.0-0.7.beta.el6.noarch * pulp-selinux-2.5.0-0.7.beta.el6.noarch * pulp-server-2.5.0-0.7.beta.el6.noarch * python-ldap-2.3.10-1.el6.x86_64 * ruby193-rubygem-ldap_fluff-0.3.2-1.el6.noarch * ruby193-rubygem-net-ldap-0.3.1-2.el6.noarch * ruby193-rubygem-runcible-1.2.0-1.el6.noarch * rubygem-hammer_cli-0.1.3-1.201409240954gitf3c47c7.el6.noarch * rubygem-hammer_cli_foreman-0.1.3-1.201410151235gitbc8c449.el6.noarch * rubygem-hammer_cli_foreman_tasks-0.0.3-2.201409091410gitc96619d.git.0.37f3704.el6.noarch * rubygem-hammer_cli_import-0.10.4-1.el6.noarch * rubygem-hammer_cli_katello-0.0.6-1.201410161327gite14cd51.git.0.a8188a8.el6.noarch
This bug is slated to be released with Satellite 6.1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592