Description of problem:
When you attempt to configure capsule/smart proxy on Sat6 on RHEL7, some SELinux AVC denials appear.

Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-7-20140702.0
selinux-policy-targeted-3.12.1-153.el7.noarch

How reproducible:
1 of 1

Steps to Reproduce:
1. # katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip> --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false

Actual results:
time->Thu Jul 3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:413): arch=c000003e syscall=4 success=yes exit=0 a0=7f1578002eb8 a1=7f1578002e00 a2=7f1578002e00 a3=2 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:413): avc: denied { getattr } for pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul 3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:414): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=700000014 a3=c9bc90 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:414): avc: denied { block_suspend } for pid=79240 comm="PassengerHelper" capability=36 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
----
time->Thu Jul 3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:415): arch=c000003e syscall=2 success=yes exit=17 a0=7fb3ecb43500 a1=0 a2=1b6 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:415): avc: denied { open } for pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc: denied { read } for pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul 3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:416): arch=c000003e syscall=16 success=no exit=-25 a0=11 a1=5401 a2=7fb3f53b1ea0 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:416): avc: denied { ioctl } for pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

Expected results:
No AVCs

Additional info:
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
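A triage sketch for the denials listed above, added here as an example and not part of the original report or of foreman-selinux: it parses the report's AVC records and groups the denied permissions by source type, target type and object class. The names `parse_avc` and `summarize` are assumptions made for this example.

```python
import re
from collections import defaultdict

# AVC records copied from the report above (SYSCALL records left out).
AVC_LOG = """\
type=AVC msg=audit(1404367896.544:413): avc: denied { getattr } for pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.544:414): avc: denied { block_suspend } for pid=79240 comm="PassengerHelper" capability=36 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
type=AVC msg=audit(1404367896.644:415): avc: denied { open } for pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc: denied { read } for pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:416): avc: denied { ioctl } for pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log):
    """Group denied permissions and objects by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        group = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        group["perms"].update(rec["perms"])
        # Some records carry only name= (no full path); capability denials have neither.
        obj = rec.get("path") or rec.get("name")
        if obj:
            group["objects"].add(obj)
    return {k: {f: sorted(v[f]) for f in v} for k, v in groups.items()}


if __name__ == "__main__":
    for (stype, ttype, tclass), g in summarize(AVC_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(g['perms'])} }} {g['objects']}")
```

For this report the summary collapses to two groups: `passenger_t` accessing `var_run_t` files under /run/foreman, and the `block_suspend` capability2 denial.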
Jan, do you have the foreman-selinux package installed? From the AVC denials, I can see that there must be the Foreman application running on this host. But you say you are installing Capsule. I don't get it. You are not allowed to install Capsules on hosts with Satellite 6 (there are some port interferences).
Fixing in http://projects.theforeman.org/issues/7034
Moving to POST since upstream bug http://projects.theforeman.org/issues/7034 has been closed
-------------
Lukas Zapletal
https://github.com/theforeman/foreman-selinux/pull/26
-------------
Anonymous
Applied in changeset commit:7b9410507203c9c5f58283bc39f5da8ee8a92608.
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch
This was delivered with Satellite 6.0 which was released on 10 September 2014.