Bug 1115958 - AVCs on RHEL7 while configuring capsule
Summary: AVCs on RHEL7 while configuring capsule
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Og Maciel
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-07-03 11:58 UTC by Jan Hutař
Modified: 2019-09-26 15:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-11 12:21:40 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 7034 0 None None None 2016-04-22 15:35:26 UTC

Description Jan Hutař 2014-07-03 11:58:24 UTC
Description of problem:
When you attempt to configure capsule/smart proxy on Sat6 on RHEL7, some SELinux AVC denials appear.


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-7-20140702.0
selinux-policy-targeted-3.12.1-153.el7.noarch


How reproducible:
1 of 1


Steps to Reproduce:
1. # katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip>  --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false


Actual results:
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:413): arch=c000003e syscall=4 success=yes exit=0 a0=7f1578002eb8 a1=7f1578002e00 a2=7f1578002e00 a3=2 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:413): avc:  denied  { getattr } for  pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:414): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=700000014 a3=c9bc90 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:414): avc:  denied  { block_suspend } for  pid=79240 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:415): arch=c000003e syscall=2 success=yes exit=17 a0=7fb3ecb43500 a1=0 a2=1b6 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:415): avc:  denied  { open } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc:  denied  { read } for  pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:416): arch=c000003e syscall=16 success=no exit=-25 a0=11 a1=5401 a2=7fb3f53b1ea0 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:416): avc:  denied  { ioctl } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


Expected results:
No AVCs


Additional info:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
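The records above carry two things worth pulling out when triaging a report like this: which (source type, target type, class, permission) tuples the policy would need to cover, and whether the denials were actually enforced. Every SYSCALL line except the last reports success=yes, which matches the sestatus output (current mode permissive): the accesses were audited, not blocked. The last event fails with exit=-25 (ENOTTY), which is the ioctl itself being unsupported on a tmpfs file, not an SELinux refusal (an enforced denial returns EACCES, -13). The following script is an added example, not code from this bug or from foreman-selinux; it embeds a constructed sample built from the audit records quoted above (SYSCALL lines trimmed to the fields it uses), and the function names are hypothetical.

```python
import errno
import re
from collections import defaultdict

# Constructed sample input: the five audit events quoted in this bug's
# "Actual results", with SYSCALL records trimmed to the fields used here.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1404367896.544:413): arch=c000003e syscall=4 success=yes exit=0 pid=79240 comm="PassengerHelper" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:413): avc:  denied  { getattr } for  pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1404367896.544:414): arch=c000003e syscall=233 success=yes exit=0 pid=79240 comm="PassengerHelper" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:414): avc:  denied  { block_suspend } for  pid=79240 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
type=SYSCALL msg=audit(1404367896.644:415): arch=c000003e syscall=2 success=yes exit=17 pid=1804 comm="ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:415): avc:  denied  { open } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc:  denied  { read } for  pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1404367896.644:416): arch=c000003e syscall=16 success=no exit=-25 pid=1804 comm="ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:416): avc:  denied  { ioctl } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
"""

# type=<REC> msg=audit(<timestamp>:<event id>): <body>
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# the permission set inside "avc:  denied  { ... }"
PERM_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")
# key=value pairs, with or without double quotes around the value
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text):
    """Return one dict per audit record: type, event id, and its key=value fields."""
    records = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, event, body = m.groups()
        rec = {"type": rtype, "event": int(event)}
        rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(body)})
        if rtype == "AVC":
            pm = PERM_RE.search(body)
            rec["perms"] = set(pm.group(1).split()) if pm else set()
        records.append(rec)
    return records


def type_of(context):
    """Type component (third field) of a user:role:type:level context string."""
    return context.split(":")[2]


def summarize_denials(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for rec in records:
        if rec["type"] == "AVC" and rec.get("perms"):
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            summary[key] |= rec["perms"]
    return dict(summary)


def enforcement_status(records):
    """Pair each event's AVC denials with its SYSCALL outcome.

    Returns {event id: (denied perms, syscall succeeded, exit code)}. A denial
    whose syscall still reports success=yes was audited but not blocked, which
    is what permissive mode (or a permissive domain) looks like in the log.
    """
    syscalls = {r["event"]: r for r in records if r["type"] == "SYSCALL"}
    result = {}
    for rec in records:
        if rec["type"] != "AVC":
            continue
        sc = syscalls.get(rec["event"])
        perms = result.get(rec["event"], (set(), None, None))[0] | rec["perms"]
        success = (sc["success"] == "yes") if sc else None
        exit_code = int(sc["exit"]) if sc else None
        result[rec["event"]] = (perms, success, exit_code)
    return result


def audited_only(status):
    """Event ids where access was denied by policy but the syscall still succeeded."""
    return sorted(e for e, (_p, ok, _c) in status.items() if ok is True)


def blocked_by_selinux(status):
    """Event ids whose syscall failed with EACCES, the usual sign of an enforced denial.

    Other failures (here ENOTTY on event 416) are not caused by the denial.
    """
    return sorted(e for e, (_p, ok, code) in status.items()
                  if ok is False and code == -errno.EACCES)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for (src, tgt, cls), perms in sorted(summarize_denials(recs).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    status = enforcement_status(recs)
    print("audited but not blocked:", audited_only(status))
    print("blocked with EACCES:", blocked_by_selinux(status))
```

Run against `ausearch -m AVC,SYSCALL` output the same way; the grouped tuples are what a policy fix has to address (here passenger_t reading var_run_t files under /run/foreman, and the block_suspend capability), while the success/exit pairing tells you whether the report was taken in permissive mode, as this one was.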

Comment 2 Lukas Zapletal 2014-08-12 07:16:46 UTC
Jan, do you have foreman-selinux package installed?

From AVC denials, I can see that there must be Foreman application running on this host. But you say you are installing Capsule. I don't get it. You are not allowed to install Capsules on hosts with Satellite 6 (there are some port interferences).

Comment 5 Lukas Zapletal 2014-08-12 08:36:15 UTC
Fixing in http://projects.theforeman.org/issues/7034

Comment 6 Bryan Kearney 2014-08-12 16:03:21 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7034 has been closed
-------------
Lukas Zapletal
https://github.com/theforeman/foreman-selinux/pull/26
-------------
Anonymous
Applied in changeset commit:7b9410507203c9c5f58283bc39f5da8ee8a92608.

Comment 8 Og Maciel 2014-09-02 19:58:42 UTC
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:  
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch

Comment 10 Bryan Kearney 2014-09-11 12:21:40 UTC
This was delivered with Satellite 6.0, which was released on 10 September 2014.

