Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1115958 - AVCs on RHEL7 while configuring capsule
Summary: AVCs on RHEL7 while configuring capsule
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Og Maciel
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-03 11:58 UTC by Jan Hutař
Modified: 2019-09-26 15:44 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-11 12:21:40 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 7034 0 None None None 2016-04-22 15:35:26 UTC

Description Jan Hutař 2014-07-03 11:58:24 UTC
Description of problem:
When you attempt to configure capsule/smart proxy on Sat6 on RHEL7, some SELinux AVC denials appear.


Version-Release number of selected component (if applicable):
Satellite-6.0.3-RHEL-7-20140702.0
selinux-policy-targeted-3.12.1-153.el7.noarch


How reproducible:
1 of 1


Steps to Reproduce:
1. # katello-installer --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip> --capsule-dns-forwarders <ip>  --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <secret> --capsule-pulp false


Actual results:
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:413): arch=c000003e syscall=4 success=yes exit=0 a0=7f1578002eb8 a1=7f1578002e00 a2=7f1578002e00 a3=2 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:413): avc:  denied  { getattr } for  pid=79240 comm="PassengerHelper" path="/run/foreman/restart.txt" dev="tmpfs" ino=179535 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.544:414): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=700000014 a3=c9bc90 items=0 ppid=79222 pid=79240 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/lib64/gems/ruby/passenger-4.0.18/agents/PassengerHelperAgent" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.544:414): avc:  denied  { block_suspend } for  pid=79240 comm="PassengerHelper" capability=36  scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability2
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:415): arch=c000003e syscall=2 success=yes exit=17 a0=7fb3ecb43500 a1=0 a2=1b6 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:415): avc:  denied  { open } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1404367896.644:415): avc:  denied  { read } for  pid=1804 comm="ruby" name="entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
----
time->Thu Jul  3 02:11:36 2014
type=SYSCALL msg=audit(1404367896.644:416): arch=c000003e syscall=16 success=no exit=-25 a0=11 a1=5401 a2=7fb3f53b1ea0 a3=0 items=0 ppid=997 pid=1804 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1404367896.644:416): avc:  denied  { ioctl } for  pid=1804 comm="ruby" path="/run/foreman/cache/69D/EC0/entries_per_page" dev="tmpfs" ino=202360 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file


Expected results:
No AVCs


Additional info:
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 2 Lukas Zapletal 2014-08-12 07:16:46 UTC
Jan, do you have foreman-selinux package installed?

From AVC denials, I can see that there must be Foreman application running on this host. But you say you are installing Capsule. I don't get it. You are not allowed to install Capsules on hosts with Satellite 6 (there are some port interferences).

Comment 5 Lukas Zapletal 2014-08-12 08:36:15 UTC
Fixing in http://projects.theforeman.org/issues/7034

Comment 6 Bryan Kearney 2014-08-12 16:03:21 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7034 has been closed
-------------
Lukas Zapletal
https://github.com/theforeman/foreman-selinux/pull/26
-------------
Anonymous
Applied in changeset commit:7b9410507203c9c5f58283bc39f5da8ee8a92608.

Comment 8 Og Maciel 2014-09-02 19:58:42 UTC
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:  
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch

Comment 10 Bryan Kearney 2014-09-11 12:21:40 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.


Note You need to log in before you can comment on or make changes to this bug.