Created attachment 918841 [details]
audit.log

Description of problem:
After installing as documented here: https://mojo.redhat.com/docs/DOC-975597
This is for the AVC on the foreman/astapor node. audit.log will be attached.

Version-Release number of selected component (if applicable):
[root@ospha-inst ~]# yum list installed | grep -e puppet -e foreman -e selinux
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
foreman.noarch 1.6.0.21-1.el6sat @RHEL-6-Server-OS-Foreman
foreman-installer.noarch 1:1.5.0-0.4.RC2.el6ost
foreman-mysql2.noarch 1.6.0.21-1.el6sat @RHEL-6-Server-OS-Foreman
foreman-proxy.noarch 1.6.0.8-1.el6sat @RHEL-6-Server-OS-Foreman
foreman-selinux.noarch 1.6.0-2.el6sat @RHEL-6-Server-OS-Foreman
libselinux.x86_64 2.0.94-5.3.el6_4.1 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
libselinux-python.x86_64 2.0.94-5.3.el6_4.1 @rhel-x86_64-server-6
libselinux-ruby.x86_64 2.0.94-5.3.el6_4.1 @rhel-x86_64-server-6
libselinux-utils.x86_64 2.0.94-5.3.el6_4.1 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openstack-foreman-installer.noarch 2.0.15-1.el6ost @RHEL-6-Server-OS-Foreman
openstack-puppet-modules.noarch 2014.1-19.1.el6ost @RHEL-6-Server-OS-Foreman
puppet.noarch 3.6.2-1.1.el6 @RHEL-6-Server-OS-Foreman
puppet-server.noarch 3.6.2-1.1.el6 @RHEL-6-Server-OS-Foreman
ruby193-rubygem-foreman_openstack_simplify.noarch
rubygem-foreman_api.noarch 0.1.11-4.el6sat @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman.noarch 0.1.0-6.el6sat @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman-doc.noarch
selinux-policy.noarch 3.7.19-231.el6_5.3 @rhel-x86_64-server-6
selinux-policy-targeted.noarch 3.7.19-231.el6_5.3 @rhel-x86_64-server-6
[root@ospha-inst ~]#

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hey Steve, is this still an issue?
I just checked, and see a bunch (all the same) with iptables:

[root@rhos-foreman ~]# grep -i avc /var/log/audit/audit.log
type=USER_AVC msg=audit(1430918017.424:160): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430918017.424:161): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430918017.424:162): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1430920386.226:267): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:268): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:269): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:270): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:271): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.227:272): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.227:273): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.227:274): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:275): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:276): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:277): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:278): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:279): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:280): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:281): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:282): avc: denied { getattr } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.047:283): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.047:284): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:285): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:286): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:287): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:288): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:289): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920396.048:290): avc: denied { getattr } for pid=8776 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:354): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:355): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:356): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:357): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:358): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:359): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:360): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922988.611:361): avc: denied { getattr } for pid=12519 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:362): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:363): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:364): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:365): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:366): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:367): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:368): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430922995.408:369): avc: denied { getattr } for pid=13830 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
[root@rhos-foreman ~]#

Not sure if this is because I have IPtables disabled though
We are seeing this as well...

# ls -l /usr/sbin/iptables
lrwxrwxrwx. 1 root root 13 Dec 23 10:48 /usr/sbin/iptables -> xtables-multi

The puppetlabs/firewall module runs the "iptables --version" command (at least), but I am still not sure why it would be run *on* the puppetmaster.

# grep xtables /var/log/audit/audit.log | audit2allow

#============= passenger_t ==============
allow passenger_t iptables_exec_t:file { read getattr open execute execute_no_trans };

... so as long as you are OK with the puppetmaster running iptables (note that since it's running as a non-root user it cannot even "read" the iptables rules), you could use a policy like this:

# grep xtables /var/log/audit/audit.log | audit2allow -M puppet-iptables
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i puppet-iptables.pp

[root@lark-foreman-01 ~]# cat puppet-iptables.te
<pre>
module puppet-iptables 1.0;

require {
	type passenger_t;
	type iptables_exec_t;
	class file { read getattr open execute execute_no_trans };
}

#============= passenger_t ==============
allow passenger_t iptables_exec_t:file { read getattr open execute execute_no_trans };
</pre>

I assume this should be a bug against foreman-selinux.

Tommy
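Before loading a module like the one above, it helps to see exactly which permissions the raw audit.log actually records; this added Python example (not code from the bug, Foreman or audit2allow) reduces AVC records in the shape shown in this report to the (source type, target type, class, permissions) tuples that audit2allow writes its allow rules from, skipping the USER_AVC policyload notices, which are not denials. The sample log is constructed: two of the getattr records from this report plus one constructed execute denial, to show how permissions from separate records merge into one rule.

```python
import re
from collections import defaultdict

# Matches one AVC "denied" record as grep -i avc prints it. USER_AVC policyload
# notices (a normal side effect of loading policy) are not denials and do not match.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\}\s+for .*?comm="(?P<comm>[^"]*)"(?: path="(?P<path>[^"]*)")?'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Constructed sample in the shape of the records in this report: one policyload
# notice, two of the reported getattr denials and one constructed execute denial.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1430918017.424:160): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1430920386.226:267): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920386.226:268): avc: denied { getattr } for pid=8788 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1430920393.889:275): avc: denied { execute } for pid=14138 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-0" ino=201934593 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
"""

def type_of(context):
    """user:role:type:level -> type; allow rules are written in terms of types."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield one dict per AVC denied record; every other line is skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            yield rec

def summarize(log_text):
    """Group denials by (source_type, target_type, tclass), the key audit2allow makes one allow rule from."""
    rules = defaultdict(lambda: {"perms": set(), "count": 0})
    for rec in parse_denials(log_text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key]["perms"].update(rec["perms"])
        rules[key]["count"] += 1
    return dict(rules)

def as_allow_rules(summary):
    """Render .te-style allow lines listing only permissions actually denied, for review before semodule -i."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};  # {v['count']} records"
        for (s, t, c), v in sorted(summary.items())
    ]
```

Comparing its output with the { read getattr open execute execute_no_trans } rule audit2allow proposed above shows which permissions were observed versus which would be granted, and the record count shows how many near-identical log lines collapse into a single rule.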
Closing list of bugs for RHEL OSP Installer since its support cycle has already ended [0]. If there is some bug closed by mistake, feel free to re-open. For new deployments, please, use RHOSP director (starting with version 7). -- Jaromir Coufal -- Sr. Product Manager -- Red Hat OpenStack Platform [0] https://access.redhat.com/support/policy/updates/openstack/platform