Bug 1129094 - SELinux AVCs when installing on RHEL 6.6
Summary: SELinux AVCs when installing on RHEL 6.6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Jason Montleon
QA Contact: Tazim Kolhar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On: 1127773
Blocks:
 
Reported: 2014-08-12 08:48 UTC by Jan Hutař
Modified: 2017-02-23 21:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 05:14:03 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 7051 0 None None None 2020-01-06 12:54:49 UTC
Red Hat Product Errata RHSA-2015:1592 0 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 09:04:35 UTC

Description Jan Hutař 2014-08-12 08:48:22 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. # yum install -y katello foreman-libvirt foreman-ovirt foreman-compute foreman-vmware
2. # katello-installer --interactive   # but used all the defaults there


Actual results:
# cat /var/log/audit/audit.log | audit2allow 


#============= passenger_t ==============
#!!!! The source type 'passenger_t' can write to a 'dir' of the following types:
# puppet_var_lib_t, passenger_tmp_t, passenger_log_t, passenger_var_lib_t, passenger_var_run_t, mnt_t, tmp_t, puppet_log_t, var_run_t, var_log_t, cluster_conf_t, foreman_var_run_t, httpd_tmp_t, cluster_var_lib_t, cluster_var_run_t, foreman_lib_t, root_t

allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t self:process execmem;

#============= prelink_mask_t ==============
allow prelink_mask_t lib_t:file { relabelto unlink };
allow prelink_mask_t postfix_public_t:fifo_file { read write };
allow prelink_mask_t qpidd_var_lib_t:file write;

#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;


Expected results:
No AVCs at all although I do understand these prelink ones are probably not Satellite 6 business - do not know.
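
An added example, not part of the bug report or of the Foreman/Katello code: a small parser that groups the audit2allow rules quoted in the description by source domain (separating the `passenger_t` denials from the prelink ones) and flags permissions that deserve review before any rule is loaded as local policy. The function names and the `REVIEW_PERMS` list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the allow rules quoted in the bug description above.
SAMPLE = """\
#============= passenger_t ==============
allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t self:process execmem;
#============= prelink_mask_t ==============
allow prelink_mask_t lib_t:file { relabelto unlink };
allow prelink_mask_t postfix_public_t:fifo_file { read write };
allow prelink_mask_t qpidd_var_lib_t:file write;
#============= prelink_t ==============
allow prelink_t initrc_t:fifo_file setattr;
allow prelink_t system_cronjob_t:fifo_file setattr;
"""

# Assumption: permissions this example treats as needing manual review before
# a rule is ever loaded as local policy; the list is illustrative, not complete.
REVIEW_PERMS = {"execmem", "execute_no_trans", "relabelto"}

RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+))\s*;\s*$"
)

def parse_rules(text):
    """Return (source, target, tclass, perms) for each allow rule; skip comments."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            perms = frozenset((m.group(4) or m.group(5) or "").split())
            rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def triage(text):
    """Group rules by source domain and list the ones carrying review permissions."""
    by_source, flagged = defaultdict(list), []
    for rule in parse_rules(text):
        by_source[rule[0]].append(rule)
        hits = rule[3] & REVIEW_PERMS
        if hits:
            flagged.append((rule[0], rule[1], rule[2], sorted(hits)))
    return dict(by_source), flagged

if __name__ == "__main__":
    print(triage(SAMPLE)[1])
```
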

Comment 4 Lukas Zapletal 2014-08-12 09:18:48 UTC
The following denials

allow passenger_t foreman_log_t:dir { write add_name };
allow passenger_t foreman_log_t:file create;

will be fixed here

http://projects.theforeman.org/issues/7036

For this one:

allow passenger_t puppet_etc_t:file { execute execute_no_trans };

we need to make sure foreman.spec contains foreman-selinux dependency.

JASON: To fix the latter, please cherry pick those two patches in the packaging repo (the SPEC file):

https://github.com/theforeman/foreman-packaging/pull/296/files
https://github.com/theforeman/foreman-packaging/pull/300/files

Comment 5 Bryan Kearney 2014-08-12 16:04:57 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7036 has been closed
-------------
Lukas Zapletal
https://github.com/theforeman/foreman-selinux/pull/26
-------------
Anonymous
Applied in changeset commit:e842477295ed731377f3f43c5b8f84634b6f47a2.

Comment 6 Jason Montleon 2014-08-12 19:06:52 UTC
https://github.com/Katello/katello-installer/pull/99 is also needed

Comment 9 Tazim Kolhar 2014-12-05 13:21:32 UTC
VERIFIED:


*** This bug is verified in upstream. This fix should eventually land in future downstream builds ***
Version Tested:

# rpm -qa | grep foreman
foreman-compute-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_discovery-1.4.1-1.el7.noarch
foreman-selinux-1.8.0-0.develop.201411281557gitf4a857f.el7.noarch
foreman-libvirt-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2-1.el7.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3-2.201409091410git163c264.git.0.988ca80.el7.noarch
foreman-ovirt-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7.noarch
foreman-postgresql-1.8.0-0.develop.201412040955git563fa28.el7.noarch
foreman-gce-1.8.0-0.develop.201412040955git563fa28.el7.noarch
foreman-vmware-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ruby193-rubygem-foreman-tasks-0.6.9-1.el7.noarch
foreman-proxy-1.8.0-0.develop.201411261259git6ddd00d.el7.noarch
ibm-x3550m3-07.lab.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_docker-0.2.0-2.el7.noarch
rubygem-hammer_cli_foreman-0.1.3-1.201411121216git9381fc5.el7.noarch
foreman-1.8.0-0.develop.201412040955git563fa28.el7.noarch
ibm-x3550m3-07.lab.eng.brq.redhat.com-foreman-client-1.0-1.noarch
foreman-release-1.8.0-0.develop.201412040955git563fa28.el7.noarch


# katello-installer --interactive
Welcome to the Kafo installer!
------------------------------

This wizard will gather all required information. You can change any parameter
to your needs.


Ready to start? (y/n)
y

Main Config Menu
1. [n] Configure foreman_plugin_templates
2. [y] Configure foreman_plugin_bootdisk
3. [y] Configure certs
4. [y] Configure foreman_plugin_hooks
5. [y] Configure foreman_plugin_discovery
6. [y] Configure foreman
7. [n] Configure foreman_plugin_puppetdb
8. [n] Configure foreman_plugin_default_hostgroup
9. [y] Configure capsule
10. [n] Configure foreman_plugin_setup
11. [y] Configure katello
12. [n] Configure foreman_plugin_chef
13. [y] Configure foreman_plugin_tasks
14. Display current config
15. Save and run
16. Cancel run without Saving
Choose an option from the menu... 
Ambiguous choice.  Please choose one of [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15, 16].
?  15
  Success!
  * Katello is running at https://qe-foreman-rhel66.usersys.redhat.com
      Initial credentials are admin / vhjCUh3XA23atXZp
  * Capsule is running at https://qe-foreman-rhel66.usersys.redhat.com:9090
  * To install additional capsule on separate machine continue by running:"

      capsule-certs-generate --capsule-fqdn "$CAPSULE" --certs-tar
"~/$CAPSULE-certs.tar"

  The full log is at /var/log/katello-installer/katello-installer.log

No AVCs at all
# cat /var/log/audit/audit.log | audit2allow

Comment 10 Bryan Kearney 2015-08-11 13:35:13 UTC
This bug is slated to be released with Satellite 6.1.

Comment 11 errata-xmlrpc 2015-08-12 05:14:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

