Bug 1131424 - installation on RHEL7 in Enforcing fails with "Could not evaluate: Could not load data from https://<fqdn>"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Og Maciel
URL:
Whiteboard:
Depends On: 1130086
Blocks:
 
Reported: 2014-08-19 09:02 UTC by Jan Hutař
Modified: 2019-09-26 15:43 UTC
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-11 12:27:58 UTC
Target Upstream Version:
Embargoed:



Description Jan Hutař 2014-08-19 09:02:54 UTC
Description of problem:
Installation on RHEL7 in Enforcing fails with "Could not evaluate: Could not load data from https://<fqdn>"


Version-Release number of selected component (if applicable):
Satellite-6.0.4-RHEL-7-20140813.2


How reproducible:
always


Steps to Reproduce:
1. # katello-installer --foreman-admin-email 'root@localhost' --foreman-admin-username '<user>' --foreman-admin-password '<pass>' --capsule-parent-fqdn <fqdn> --capsule-dns true --capsule-dns-forwarders <ip29> --capsule-dns-forwarders <ip19> --capsule-dns-forwarders <ip160> --capsule-dns-interface dummy0 --capsule-dns-zone katellolabs.org --capsule-dhcp true --capsule-dhcp-interface dummy0 --capsule-tftp true --capsule-puppet true --capsule-puppetca true --capsule-register-in-foreman true --capsule-foreman-oauth-secret <hash> --capsule-pulp false


Actual results:
Lots of AVCs, and the configuration fails.


Expected results:
No failures


Additional info:
# rpm -qa | grep selinux
libselinux-ruby-2.2.2-6.el7.x86_64
libselinux-python-2.2.2-6.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch
candlepin-selinux-0.9.23-1.el7.noarch
foreman-selinux-1.6.0.6-1.el7sat.noarch
libselinux-2.2.2-6.el7.x86_64
selinux-policy-targeted-3.12.1-153.el7.noarch
pulp-selinux-2.4.0-0.30.beta.el7sat.noarch
libselinux-utils-2.2.2-6.el7.x86_64
# cat /var/log/audit/audit.log | audit2allow 
#============= passenger_t ==============
allow passenger_t fs_t:filesystem getattr;
allow passenger_t httpd_t:unix_stream_socket getattr;
allow passenger_t initrc_t:unix_stream_socket connectto;
allow passenger_t initrc_var_run_t:file { read getattr unlink open ioctl };
allow passenger_t postgresql_t:unix_stream_socket connectto;
allow passenger_t postgresql_var_run_t:dir search;
allow passenger_t postgresql_var_run_t:sock_file write;
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t puppet_log_t:file write;
allow passenger_t puppet_var_lib_t:dir { relabelfrom relabelto create setattr };
allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
allow passenger_t self:capability2 block_suspend;
allow passenger_t self:process { execmem getsession };
allow passenger_t sysfs_t:dir read;
allow passenger_t sysfs_t:file { read getattr open };
 
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow passenger_t unreserved_port_t:tcp_socket name_connect;
allow passenger_t var_lib_t:file { read getattr open ioctl };
allow passenger_t var_lib_t:lnk_file read;
allow passenger_t var_log_t:file { write ioctl read open getattr append };
allow passenger_t var_run_t:file { read getattr open ioctl };
allow passenger_t var_run_t:sock_file write;
allow passenger_t websm_port_t:tcp_socket name_connect;

#============= qpidd_t ==============
allow qpidd_t passwd_file_t:file getattr;

Comment 2 RHEL Program Management 2014-08-19 09:13:25 UTC
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

Comment 4 Jan Hutař 2014-08-19 09:21:33 UTC
As advised by lzap:

# semodule -l | grep foreman
# foreman-selinux-enable
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute consoletype_exec_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
# rpm -qa | grep selinux | grep -v -e libselinux -e selinux-policy
candlepin-selinux-0.9.23-1.el7.noarch
foreman-selinux-1.6.0.6-1.el7sat.noarch
pulp-selinux-2.4.0-0.30.beta.el7sat.noarch

Comment 5 Lukas Zapletal 2014-08-19 09:30:35 UTC
The compose is missing this patch in foreman-selinux.spec file:

https://github.com/theforeman/foreman-packaging/pull/308

The policy was not loaded, all the AVCs above are not relevant.

As a workaround use this build:

http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm

Comment 6 Jan Hutař 2014-08-19 09:39:29 UTC
This package resolves the issue:

# rpm -Uvh http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
Retrieving http://yum.theforeman.org/nightly/el7/x86_64/foreman-selinux-1.7.0-0.develop.201408181139gite842477.el7.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:foreman-selinux-1.7.0-0.develop.2################################# [ 50%]
Cleaning up / removing...
   2:foreman-selinux-1.6.0.6-1.el7sat ################################# [100%]
# foreman-selinux-enable
# echo $?
0
# semodule -l | grep foreman
foreman	1.7.0.0

Comment 10 Lukas Zapletal 2014-08-21 09:59:58 UTC
Hello,

this has been reported as. I will implement a temporary fix in our policy.

https://bugzilla.redhat.com/show_bug.cgi?id=1130086

Comment 15 Lukas Zapletal 2014-08-29 08:09:29 UTC
Jan, this bugzilla contains several denials. Can you specify what you see?

Please paste output of the following commands in this order:

  rpm -q foreman-selinux selinux-policy
  getenforce
  ps auxZ | grep RackApp
  semodule -l | grep foreman
  foreman-selinux-enable
  foreman-selinux-disable
  foreman-selinux-enable
  foreman-selinux-relabel -v
  semanage boolean -l
  semanage fcontext -l
  sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
  ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50

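The point Comment 5 makes is easy to miss when staring at audit2allow output: the foreman module never loaded (Comment 4 shows libsepol rejecting it for an unmet requirement and an invalid port type), so Foreman kept running in the generic passenger_t domain and every denial in the description is about that domain, not about the foreman policy. Turning those denials into a local module with audit2allow -M and semodule -i would widen passenger_t for every Passenger-hosted application on the host, which is the real hazard here. The script below is an added example, not code from foreman-selinux or Satellite; it encodes the triage order of Comment 15 as functions that take the command output on stdin, so they can be run against the constructed sample data embedded here or, with --live, against a real host. The only project fact it relies on is that foreman-selinux ships an SELinux module named "foreman"; treating foreman_rails_t as the domain Foreman should transition into once the module is loaded is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not part of foreman-selinux or Satellite. Triage order from
# Comments 4, 5 and 15: confirm the "foreman" SELinux module loaded, confirm
# the Foreman Rack app left passenger_t, and only then read the denials.
# Assumption for this example: the expected domain is foreman_rails_t.
#
#   sh selinux_triage.sh          # run against the constructed samples below
#   sh selinux_triage.sh --live   # run against this host (needs root)

# Read "semodule -l" on stdin; succeed only if a module named exactly
# "foreman" is listed (works with and without the version column).
foreman_module_loaded() {
    grep -qE '^foreman([[:space:]]|$)'
}

# Read foreman-selinux-enable / semodule error output on stdin and print the
# identifiers libsepol reports as unmet requirements, one per line.
missing_requirements() {
    sed -nE \
        -e 's/.*requirements were not met: type\/attribute ([A-Za-z0-9_]+) .*/\1/p' \
        -e 's/.*Type ([A-Za-z0-9_]+) is invalid, must be a port type.*/\1/p'
}

# Read raw audit.log lines on stdin and print the distinct source domains
# (type field of scontext) of AVC and USER_AVC records.
avc_source_domains() {
    grep -E '^type=(AVC|USER_AVC) ' \
        | sed -nE 's/.*scontext=[^:]*:[^:]*:([^:]*):.*/\1/p' \
        | sort -u
}

# Read "ps auxZ" on stdin and print the distinct domains of Passenger RackApp
# processes (the security context is the first column).
rackapp_domains() {
    grep 'RackApp' | grep -v 'grep' \
        | awk '{ split($1, c, ":"); print c[3] }' \
        | sort -u
}

# verdict SEMODULE_OUTPUT AUDIT_LOG PS_OUTPUT
# Prints a one-word token followed by an explanation.
verdict() {
    if ! printf '%s\n' "$1" | foreman_module_loaded; then
        echo "policy-missing foreman module absent from semodule -l; fix foreman-selinux-enable first, the denials are against passenger_t and say nothing about the foreman policy"
        return 0
    fi
    if printf '%s\n' "$3" | rackapp_domains | grep -q '^passenger_t$'; then
        echo "no-transition module loaded but RackApp still runs in passenger_t (assumed target: foreman_rails_t); run foreman-selinux-relabel and restart httpd before reading denials"
        return 0
    fi
    echo "policy-loaded denials are worth reading; source domains: $(printf '%s\n' "$2" | avc_source_domains | tr '\n' ' ')"
}

# Constructed sample inputs (not captured from the reporter's host).
SAMPLE_ENABLE_ERR="libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute consoletype_exec_t (No such file or directory).
ValueError: Type elasticsearch_port_t is invalid, must be a port type"
SAMPLE_AUDIT='type=AVC msg=audit(1408438800.101:4242): avc:  denied  { connectto } for  pid=2345 comm="ruby" path="/var/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1408438800.202:4243): avc:  denied  { getattr } for  pid=3456 comm="qpidd" path="/etc/passwd" scontext=system_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file'
SAMPLE_PS_BROKEN='system_u:system_r:passenger_t:s0 foreman 2345 0.5 3.1 512000 130000 ? Sl 09:00 0:05 Passenger RackApp: /usr/share/foreman'
SAMPLE_PS_OK='system_u:system_r:foreman_rails_t:s0 foreman 2345 0.5 3.1 512000 130000 ? Sl 09:00 0:05 Passenger RackApp: /usr/share/foreman'
SEMODULE_NONE=''
SEMODULE_FOREMAN="$(printf 'foreman\t1.7.0.0')"

if [ "${1:-}" = "--live" ]; then
    verdict "$(semodule -l)" "$(cat /var/log/audit/audit.log)" "$(ps auxZ)"
else
    echo "unmet requirements: $(printf '%s\n' "$SAMPLE_ENABLE_ERR" | missing_requirements | tr '\n' ' ')"
    verdict "$SEMODULE_NONE" "$SAMPLE_AUDIT" "$SAMPLE_PS_BROKEN"
    verdict "$SEMODULE_FOREMAN" "$SAMPLE_AUDIT" "$SAMPLE_PS_BROKEN"
    verdict "$SEMODULE_FOREMAN" "$SAMPLE_AUDIT" "$SAMPLE_PS_OK"
fi
```

Run without arguments the script walks the three states in order: module absent (the state of Comment 4), module loaded but the Rack app still in passenger_t, and module loaded with the app in the assumed foreman_rails_t domain, which is the only state in which the audit2allow output from the description would be worth reading. If ps shows no RackApp process at all, the second check is skipped, so start Foreman before trusting a "policy-loaded" verdict.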
Comment 16 Og Maciel 2014-09-02 19:46:59 UTC
VERIFIED by QE

Browser:
=====
* Firefox 31.0 (MacOS)

Build:  
====
* Satellite/Satellite-6.0.4-RHEL-7-20140829.0

Packages:
======
* candlepin-0.9.23-1.el7.noarch
* candlepin-common-1.0.1-1.el7.noarch
* candlepin-guice-3.0-2_redhat_1.el7.noarch
* candlepin-scl-1-5.el7.noarch
* candlepin-scl-quartz-2.1.5-6.el7.noarch
* candlepin-scl-rhino-1.7R3-3.el7.noarch
* candlepin-scl-runtime-1-5.el7.noarch
* candlepin-selinux-0.9.23-1.el7.noarch
* candlepin-tomcat-0.9.23-1.el7.noarch
* elasticsearch-0.90.10-6.el7sat.noarch
* foreman-1.6.0.42-1.el7sat.noarch
* foreman-compute-1.6.0.42-1.el7sat.noarch
* foreman-gce-1.6.0.42-1.el7sat.noarch
* foreman-libvirt-1.6.0.42-1.el7sat.noarch
* foreman-ovirt-1.6.0.42-1.el7sat.noarch
* foreman-postgresql-1.6.0.42-1.el7sat.noarch
* foreman-proxy-1.6.0.30-1.el7sat.noarch
* foreman-selinux-1.6.0.14-1.el7sat.noarch
* foreman-vmware-1.6.0.42-1.el7sat.noarch
* katello-1.5.0-30.el7sat.noarch
* katello-certs-tools-1.5.6-1.el7sat.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-0.0.64-1.el7sat.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-katello-0.3-4.el7sat.noarch
* pulp-nodes-common-2.4.1-0.5.rc1.el7sat.noarch
* pulp-nodes-parent-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-plugins-2.4.1-0.5.rc1.el7sat.noarch
* pulp-puppet-tools-2.4.1-0.5.rc1.el7sat.noarch
* pulp-rpm-plugins-2.4.1-0.6.beta.el7sat.noarch
* pulp-selinux-2.4.1-0.5.rc1.el7sat.noarch
* pulp-server-2.4.1-0.5.rc1.el7sat.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el7sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el7sat.noarch
* rubygem-hammer_cli-0.1.1-12.el7sat.noarch
* rubygem-hammer_cli_foreman-0.1.1-16.el7sat.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-3.el7sat.noarch
* rubygem-hammer_cli_import-0.10.2-1.2.el7sat.noarch
* rubygem-hammer_cli_katello-0.0.4-14.el7sat.noarch

Comment 17 Bryan Kearney 2014-09-11 12:27:58 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.

