Currently on ISO installation, fusor-server is unable to access /var/log/messages and /var/log/candlepin.log.

There's a permission access issue with /var/log/messages, similar to /var/log/foreman-proxy/foreman-proxy.log, the file is set to 600.

For /var/log/candlepin.log, selinux is preventing access to the file.

SELinux is preventing /usr/bin/tail from read access on the file candlepin.log.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that tail should be allowed read access on the candlepin.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:passenger_t:s0
Target Context                system_u:object_r:tomcat_log_t:s0
Target Objects                candlepin.log [ file ]
Source                        tail
Source Path                   /usr/bin/tail
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.22-12.el7_1.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-23.el7_1.21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     sat61fusor.example.com
Platform                      Linux sat61fusor.example.com 3.10.0-229.24.2.el7.x86_64 #1 SMP Fri Nov 6 14:31:40 EST 2015 x86_64 x86_64
Alert Count                   16
First Seen                    2016-02-02 04:20:12 EST
Last Seen                     2016-02-05 10:17:25 EST
Local ID                      b7950e53-e971-498f-892f-065e21cd5e9e

Raw Audit Messages
type=AVC msg=audit(1454685445.305:7425): avc: denied { read } for pid=22136 comm="tail" name="candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

type=AVC msg=audit(1454685445.305:7425): avc: denied { open } for pid=22136 comm="tail" path="/var/log/candlepin/candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

type=SYSCALL msg=audit(1454685445.305:7425): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7ffc38adaae4 a1=0 a2=0 a3=7ffc38ad8ac0 items=0 ppid=22134 pid=22136 auid=4294967295 uid=994 gid=994 euid=994 suid=994 fsuid=994 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=tail exe=/usr/bin/tail subj=system_u:system_r:passenger_t:s0 key=(null)

Hash: tail,passenger_t,tomcat_log_t,file,read
Changes made:
https://github.com/fusor/fusor-selinux/pull/23
https://github.com/fusor/fusor-installer/pull/73
QCI-1.2-RHEL-7-20160705.t.1
Verification failed on QCI-1.2-RHEL-7-20160711.t.1:

There were originally 2 issues in Comment 0:
1) /var/log/messages
2) /var/log/candlepin.log

On my system there are 4 related files:
A) -rw-r-----+ root root system_u:object_r:var_log_t:s0 /var/log/messages
B) -rw-r--r--. foreman foreman system_u:object_r:foreman_log_t:s0 /var/log/foreman/deployments/<<deployment name>>/var/log/messages
C) -rw-r--r--. tomcat tomcat system_u:object_r:tomcat_log_t:s0 /var/log/candlepin/candlepin.log
D) -rw-r--r--. foreman foreman system_u:object_r:foreman_log_t:s0 /var/log/foreman/deployments/<<deployment name>>/var/log/candlepin/candlepin.log

Is the C) name correct -- not 2) ? That would match the audit messages

There weren't reproducer steps -- I'm guessing:
* Install QCI
* Log in to run launch-fusor-installer
* grep tail /var/log/audit/audit.log
* Fail if any output has "avc: denied"

The issue seems to be with A), not B) as far as I can tell. Please confirm you are not seeing issues with B), C) or D)
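The audit-log check guessed at in the comment above (grep for tail, fail on any "avc: denied"), written out as an added example that is not part of the original bug report or of the fusor project's code. It goes one step further and groups denials by source type, target type, class and permission, like the "Hash:" line in the sealert output; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: two records modelled on the AVCs quoted in Comment 0,
# one made-up denial for another command, and one non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1454685445.305:7425): avc:  denied  { read } for  pid=22136 comm="tail" name="candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1454685445.305:7425): avc:  denied  { open } for  pid=22136 comm="tail" path="/var/log/candlepin/candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1454685450.000:7430): avc:  denied  { read } for  pid=22200 comm="cat" name="example.log" dev="vda3" ino=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1454685445.305:7425): arch=x86_64 syscall=open success=yes comm=tail exe=/usr/bin/tail subj=system_u:system_r:passenger_t:s0 key=(null)
"""

# \s+ tolerates both the double spaces auditd writes and collapsed copies.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """user:role:type:level -> type (the part policy rules are written on)."""
    return context.split(":")[2]

def denials_for(log_text, comm):
    """Count AVC denials for one command, keyed by (source, target, class, perm)."""
    found = Counter()
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("comm") != comm:
            continue
        for perm in match.group("perms").split():
            key = (selinux_type(fields["scontext"]),
                   selinux_type(fields["tcontext"]), fields["tclass"], perm)
            found[key] += 1
    return found

def check(log_text, comm="tail"):
    """Return True when the log holds no AVC denial for comm; print each one otherwise."""
    denials = denials_for(log_text, comm)
    for (src, tgt, cls, perm), count in sorted(denials.items()):
        print(f"FAIL {comm}: {src} -> {tgt} {cls} {{ {perm} }} x{count}")
    return not denials

if __name__ == "__main__":
    raise SystemExit(0 if check(SAMPLE_AUDIT_LOG) else 1)
```

On a real system the text of /var/log/audit/audit.log would be passed in place of the sample; in permissive mode, as in this report, denials are still logged even though the access succeeds.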
https://github.com/fusor/fusor-selinux/pull/24 This should resolve selinux issues involving /var/log/messages.
VERIFIED in QCI-1.0-RHEL-7-20160830.t.0

Correction: believe the reproducer is:
1) Install/configure QCI
2) Deploy ..anything
3) During Installation Progress, go to Log tab (https://<<sat6_fqdn>>/r/#/deployments/<<deployment_number>>/review/progress/log)
Examine each log in turn. You should be able to log contents as each log is selected

Also check the audit log per https://bugzilla.redhat.com/show_bug.cgi?id=1309600#c3
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2016:1862