Bug 1309600 - open up access for /var/log/candlepin.log and /var/log/messages to fusor-server on ISO installation
Status: CLOSED ERRATA
Product: Red Hat Quickstart Cloud Installer
Classification: Red Hat
Component: fusor-installer (Show other bugs)
Version: 1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ga
Target Release: 1.0
Assigned To: John Matthews
QA Contact: Thom Carlin
Keywords: Triaged
Depends On:
Blocks:
Reported: 2016-02-18 04:12 EST by dgao
Modified: 2016-09-13 12:27 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-13 12:27:02 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1862 normal SHIPPED_LIVE Red Hat Quickstart Installer 1.0 2016-09-13 16:18:48 EDT

Description dgao 2016-02-18 04:12:17 EST
Currently on ISO installation, fusor-server is unable to access /var/log/messages and /var/log/candlepin.log.

There's a permission access issue w/ /var/log/messages: similar to /var/log/foreman-proxy/foreman-proxy.log, the file is set to 600.

For /var/log/candlepin.log, SELinux is preventing access to the file.

SELinux is preventing /usr/bin/tail from read access on the file candlepin.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tail should be allowed read access on the candlepin.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep tail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:passenger_t:s0
Target Context                system_u:object_r:tomcat_log_t:s0
Target Objects                candlepin.log [ file ]
Source                        tail
Source Path                   /usr/bin/tail
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           coreutils-8.22-12.el7_1.2.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     sat61fusor.example.com
Platform                      Linux sat61fusor.example.com
                              3.10.0-229.24.2.el7.x86_64 #1 SMP Fri Nov 6
                              14:31:40 EST 2015 x86_64 x86_64
Alert Count                   16
First Seen                    2016-02-02 04:20:12 EST
Last Seen                     2016-02-05 10:17:25 EST
Local ID                      b7950e53-e971-498f-892f-065e21cd5e9e

Raw Audit Messages
type=AVC msg=audit(1454685445.305:7425): avc:  denied  { read } for  pid=22136 comm="tail" name="candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

type=AVC msg=audit(1454685445.305:7425): avc:  denied  { open } for  pid=22136 comm="tail" path="/var/log/candlepin/candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file

type=SYSCALL msg=audit(1454685445.305:7425): arch=x86_64 syscall=open success=yes exit=ESRCH a0=7ffc38adaae4 a1=0 a2=0 a3=7ffc38ad8ac0 items=0 ppid=22134 pid=22136 auid=4294967295 uid=994 gid=994 euid=994 suid=994 fsuid=994 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=tail exe=/usr/bin/tail subj=system_u:system_r:passenger_t:s0 key=(null)

Hash: tail,passenger_t,tomcat_log_t,file,read
Comment 2 John Matthews 2016-07-05 13:36:25 EDT
QCI-1.2-RHEL-7-20160705.t.1
Comment 3 Thom Carlin 2016-07-12 15:04:00 EDT
Verification failed on QCI-1.2-RHEL-7-20160711.t.1:
There were originally 2 issues in Comment 0:
1) /var/log/messages
2) /var/log/candlepin.log

On my system there are 4 related files:
A) -rw-r-----+ root root system_u:object_r:var_log_t:s0   /var/log/messages
B) -rw-r--r--. foreman foreman system_u:object_r:foreman_log_t:s0 /var/log/foreman/deployments/<<deployment name>>/var/log/messages
C) -rw-r--r--. tomcat tomcat system_u:object_r:tomcat_log_t:s0 /var/log/candlepin/candlepin.log
D) -rw-r--r--. foreman foreman system_u:object_r:foreman_log_t:s0 /var/log/foreman/deployments/<<deployment name>>/var/log/candlepin/candlepin.log

Is the C) name correct -- not 2) ?  That would match the audit messages

There weren't reproducer steps -- I'm guessing:
* Install QCI
* Log in to run launch-fusor-installer
* grep tail /var/log/audit/audit.log
* Fail if any output has "avc: denied"

The issue seems to be with A), not B) as far as I can tell.  Please confirm you are not seeing issues with B), C) or D)
Comment 4 dgao 2016-07-15 11:09:47 EDT
https://github.com/fusor/fusor-selinux/pull/24

This should resolve selinux issues involving /var/log/messages.
Comment 9 Thom Carlin 2016-08-31 16:40:01 EDT
VERIFIED in QCI-1.0-RHEL-7-20160830.t.0
Correction: believe the reproducer is:
1) Install/configure QCI
2) Deploy ..anything
3) During Installation Progress, go to Log tab (https://<<sat6_fqdn>>/r/#/deployments/<<deployment_number>>/review/progress/log)

Examine each log in turn.  You should be able to see log contents as each log is selected.

Also check the audit log per https://bugzilla.redhat.com/show_bug.cgi?id=1309600#c3
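Comments 3 and 9 describe the audit-log check by hand. The script below is an added example, not code from this bug or from the fusor project: it filters AVC denials down to the pattern in this bug (tail running in the passenger_t domain), lists which permission on which file type was refused, and checks the DAC mode symptom of /var/log/messages. The first two sample audit lines are the bug's own; the third line and the temp-file usage are constructed.

```shell
#!/bin/bash
# Added example (not from the bug or fusor). Sample input: two AVC lines from
# the bug plus one constructed "cat" denial, to show the comm filter at work.
# Real input is /var/log/audit/audit.log on the QCI host.
SAMPLE_AUDIT='type=AVC msg=audit(1454685445.305:7425): avc:  denied  { read } for  pid=22136 comm="tail" name="candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1454685445.305:7425): avc:  denied  { open } for  pid=22136 comm="tail" path="/var/log/candlepin/candlepin.log" dev="vda3" ino=2429970 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tomcat_log_t:s0 tclass=file
type=AVC msg=audit(1454685445.400:7426): avc:  denied  { read } for  pid=22150 comm="cat" name="messages" dev="vda3" ino=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Count AVC denials where tail runs in DOMAIN (default passenger_t, the
# fusor-server domain in the bug's audit messages). Reads audit text on stdin.
count_tail_denials() {
    domain="${1:-passenger_t}"
    awk -v d="$domain" '
        /^type=AVC / && /avc:  denied/ && /comm="tail"/ &&
        $0 ~ ("scontext=[^ ]*:" d ":") { n++ }
        END { print n + 0 }'
}

# One "<permission> <target type>" per distinct denial for the same filter:
# this is what a fix must cover, by policy rule or by relabelling the file.
denied_accesses() {
    domain="${1:-passenger_t}"
    awk -v d="$domain" '
        /^type=AVC / && /avc:  denied/ && /comm="tail"/ &&
        $0 ~ ("scontext=[^ ]*:" d ":") {
            perm = $0; sub(/.*\{ /, "", perm); sub(/ \}.*/, "", perm)
            tt = $0;   sub(/.*tcontext=[^ ]*:object_r:/, "", tt); sub(/:.*/, "", tt)
            print perm, tt
        }' | sort -u
}

# DAC side: succeed if the "other" read bit is set on PATH (mode 600 is the
# /var/log/messages symptom). A trailing "+" in ls -l, as in comment 3's A)
# line, means an ACL may still grant access; confirm with getfacl before
# concluding the file is unreadable.
mode_allows_world_read() {
    mode=$(stat -c %a "$1") || return 2
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_AUDIT" | denied_accesses
printf 'tail denials in passenger_t: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AUDIT" | count_tail_denials)"
```

On a real host, replace the sample with `cat /var/log/audit/audit.log | count_tail_denials` and treat any non-zero count as a failed verification, per comment 3.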
Comment 11 errata-xmlrpc 2016-09-13 12:27:02 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2016:1862
