Bug 1522766
| Summary: | Passenger cannot communicate to Puppet Master via TCP | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Lukas Zapletal <lzap> |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> |
| Status: | CLOSED ERRATA | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.3.0 | CC: | bbuckingham, brubisch, dlobatog, ehelms, ekohlvan, lpramuk, lzap, peter.vreman, zhunting |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/21887 | ||
| Whiteboard: | |||
| Fixed In Version: | foreman-selinux-1.15.6.1-1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-02-21 16:54:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1122832, 1533259 | ||
Peter, I already have the patch ready, but can you tell me when this happens? I haven't seen this myself on my system.

Lukas,

It happens every time with 'systemctl reload httpd', e.g. also with a weekly logrotation.
Below is output of a manual systemctl reload httpd:
-----------
[Mon Dec 11 12:55:08.377262 2017] [mpm_prefork:notice] [pid 11197] AH00163: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/2.7.5 Phusion_Passenger/4.0.18 configured -- resuming normal operations
[Mon Dec 11 12:55:08.377307 2017] [core:notice] [pid 11197] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[ 2017-12-11 12:55:10.3851 11228/7fc2bd39f700 Pool2/Spawner.h:738 ]: [App 11442 stdout]
[ 2017-12-11 12:55:14.3358 11228/7fc2bd39f700 Pool2/Spawner.h:738 ]: [App 11442 stdout] API controllers newer than Apipie cache! Run apipie:cache rake task to regenerate cache.
[ 2017-12-11 12:55:32.4247 11228/7fc2bd39f700 Pool2/SmartSpawner.h:301 ]: Preloader for /usr/share/foreman started on PID 11442, listening on unix:/var/run/rubygem-passenger/passenger.1.0.11197/generation-1/backends/preloader.11475
/usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:105:in `initialize': Permission denied - connect(2) (Errno::EACCES)
from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:105:in `new'
from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:105:in `connect'
from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:112:in `connect'
from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:86:in `socket'
from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:90:in `head_request'
from /usr/share/gems/gems/passenger-4.0.18/helper-scripts/prespawn:145:in `<main>'
-----------
Note: I run puppet master also on the Sat6 server itself. It might also be an issue on a Capsule, but did not test a capsule with 6.3 yet.

It looks like this is the preloader to start up instances on service startup rather than on first client. @Peter: can you confirm this by (temporarily) removing the PassengerPreStart from the puppet vhosts.

QA: Happens during restart, to VERIFY please restart httpd service and check for denials. Thanks Ewoud, I thought this is some feature of Foreman itself and it is just this :-)

Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/21887 has been resolved.

VERIFIED.

@satellite-6.3.0-23.0.el7sat.noarch
foreman-selinux-1.15.6.1-1.el7sat.noarch

by manual reproducer based on comment#9

1. # service httpd restart
2. # tail -0f /var/log/audit/audit.log

REPRO (older snap):

type=SERVICE_STOP msg=audit(1515415463.229:10256): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1515415463.432:10257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1515415517.153:10258): avc: denied { name_connect } for pid=22665 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

vs.

FIX:

type=SERVICE_STOP msg=audit(1515420604.858:10571): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1515420605.083:10572): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

>>> there is no more avc denial during/after httpd service restart

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
Standard install:

type=AVC msg=audit(1512555818.157:6078): avc: denied { name_connect } for pid=21628 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

Easy fix.
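An added example, not code from the bug report, its commenters, or the foreman-selinux project, that automates the QA check from the verification comment: parse type=AVC records from /var/log/audit/audit.log and flag exactly the denial this bug is about (passenger_t doing name_connect to puppet_port_t on a tcp_socket). The sample records are constructed from the lines quoted in this report; the function names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Audit records are mostly key=value fields (values bare, "double" or 'single' quoted).
# The "avc: denied { name_connect }" part is not key=value, so it gets its own pattern.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a type=AVC record, or None for any other record type."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group(1), "permissions": m.group(2)}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val.strip('"\'')
    # Reduce a full context (system_u:system_r:passenger_t:s0) to its type (passenger_t).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def puppet_connect_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Denials matching this bug: passenger_t may not name_connect to puppet_port_t."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if ("name_connect" in rec["permissions"].split()
                and rec.get("scontext_type") == "passenger_t"
                and rec.get("tcontext_type") == "puppet_port_t"
                and rec.get("tclass") == "tcp_socket"):
            hits.append(rec)
    return hits


# Constructed sample: the SERVICE_START record and the AVC denial quoted in this bug.
SAMPLE_LOG = [
    "type=SERVICE_START msg=audit(1515415463.432:10257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'",
    "type=AVC msg=audit(1515415517.153:10258): avc: denied { name_connect } for pid=22665 comm=\"ruby\" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket",
]

if __name__ == "__main__":
    for rec in puppet_connect_denials(SAMPLE_LOG):
        print(f"pid={rec['pid']} comm={rec['comm']} dest={rec['dest']} {rec['scontext_type']} -> {rec['tcontext_type']}")
```

On a fixed system the list returned after `service httpd restart` is empty, which is the condition the verification comment checks for with `tail -0f`.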