Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1670109 - foreman-tasks won't start if SELinux is enforcing
Summary: foreman-tasks won't start if SELinux is enforcing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.4
Hardware: All
OS: All
high
high
Target Milestone: 6.7.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks: 1795589
TreeView+ depends on / blocked
 
Reported: 2019-01-28 15:23 UTC by Avijit Roy
Modified: 2020-08-18 16:44 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:23:49 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 26951 0 High Closed foreman-tasks won't start if SELinux is enforcing 2020-10-16 07:12:56 UTC
Red Hat Product Errata RHSA-2020:1454 0 None None None 2020-04-14 13:24:01 UTC

Description Avijit Roy 2019-01-28 15:23:11 UTC 
Description of problem:
foreman-tasks won't start if SELinux is enforcing   

Version-Release number of selected component (if applicable):
Satellite 6.4

How reproducible:
          

Steps to Reproduce:
If SELinux is set to enforce foreman-tasks won't start. The error from the audit.log follows.
audit2why
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

audit2allow
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0


#============= passenger_t ==============
allow passenger_t self:process execmem;

Actual results:


Expected results:
Expected results:
No AVCs should be reported
     

Additional info:
Comment 4 Lukas Zapletal 2019-01-29 08:38:43 UTC 
Works for me, can you narrow down it a bit?

What Foreman plugins are installed? Are there any unsupported plugins? They can cause asset recompilation which is causing this problem so please investigate carefully.

[root@sat64 ~]# rpm -q satellite
satellite-6.4.1-1.el7sat.noarch
[root@sat64 ~]# getenforce 
Enforcing
[root@sat64 ~]# systemctl restart foreman-tasks
[root@sat64 ~]# ausearch -m AVC
<no matches>
[root@sat64 ~]# systemctl status foreman-tasks
● dynflowd.service - Foreman jobs daemon
   Loaded: loaded (/usr/lib/systemd/system/dynflowd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-01-29 08:36:07 GMT; 16s ago
     Docs: https://theforeman.org
  Process: 3119 ExecStart=/usr/sbin/dynflowd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/dynflowd.service
           ├─3165 dynflow_executor
           └─3169 dynflow_executor_monitor
Comment 6 Lukas Zapletal 2019-06-04 16:12:45 UTC 
Created redmine issue https://projects.theforeman.org/issues/26951 from this bug
Comment 7 Bryan Kearney 2019-06-06 16:03:12 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved.
Comment 10 Lukas Zapletal 2019-10-29 11:41:03 UTC 
This patch will also fix: https://bugzilla.redhat.com/show_bug.cgi?id=1541481
Comment 11 Lukas Zapletal 2019-10-29 11:41:47 UTC 
Sorry for the flags changes. This is scheduled into Satellite 6.7.
Comment 12 Lukas Zapletal 2019-10-29 11:47:58 UTC 
FOR THE RECORD:

Workaround A:

semanage permissive passenger_t

Workaround B:

echo -n "module passenger-execmem 1.0;\nallow passenger_t self:process execmem;\n" > passenger-execmem.pp
semodule -i passenger-execmem.pp
Comment 13 Bryan Kearney 2019-10-29 12:02:14 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved.
Comment 15 Lukas Pramuk 2020-01-29 16:17:35 UTC 
VERIFIED.

@satellite-6.7.0-5.beta.el7sat.noarch
foreman-selinux-1.24.1-1.el7sat.noarch

by the following manual steps:

# getenforce
Enforcing

# service foreman-tasks restart
Redirecting to /bin/systemctl restart foreman-tasks.service

# service foreman-tasks status
Redirecting to /bin/systemctl status foreman-tasks.service
● dynflowd.service - Foreman jobs daemon
   Loaded: loaded (/usr/lib/systemd/system/dynflowd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-29 11:01:42 EST; 6s ago
     Docs: https://theforeman.org
  Process: 18755 ExecStop=/usr/sbin/dynflowd stop (code=exited, status=0/SUCCESS)
  Process: 18836 ExecStart=/usr/sbin/dynflowd start (code=exited, status=0/SUCCESS)
    Tasks: 5
   CGroup: /system.slice/dynflowd.service
           ├─18890 dynflow_executor
           └─18891 dynflow_executor_monitor

Jan 29 11:01:35 satellite.example.com systemd[1]: Starting Foreman jobs daemon...
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /usr/share/foreman/lib/foreman.rb:8: warning: already initialized constant Foreman::UUID_REGEXP
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /usr/share/foreman/lib/foreman.rb:8: warning: previous definition of UUID_REGEXP was here
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: Dynflow Executor: start in progress
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:108: warning: conflicting chdir during another chdir block
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:75: warning: conflicting chdir during another chdir block
Jan 29 11:01:42 satellite.example.com dynflowd[18836]: dynflow_executor: process with pid 18890 started.
Jan 29 11:01:42 satellite.example.com systemd[1]: Started Foreman jobs daemon.
Hint: Some lines were ellipsized, use -l to show in full.

>>> foreman-tasks starts even with selinux enforcing
Comment 20 errata-xmlrpc 2020-04-14 13:23:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454
Note You need to log in before you can comment on or make changes to this bug.