Bug 1670109 - foreman-tasks won't start if SELinux is enforcing
Summary: foreman-tasks won't start if SELinux is enforcing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.4
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: 6.7.0
Assignee: Lukas Zapletal
QA Contact: Lukas Pramuk
URL:
Whiteboard:
Depends On:
Blocks: 1795589
Reported: 2019-01-28 15:23 UTC by Avijit Roy
Modified: 2020-08-18 16:44 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:23:49 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Foreman Issue Tracker 26951 High Closed foreman-tasks won't start if SELinux is enforcing 2020-10-16 07:12:56 UTC
Red Hat Product Errata RHSA-2020:1454 None None None 2020-04-14 13:24:01 UTC

Description Avijit Roy 2019-01-28 15:23:11 UTC
Description of problem:
foreman-tasks won't start if SELinux is enforcing   

Version-Release number of selected component (if applicable):
Satellite 6.4

How reproducible:

Steps to Reproduce:
If SELinux is set to enforce foreman-tasks won't start. The error from the audit.log follows.
audit2why
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

audit2allow
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0


#============= passenger_t ==============
allow passenger_t self:process execmem;

Actual results:


Expected results:
No AVCs should be reported

Additional info:

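To make the denial above easier to read, here is an added example (not code from the bug report, Foreman, or the SELinux tooling) that parses the three audit records of one event, decodes the hex-encoded proctitle into the command line (ruby /usr/bin/foreman-tasks start), decodes the failed syscall (on x86_64, syscall 10 is mprotect and a2=5 is PROT_READ|PROT_EXEC, which is exactly what the execmem permission governs), and derives the same TE rule audit2allow printed. The sample input is the description's own records embedded as a constructed string; the syscall and PROT tables are the standard x86_64 values, and the rule derivation is a simplified analogue of audit2allow, not a reimplementation of it.

```python
import re

# Constructed sample input: the audit records quoted in the bug description above
# (one event, serial 252, plus the systemd SERVICE_START record for the failed unit).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1543433823.151:252): avc:  denied  { execmem } for  pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# x86_64 (arch=c000003e) syscall numbers relevant to execmem denials, and mprotect flag bits.
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}
PROT_FLAGS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


def parse_kv(body):
    """Split 'key=value' pairs; quoted values lose their quotes."""
    return {k: v.strip("\"'") for k, v in KV_RE.findall(body)}


def parse_audit(text):
    """Group audit records by serial number into events (AVC + SYSCALL + PROCTITLE)."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(int(m["serial"]), {"ts": float(m["ts"]), "avcs": []})
        body = m["body"]
        if m["type"] == "AVC":
            a = AVC_RE.search(body)
            if a is None:
                continue
            fields = parse_kv(body)
            fields["decision"] = a["decision"]
            fields["perms"] = a["perms"].split()
            ev["avcs"].append(fields)
        elif m["type"] == "SYSCALL":
            ev["syscall"] = parse_kv(body)
        elif m["type"] == "PROCTITLE":
            # proctitle is the hex-encoded argv with NUL separators between arguments
            raw = bytes.fromhex(parse_kv(body)["proctitle"])
            ev["proctitle"] = raw.decode("utf-8", "replace").split("\0")
    return events


def domain(context):
    """Type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def describe_syscall(sc):
    """Human-readable form of the failed syscall (decoded for x86_64 only)."""
    if sc.get("arch") != "c000003e":
        return f"syscall {sc.get('syscall')}"
    num = int(sc["syscall"])
    name = X86_64_SYSCALLS.get(num, f"syscall {num}")
    if name == "mprotect":
        prot = int(sc["a2"], 16)  # audit prints a0..a3 in hex
        flags = "|".join(n for bit, n in PROT_FLAGS.items() if prot & bit) or "PROT_NONE"
        return f"mprotect(addr=0x{sc['a0']}, len=0x{sc['a1']}, prot={flags})"
    return name


def denial_rules(events):
    """audit2allow-style TE rules, one per distinct (source, target, class, permission)."""
    rules = set()
    for ev in events.values():
        for avc in ev["avcs"]:
            if avc["decision"] != "denied":
                continue
            src, tgt = domain(avc["scontext"]), domain(avc["tcontext"])
            target = "self" if src == tgt else tgt
            for perm in avc["perms"]:
                rules.add(f"allow {src} {target}:{avc['tclass']} {perm};")
    return sorted(rules)


def summarize(events):
    """One line per AVC, joined with the syscall and command line of the same event."""
    lines = []
    for serial, ev in sorted(events.items()):
        for avc in ev["avcs"]:
            cmd = " ".join(ev.get("proctitle", [avc.get("comm", "?")]))
            call = describe_syscall(ev["syscall"]) if "syscall" in ev else "n/a"
            lines.append(f"[{serial}] {avc['decision']} {{ {' '.join(avc['perms'])} }} "
                         f"{domain(avc['scontext'])} -> {domain(avc['tcontext'])}:{avc['tclass']} "
                         f"via {call}; cmd={cmd!r}; enforcing={avc.get('permissive') == '0'}")
    return lines


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    print("\n".join(summarize(evs)))
    print("\n".join(denial_rules(evs)))
```

Run against a real /var/log/audit/audit.log (or the output of `ausearch -m AVC`) the summary shows which process, which syscall and which permission were involved before any rule is written; here it confirms that the denied operation is the ruby interpreter making an anonymous page executable, which is what execmem on passenger_t would permit for every process in that domain, not only foreman-tasks.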
Comment 4 Lukas Zapletal 2019-01-29 08:38:43 UTC
Works for me, can you narrow it down a bit?

What Foreman plugins are installed? Are there any unsupported plugins? They can cause asset recompilation, which causes this problem, so please investigate carefully.

[root@sat64 ~]# rpm -q satellite
satellite-6.4.1-1.el7sat.noarch
[root@sat64 ~]# getenforce 
Enforcing
[root@sat64 ~]# systemctl restart foreman-tasks
[root@sat64 ~]# ausearch -m AVC
<no matches>
[root@sat64 ~]# systemctl status foreman-tasks
● dynflowd.service - Foreman jobs daemon
   Loaded: loaded (/usr/lib/systemd/system/dynflowd.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2019-01-29 08:36:07 GMT; 16s ago
     Docs: https://theforeman.org
  Process: 3119 ExecStart=/usr/sbin/dynflowd start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/dynflowd.service
           ├─3165 dynflow_executor
           └─3169 dynflow_executor_monitor

Comment 6 Lukas Zapletal 2019-06-04 16:12:45 UTC
Created redmine issue https://projects.theforeman.org/issues/26951 from this bug

Comment 7 Bryan Kearney 2019-06-06 16:03:12 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved.

Comment 10 Lukas Zapletal 2019-10-29 11:41:03 UTC
This patch will also fix: https://bugzilla.redhat.com/show_bug.cgi?id=1541481

Comment 11 Lukas Zapletal 2019-10-29 11:41:47 UTC
Sorry for the flags changes. This is scheduled into Satellite 6.7.

Comment 12 Lukas Zapletal 2019-10-29 11:47:58 UTC
FOR THE RECORD:

Workaround A:

semanage permissive -a passenger_t

Workaround B:

printf 'module passenger-execmem 1.0;\nrequire { type passenger_t; class process execmem; }\nallow passenger_t self:process execmem;\n' > passenger-execmem.te  # TE source, not a .pp package
checkmodule -M -m -o passenger-execmem.mod passenger-execmem.te  # compile the TE source into a module
semodule_package -o passenger-execmem.pp -m passenger-execmem.mod  # wrap the module into a policy package
semodule -i passenger-execmem.pp

Comment 13 Bryan Kearney 2019-10-29 12:02:14 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/26951 has been resolved.

Comment 15 Lukas Pramuk 2020-01-29 16:17:35 UTC
VERIFIED.

@satellite-6.7.0-5.beta.el7sat.noarch
foreman-selinux-1.24.1-1.el7sat.noarch

by the following manual steps:

# getenforce
Enforcing

# service foreman-tasks restart
Redirecting to /bin/systemctl restart foreman-tasks.service

# service foreman-tasks status
Redirecting to /bin/systemctl status foreman-tasks.service
● dynflowd.service - Foreman jobs daemon
   Loaded: loaded (/usr/lib/systemd/system/dynflowd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-29 11:01:42 EST; 6s ago
     Docs: https://theforeman.org
  Process: 18755 ExecStop=/usr/sbin/dynflowd stop (code=exited, status=0/SUCCESS)
  Process: 18836 ExecStart=/usr/sbin/dynflowd start (code=exited, status=0/SUCCESS)
    Tasks: 5
   CGroup: /system.slice/dynflowd.service
           ├─18890 dynflow_executor
           └─18891 dynflow_executor_monitor

Jan 29 11:01:35 satellite.example.com systemd[1]: Starting Foreman jobs daemon...
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /usr/share/foreman/lib/foreman.rb:8: warning: already initialized constant Foreman::UUID_REGEXP
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /usr/share/foreman/lib/foreman.rb:8: warning: previous definition of UUID_REGEXP was here
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: Dynflow Executor: start in progress
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:108: warning: conflicting chdir during another chdir block
Jan 29 11:01:41 satellite.example.com dynflowd[18836]: /opt/theforeman/tfm/root/usr/share/gems/gems/daemons-1.2.3/lib/daemons/daemonize.rb:75: warning: conflicting chdir during another chdir block
Jan 29 11:01:42 satellite.example.com dynflowd[18836]: dynflow_executor: process with pid 18890 started.
Jan 29 11:01:42 satellite.example.com systemd[1]: Started Foreman jobs daemon.
Hint: Some lines were ellipsized, use -l to show in full.

>>> foreman-tasks starts even with selinux enforcing

Comment 20 errata-xmlrpc 2020-04-14 13:23:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454

