Bug 1853463 - Plugin does not upload inventory - Permission denied /var/lib/foreman/red_hat_inventory/uploads/uploader.sh
Summary: Plugin does not upload inventory - Permission denied /var/lib/foreman/red_hat...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: RH Cloud - Inventory
Version: 6.8.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: 6.8.0
Assignee: Shimon Shtein
QA Contact: Mirek Długosz
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-02 18:12 UTC by Mirek Długosz
Modified: 2020-10-27 13:04 UTC
CC: 5 users

Fixed In Version: 2.0.9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 13:03:46 UTC
Target Upstream Version:
Embargoed:




Links
- Red Hat Bugzilla 1856831 (priority unspecified, status CLOSED): New version of the plugin is available: 2.0.9 (last updated 2021-02-22 00:41:40 UTC)
- Red Hat Product Errata RHSA-2020:4366 (last updated 2020-10-27 13:04:03 UTC)

Description Mirek Długosz 2020-07-02 18:12:16 UTC
On Satellite 6.8.0 snap 7, the RH Cloud - Inventory plugin fails to upload inventory. See the attached excerpt of the production.log file.

Error is:
"Permission denied - /var/lib/foreman/red_hat_inventory/uploads/uploader.sh (Errno::EACCES)"

But the script does have the executable bit set:
$ ls -lahZ /var/lib/foreman/red_hat_inventory/uploads/uploader.sh
-rwxr-xr-x. foreman foreman system_u:object_r:foreman_lib_t:s0 /var/lib/foreman/red_hat_inventory/uploads/uploader.sh

I suppose this might be an SELinux error, similar to bz#1852371


Found on:
Satellite 6.8.0 snap 7
foreman-2.1.0-0.22.rc3.el7sat.noarch
pulp-server-2.21.2-1.el7sat.noarch
katello-3.16.0-0.3.rc3.el7sat.noarch
satellite-6.8.0-0.6.beta.el7sat.noarch
tfm-rubygem-foreman_rh_cloud-2.0.8-1.el7sat.noarch

Comment 3 Lukas Zapletal 2020-07-03 07:27:45 UTC
Mirek, the Foreman process has admin SELinux permissions on this type:

admin_pattern(foreman_rails_t, foreman_lib_t, foreman_lib_t)

If you think it's a SELinux issue, then investigate audit log for denials:

ausearch -m AVC

Comment 4 Adam Ruzicka 2020-07-03 08:46:00 UTC
Could you also check what mount options are set on the filesystem where the script resides?

Comment 5 Mirek Długosz 2020-07-03 09:39:26 UTC
Output of `ausearch -m AVC`:
#v+
time->Thu Jul  2 14:01:12 2020
type=PROCTITLE msg=audit(1593712872.270:4364): proctitle=736964656B697120352E322E3720205B31206F66203520627573795D
type=SYSCALL msg=audit(1593712872.270:4364): arch=c000003e syscall=59 success=no exit=-13 a0=1c748d90 a1=1e789468 a2=13cfe440 a3=ff items=0 ppid=10578 pid=36922 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="diagnostic_con*" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
type=AVC msg=audit(1593712872.270:4364): avc:  denied  { execute } for  pid=36922 comm="diagnostic_con*" name="uploader.sh" dev="dm-0" ino=205094899 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=0
#v-

Output of `sealert` on relevant part of `/var/log/audit/audit.log`:
#v+
SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from execute access on the file uploader.sh.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ruby should be allowed execute access on the uploader.sh file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'diagnostic_con*' --raw | audit2allow -M my-diagnosticcon
# semodule -i my-diagnosticcon.pp


Additional Information:
Source Context                system_u:system_r:foreman_rails_t:s0
Target Context                system_u:object_r:foreman_lib_t:s0
Target Objects                uploader.sh [ file ]
Source                        diagnostic_con*
Source Path                   /opt/rh/rh-ruby25/root/usr/bin/ruby
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           rh-ruby25-ruby-2.5.5-7.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-266.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dhcp-3-250.domain.redhat.com
Platform                      Linux dhcp-3-250.domain.redhat.com
                              3.10.0-1127.el7.x86_64 #1 SMP Tue Feb 18 16:39:12
                              EST 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-07-02 10:18:17 EDT
Last Seen                     2020-07-02 10:18:17 EDT
Local ID                      4a0fd0bf-e481-4082-8487-dc96f638b931

Raw Audit Messages
type=AVC msg=audit(1593699497.118:2353): avc:  denied  { execute } for  pid=30679 comm="diagnostic_con*" name="uploader.sh" dev="dm-0" ino=205094899 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1593699497.118:2353): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f8d05ab86a0 a1=7f8d05ab86e8 a2=7f8d05b849d0 a3=ff items=0 ppid=10578 pid=30679 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:foreman_rails_t:s0 key=(null)

Hash: diagnostic_con*,foreman_rails_t,foreman_lib_t,file,execute
#v-

Finally, mount options:
#v+
mount |grep -v cgroup
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=10178228k,nr_inodes=2544557,mode=755)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,relatime)
/dev/mapper/rhel_dhcp--3--240-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,seclabel)
mqueue on /dev/mqueue type mqueue (rw,relatime,seclabel)
/dev/sda1 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/rhel_dhcp--3--240-home on /home type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/0 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=2037988k,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=43,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=261350)
#v-


SELinux was never my strong suit, but if I'm reading that correctly, the process runs in domain foreman_rails_t, while the script is in domain foreman_lib_t.
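The denial records quoted in this comment can be triaged mechanically rather than by eye. The following Python is an added example, not code from the bug report or from the foreman_rh_cloud plugin: it parses the raw `type=AVC` lines that `ausearch -m AVC` prints (the sample input below is the two records pasted above, plus one SYSCALL line that the parser must skip), extracts the source domain, target type, object class and denied permission from each, and builds the same grouping key that sealert prints as "Hash:". Class and function names are this example's own.

```python
"""Triage SELinux AVC denials from audit.log.

Added example, not part of the bug report or the foreman_rh_cloud plugin.
Parses raw `type=AVC` records as printed by `ausearch -m AVC`, pulls out the
source domain, target type, object class and permission, and groups denials
by the same key sealert shows on its "Hash:" line.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the two AVC records and one SYSCALL record pasted in this bug
# (copied from the comment, not constructed). The SYSCALL line must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1593712872.270:4364): avc:  denied  { execute } for  pid=36922 comm="diagnostic_con*" name="uploader.sh" dev="dm-0" ino=205094899 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1593712872.270:4364): arch=c000003e syscall=59 success=no exit=-13 a0=1c748d90 a1=1e789468 a2=13cfe440 a3=ff items=0 ppid=10578 pid=36922 auid=4294967295 uid=997 gid=994 comm="diagnostic_con*" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
type=AVC msg=audit(1593699497.118:2353): avc:  denied  { execute } for  pid=30679 comm="diagnostic_con*" name="uploader.sh" dev="dm-0" ino=205094899 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=0
"""

# "type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perm ... } for  key=value ..."
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="diagnostic_con*") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: tuple         # e.g. ("execute",)
    fields: dict         # pid, comm, name, scontext, tcontext, tclass, permissive, ...

    @property
    def source_type(self):
        # A context is user:role:type:level; the type (domain) is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

    def enforcing(self):
        # permissive=0 means the denial was actually enforced, not just logged.
        return self.fields.get("permissive") == "0"

    def sealert_hash(self):
        # sealert's "Hash:" key: comm, source type, target type, class, permission(s).
        return ",".join([self.fields.get("comm", "?"), self.source_type,
                         self.target_type, self.fields["tclass"], *self.perms])


def parse_avc_records(text):
    """Return one AvcRecord per type=AVC line; every other record type is skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append(AvcRecord(float(m.group("ts")), int(m.group("serial")),
                                 m.group("result"), tuple(m.group("perms").split()), fields))
    return records


def summarize(records):
    """Count enforced denials per sealert hash, so repeated hits collapse to one line."""
    return Counter(r.sealert_hash() for r in records if r.result == "denied")


def describe(rec):
    """One-line plain-language reading of a record (domain vs. label, as in the comment)."""
    verb = "denied" if rec.result == "denied" else "allowed"
    mode = "enforcing" if rec.enforcing() else "permissive"
    return (f"{rec.fields.get('comm', '?')} (pid {rec.fields.get('pid', '?')}) in domain "
            f"{rec.source_type} was {verb} {' '.join(rec.perms)} on {rec.fields['tclass']} "
            f"{rec.fields.get('name', '?')} labelled {rec.target_type} ({mode})")


if __name__ == "__main__":
    recs = parse_avc_records(SAMPLE_AUDIT)
    for key, count in summarize(recs).items():
        print(f"{count}x {key}")
    for r in recs:
        print(describe(r))
```

The grouping key is deliberately the same tuple sealert uses (comm, source type, target type, class, permission), so the summary line for this bug comes out as "diagnostic_con*,foreman_rails_t,foreman_lib_t,file,execute" and can be matched directly against a sealert report. The `enforcing()` check matters when comparing against a `setenforce 0` run like the one in comment 7: in permissive mode the same record is still logged, but with permissive=1.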

Comment 6 Shimon Shtein 2020-07-05 13:05:18 UTC
The script is executed from an ActiveJob instance that initiates a popen call. Is there a chance that the dynflow daemon runs in a context that does not allow shell execution?

Comment 7 Lukáš Hellebrandt 2020-07-15 12:50:23 UTC
This hit me today and I can confirm the upload passes after `setenforce 0`.

Comment 10 Mirek Długosz 2020-07-20 15:24:12 UTC
As of snap 9, data can be uploaded to the cloud. SELinux is not blocking execution of the script.


Tested on:
Satellite 6.8 snap 9
foreman-2.1.0-1.el7sat.noarch
pulp-server-2.21.2-1.el7sat.noarch
katello-3.16.0-0.4.rc4.el7sat.noarch
satellite-6.8.0-0.7.beta.el7sat.noarch
tfm-rubygem-foreman_rh_cloud-2.0.9-1.fm2_1.el7sat.noarch

Comment 16 errata-xmlrpc 2020-10-27 13:03:46 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366