Bug #12398: Write to /var/run/foreman/pids/dynflow_executor.output is prevented - SELinux - Foreman

Actions

Copy link

Bug #12398

closed

Write to /var/run/foreman/pids/dynflow_executor.output is prevented

Added by Lukas Zapletal over 8 years ago. Updated almost 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Difficulty:

Triaged:

Bugzilla link:

1273371

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

When users configure for sendmail, we block this.

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Lukas Zapletal over 8 years ago

Tracker changed from Feature to Bug
Subject changed from Create boolean for sendmail to Write to /var/run/foreman/pids/dynflow_executor.output is prevented

Oh we do this already, the error user see is:

SELinux is preventing /usr/sbin/sendmail.postfix from append access on the file /var/run/foreman/pids/dynflow_executor.output

type=AVC msg=audit(1445266684.536:1061): avc: denied { append } for pid=20151 comm="sendmail" path="/var/run/foreman/pids/dynflow_executor.output" dev=dm-1 ino=1711405 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file

type=SYSCALL msg=audit(1445266684.536:1061): arch=x86_64 syscall=execve success=yes exit=0 a0=984aa0 a1=983470 a2=983140 a3=38 items=0 ppid=2893 pid=20151 auid=4294967295 uid=495 gid=494 euid=495 suid=495 fsuid=495 egid=494 sgid=494 fsgid=494 tty=(none) ses=4294967295 comm=sendmail exe=/usr/sbin/sendmail.postfix subj=system_u:system_r:system_mail_t:s0 key=(null)

Actions

Copy link

Updated by Lukas Zapletal over 8 years ago

Category deleted (~~General Foreman~~)

This is file descriptor leak in foreman-tasks / daemons gem. It redirects STDOUT/STDERR in this file, so when we change the SELinux domain it is prevented from appending there. We should either log to a safe directory, or better output should be sent to syslog/journald (a patch for daemons gem is needed for that).

Actions

Copy link