Bug #19005
closed
AVCs as Foreman fails to transition to passenger_t on Fedora 24
Description
This is my first time installing TheForeman, and I'm trying to install it on a brand new Fedora 24 Server VM. I've followed the instructions in the quick start guide, and after running the installer, it fails when it gets to the smart proxy. If I disabled the proxy through the interactive installation, it the installation completes, but the site still does not load.
This is the error that is dumped out during installation :
/Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.testdomain.com]: Could not evaluate: Proxy foreman.testdomain.com cannot be retrieved: unknown error (response 500)
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:7:in `proxy'
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:13:in `id'
/usr/share/foreman-installer/modules/foreman/lib/puppet/provider/foreman_smartproxy/rest_v3.rb:17:in `exists?'
/usr/share/ruby/vendor_ruby/puppet/property/ensure.rb:81:in `retrieve'
/usr/share/ruby/vendor_ruby/puppet/type.rb:1043:in `retrieve'
/usr/share/ruby/vendor_ruby/puppet/type.rb:1071:in `retrieve_resource'
/usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:241:in `from_resource'
/usr/share/ruby/vendor_ruby/puppet/transaction/resource_harness.rb:19:in `evaluate'
/usr/share/ruby/vendor_ruby/puppet/transaction.rb:204:in `apply'
/usr/share/ruby/vendor_ruby/puppet/transaction.rb:220:in `eval_resource'
/usr/share/ruby/vendor_ruby/puppet/transaction.rb:147:in `call'
/usr/share/ruby/vendor_ruby/puppet/transaction.rb:147:in `block (2 levels) in evaluate'
/usr/share/ruby/vendor_ruby/puppet/util.rb:292:in `block in thinmark'
/usr/share/ruby/benchmark.rb:308:in `realtime'
/usr/share/ruby/vendor_ruby/puppet/util.rb:291:in `thinmark'
/usr/share/ruby/vendor_ruby/puppet/transaction.rb:147:in `block in evaluate'
/usr/share/ruby/vendor_ruby/puppet/graph/relationship_graph.rb:118:in `traverse'
/usr/share/ruby/vendor_ruby/puppet/transaction.rb:138:in `evaluate'
/usr/share/gems/gems/kafo-1.0.5/modules/kafo_configure/lib/puppet/parser/functions/add_progress.rb:30:in `evaluate_with_trigger'
/usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:178:in `block in apply'
/usr/share/ruby/vendor_ruby/puppet/util/log.rb:153:in `with_destination'
/usr/share/ruby/vendor_ruby/puppet/transaction/report.rb:107:in `as_logging_destination'
/usr/share/ruby/vendor_ruby/puppet/resource/catalog.rb:177:in `apply'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:119:in `block in apply_catalog'
/usr/share/ruby/vendor_ruby/puppet/util.rb:129:in `block in benchmark'
/usr/share/ruby/benchmark.rb:308:in `realtime'
/usr/share/ruby/vendor_ruby/puppet/util.rb:128:in `benchmark'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:118:in `apply_catalog'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:228:in `run_internal'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:134:in `block in run'
/usr/share/ruby/vendor_ruby/puppet/context.rb:64:in `override'
/usr/share/ruby/vendor_ruby/puppet.rb:223:in `override'
/usr/share/ruby/vendor_ruby/puppet/configurer.rb:133:in `run'
/usr/share/ruby/vendor_ruby/puppet/application/apply.rb:343:in `apply_catalog'
/usr/share/ruby/vendor_ruby/puppet/application/apply.rb:274:in `block in main'
/usr/share/ruby/vendor_ruby/puppet/context.rb:64:in `override'
/usr/share/ruby/vendor_ruby/puppet.rb:223:in `override'
/usr/share/ruby/vendor_ruby/puppet/application/apply.rb:225:in `main'
/usr/share/ruby/vendor_ruby/puppet/application/apply.rb:170:in `run_command'
/usr/share/ruby/vendor_ruby/puppet/application.rb:344:in `block in run'
/usr/share/ruby/vendor_ruby/puppet/util.rb:446:in `exit_on_fail'
/usr/share/ruby/vendor_ruby/puppet/application.rb:344:in `run'
/usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:128:in `run'
/usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:72:in `execute'
/usr/bin/puppet:5:in `<main>'
I've shut down the firewall completelely, and set SELinux to permissive and it still won't load. When I try disabling the smart proxy and then going to the website, that fails to load as well:
@
We're sorry, but something went wrong.
We've been notified about this issue and we'll take a look at it shortly.
@
In the error_log file I see this error:
[ 2017-03-23 10:45:16.7380 6922/7f88bb7fe700 age/Cor/Con/CheckoutSession.cpp:285 ]: [Client 2-163] Cannot checkout session because a spawning error occurred. The identifier of the error is 4bca0174. Please see earlier logs for details a$ rb_sysopen - /usr/share/foreman/tmp/cache/websockets_ssl_key20170323-18202-2tmgp6 (Errno::EACCES)
App 18202 stdout:
App 18202 stderr: [passenger_native_support.so] trying to compile for the current user (foreman) and Ruby interpreter...
App 18202 stderr:
App 18202 stderr: (set PASSENGER_COMPILE_NATIVE_SUPPORT_BINARY=0 to disable)
App 18202 stderr:
App 18202 stderr: Warning: compilation didn't succeed. To learn why, read this file:
App 18202 stderr:
App 18202 stderr: /tmp/passenger_native_support-nbait3.log
App 18202 stderr:
App 18202 stderr: [passenger_native_support.so] not downloading because passenger wasn't installed from a release package
App 18202 stderr:
App 18202 stderr: [passenger_native_support.so] will not be used (can't compile or download)
App 18202 stderr:
App 18202 stderr: --> Passenger will still operate normally.
App 18202 stderr:
App 18202 stderr: Log file /usr/share/foreman/log/production.log cannot be opened. Falling back to STDOUT
App 18202 stderr:
App 18202 stdout: WARN root : No appender set, logging to STDOUT
App 18202 stdout:
[ 2017-03-23 10:45:19.6900 6922/7f88c83ba700 age/Cor/App/Implementation.cpp:304 ]: Could not spawn process for application /usr/share/foreman: An error occurred while starting up the preloader.
Error ID: 659b0dc9
Error details saved to: /tmp/passenger-error-QQAXxX.html
Message from application: Permission denied
/usr/share/ruby/tempfile.rb:133:in `initialize'
/usr/share/ruby/tempfile.rb:133:in `open'
/usr/share/ruby/tempfile.rb:133:in `block in initialize'
/usr/share/ruby/tmpdir.rb:130:in `create'
/usr/share/ruby/tempfile.rb:131:in `initialize'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/core_ext/file/atomic.rb:21:in `new'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/core_ext/file/atomic.rb:21:in `atomic_write'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/cache/file_store.rb:83:in `write_entry'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/cache/strategy/local_cache.rb:115:in `write_entry'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/cache.rb:391:in `block in write'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/cache.rb:547:in `block in instrument'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/notifications.rb:166:in `instrument'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/cache.rb:547:in `instrument'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/cache.rb:389:in `write'
/usr/share/foreman/app/models/setting.rb:87:in `[]'
/usr/share/foreman/app/models/setting/auth.rb:55:in `validate_websockets_encrypt'
/usr/share/foreman/app/models/setting.rb:24:in `validate'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:455:in `public_send'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:455:in `block in make_lambda'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:182:in `block in conditional'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:504:in `block in call'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:504:in `each'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:504:in `call'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:92:in `__run_callbacks__'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:778:in `_run_validate_callbacks'
/usr/share/gems/gems/activemodel-4.2.5.2/lib/active_model/validations.rb:399:in `run_validations!'
/usr/share/gems/gems/activemodel-4.2.5.2/lib/active_model/validations/callbacks.rb:113:in `block in run_validations!'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:117:in `call'
/usr/share/gems/gems/activemodel-4.2.5.2/lib/active_model/validations/callbacks.rb:113:in `block in run_validations!'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:117:in `call'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:555:in `block (2 levels) in compile'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:505:in `call'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:92:in `__run_callbacks__'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/callbacks.rb:778:in `_run_validation_callbacks'
/usr/share/gems/gems/activemodel-4.2.5.2/lib/active_model/validations/callbacks.rb:113:in `run_validations!'
/usr/share/gems/gems/activemodel-4.2.5.2/lib/active_model/validations.rb:338:in `valid?'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/validations.rb:58:in `valid?'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/validations.rb:83:in `perform_validations'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/validations.rb:37:in `save'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/attribute_methods/dirty.rb:21:in `save'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:286:in `block (2 levels) in save'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:351:in `block in with_transaction_returning_status'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/connection_adapters/abstract/database_statements.rb:211:in `transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:220:in `transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:348:in `with_transaction_returning_status'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:286:in `block in save'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:301:in `rollback_active_record_state!'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:285:in `save'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/persistence.rb:252:in `block in update'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:351:in `block in with_transaction_returning_status'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/connection_adapters/abstract/database_statements.rb:211:in `transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:220:in `transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:348:in `with_transaction_returning_status'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/persistence.rb:250:in `update'
/usr/share/foreman/app/models/setting.rb:228:in `block in create_existing'
/usr/share/foreman/app/models/setting.rb:244:in `bypass_readonly'
/usr/share/foreman/app/models/setting.rb:224:in `create_existing'
/usr/share/foreman/app/models/setting.rb:203:in `create!'
/usr/share/foreman/app/models/setting/auth.rb:38:in `block (2 levels) in load_defaults'
/usr/share/foreman/app/models/setting/auth.rb:38:in `each'
/usr/share/foreman/app/models/setting/auth.rb:38:in `block in load_defaults'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `block in transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/connection_adapters/abstract/transaction.rb:184:in `within_new_transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/connection_adapters/abstract/database_statements.rb:213:in `transaction'
/usr/share/gems/gems/activerecord-4.2.5.2/lib/active_record/transactions.rb:220:in `transaction'
/usr/share/foreman/app/models/setting/auth.rb:13:in `load_defaults'
/usr/share/foreman/config/initializers/foreman.rb:25:in `each'
/usr/share/foreman/config/initializers/foreman.rb:25:in `<top (required)>'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/dependencies.rb:268:in `load'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/dependencies.rb:268:in `block in load'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/dependencies.rb:240:in `load_dependency'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/dependencies.rb:268:in `load'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/engine.rb:652:in `block in load_config_initializer'
/usr/share/gems/gems/activesupport-4.2.5.2/lib/active_support/notifications.rb:166:in `instrument'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/engine.rb:651:in `load_config_initializer'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/engine.rb:616:in `block (2 levels) in <class:Engine>'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/engine.rb:615:in `each'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/engine.rb:615:in `block in <class:Engine>'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:30:in `instance_exec'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:30:in `run'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:55:in `block in run_initializers'
/usr/share/ruby/tsort.rb:228:in `block in tsort_each'
/usr/share/ruby/tsort.rb:350:in `block (2 levels) in each_strongly_connected_component'
/usr/share/ruby/tsort.rb:422:in `block (2 levels) in each_strongly_connected_component_from'
/usr/share/ruby/tsort.rb:431:in `each_strongly_connected_component_from'
/usr/share/ruby/tsort.rb:421:in `block in each_strongly_connected_component_from'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:44:in `each'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:44:in `tsort_each_child'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:44:in `each'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:44:in `tsort_each_child'
/usr/share/ruby/tsort.rb:415:in `call'
/usr/share/ruby/tsort.rb:415:in `each_strongly_connected_component_from'
/usr/share/ruby/tsort.rb:349:in `block in each_strongly_connected_component'
/usr/share/ruby/tsort.rb:347:in `each'
/usr/share/ruby/tsort.rb:347:in `call'
/usr/share/ruby/tsort.rb:347:in `each_strongly_connected_component'
/usr/share/ruby/tsort.rb:226:in `tsort_each'
/usr/share/ruby/tsort.rb:205:in `tsort_each'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/initializable.rb:54:in `run_initializers'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/application.rb:352:in `initialize!'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/railtie.rb:194:in `public_send'
/usr/share/gems/gems/railties-4.2.5.2/lib/rails/railtie.rb:194:in `method_missing'
/usr/share/foreman/config/environment.rb:5:in `<top (required)>'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
config.ru:3:in `block in <main>'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `instance_eval'
/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `initialize'
config.ru:1:in `new'
config.ru:1:in `<main>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:110:in `eval'
/usr/share/passenger/helper-scripts/rack-preloader.rb:110:in `preload_app'
/usr/share/passenger/helper-scripts/rack-preloader.rb:156:in `<module:App>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:30:in `<module:PhusionPassenger>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<main>'
[ 2017-03-23 10:45:19.7070 6922/7f88bbfff700 age/Cor/Con/CheckoutSession.cpp:285 ]: [Client 1-164] Cannot checkout session because a spawning error occurred. The identifier of the error is 659b0dc9. Please see earlier logs for details a$
@
We're completely stuck here. I've tried a few different flavors of OS (Server/Workstation). It's been a huge pain.
Updated by Jonathan Mulcahy about 7 years ago
- Priority changed from Normal to High
Updated by Dominic Cleal about 7 years ago
- Status changed from New to Need more information
Message from application: Permission denied rb_sysopen - /usr/share/foreman/tmp/cache/websockets_ssl_key20170323-18202-2tmgp6 (Errno::EACCES) suggests that there may be an SELinux denial - check for AVCs and upload AVC/audit logs if you have any.
Otherwise perhaps the app is running as the wrong user (~foreman/config.ru should be owned by foreman).
Updated by Jonathan Mulcahy about 7 years ago
Dominic Cleal wrote:
Message from application: Permission denied rb_sysopen - /usr/share/foreman/tmp/cache/websockets_ssl_key20170323-18202-2tmgp6 (Errno::EACCES)suggests that there may be an SELinux denial - check for AVCs and upload AVC/audit logs if you have any.Otherwise perhaps the app is running as the wrong user (~foreman/config.ru should be owned by
foreman).
Hi Dominic,
Thanks for the quick reply! Very much appreciated.
It looks like config.ru is owned by foreman:rw-r--r-. 1 foreman foreman 344 Mar 2 04:13 config.ru
I saw a bunch of AVC Denied entries in the audit.log. I'm not sure how to get the entire line through putty, so they are truncated at the end
type=AVC msg=audit(1490283147.302:243): avc: denied { create } for pid=1214 comm="ruby-mri" name=".passenger" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283147.302:244): avc: denied { create } for pid=1214 comm="ruby-mri" name=".permission_test" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
type=AVC msg=audit(1490283147.303:245): avc: denied { write } for pid=1214 comm="ruby-mri" path="/usr/share/foreman/.passenger/native_support/5.0.26/ruby-2.3.3-x86_64-linux/.permission_test" dev="dm-0" ino=1498102 scontext=system_u:s$
type=AVC msg=audit(1490283147.303:246): avc: denied { unlink } for pid=1214 comm="ruby-mri" name=".permission_test" dev="dm-0" ino=1498102 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissi$
type=AVC msg=audit(1490283149.119:247): avc: denied { write } for pid=1235 comm="ruby-mri" name="puppet" dev="dm-0" ino=17646413 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir permissi$
type=AVC msg=audit(1490283149.119:248): avc: denied { add_name } for pid=1235 comm="ruby-mri" name=".passenger" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283149.119:249): avc: denied { create } for pid=1235 comm="ruby-mri" name=".passenger" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283149.119:250): avc: denied { create } for pid=1235 comm="ruby-mri" name=".permission_test" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1490283149.119:251): avc: denied { write } for pid=1235 comm="ruby-mri" path="/var/lib/puppet/.passenger/native_support/5.0.26/ruby-2.3.3-x86_64-linux/.permission_test" dev="dm-0" ino=1498103 scontext=system_u:syst$
type=AVC msg=audit(1490283149.119:252): avc: denied { remove_name } for pid=1235 comm="ruby-mri" name=".permission_test" dev="dm-0" ino=1498103 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tcla$
type=AVC msg=audit(1490283149.119:253): avc: denied { unlink } for pid=1235 comm="ruby-mri" name=".permission_test" dev="dm-0" ino=1498103 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=fi$
type=AVC msg=audit(1490283149.911:254): avc: denied { read } for pid=1235 comm="ruby-mri" name="modules" dev="dm-0" ino=25464992 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283150.810:255): avc: denied { write } for pid=1235 comm="ruby-mri" name="puppet" dev="dm-0" ino=25513626 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283150.810:256): avc: denied { add_name } for pid=1235 comm="ruby-mri" name="masterhttp.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283150.810:257): avc: denied { create } for pid=1235 comm="ruby-mri" name="masterhttp.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1490283150.811:258): avc: denied { write open } for pid=1235 comm="ruby-mri" path="/var/log/puppet/masterhttp.log" dev="dm-0" ino=25643465 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_log$
type=AVC msg=audit(1490283150.815:259): avc: denied { relabelfrom } for pid=1235 comm="ruby-mri" name="yaml" dev="dm-0" ino=10056981 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir $
type=AVC msg=audit(1490283150.815:260): avc: denied { relabelto } for pid=1235 comm="ruby-mri" name="yaml" dev="dm-0" ino=10056981 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir permis$
type=AVC msg=audit(1490283150.937:261): avc: denied { relabelfrom } for pid=1235 comm="ruby-mri" name="ca_crt.pem" dev="dm-0" ino=10098407 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclas$
type=AVC msg=audit(1490283150.938:262): avc: denied { relabelto } for pid=1235 comm="ruby-mri" name="ca_crt.pem" dev="dm-0" ino=10098407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file$
type=AVC msg=audit(1490283150.940:263): avc: denied { setattr } for pid=1235 comm="ruby-mri" name="ca_key.pem" dev="dm-0" ino=10098403 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=fi$
type=AVC msg=audit(1490283151.348:264): avc: denied { fowner } for pid=1259 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1490283151.348:265): avc: denied { fsetid } for pid=1259 comm="chmod" capability=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1490283151.512:266): avc: denied { execute } for pid=1277 comm="utils.rb:110" name="node.rb" dev="dm-0" ino=415398 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file permi$
type=AVC msg=audit(1490283151.512:267): avc: denied { read open } for pid=1277 comm="utils.rb:110" path="/etc/puppet/node.rb" dev="dm-0" ino=415398 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tcl$
type=AVC msg=audit(1490283151.512:268): avc: denied { execute_no_trans } for pid=1277 comm="utils.rb:110" path="/etc/puppet/node.rb" dev="dm-0" ino=415398 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_enc_t$
type=AVC msg=audit(1490283151.563:269): avc: denied { getattr } for pid=1277 comm="ruby-mri" path="/etc/puppet/node.rb" dev="dm-0" ino=415398 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=fi$
type=AVC msg=audit(1490283151.564:270): avc: denied { ioctl } for pid=1277 comm="ruby-mri" path="/etc/puppet/node.rb" dev="dm-0" ino=415398 ioctlcmd=5401 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_enc_t:$
type=AVC msg=audit(1490283153.783:271): avc: denied { write } for pid=1214 comm="ruby-mri" name="production.log" dev="dm-0" ino=9986957 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:foreman_log_t:s0 tclass=file$
type=AVC msg=audit(1490283153.783:272): avc: denied { open } for pid=1214 comm="ruby-mri" path="/var/log/foreman/production.log" dev="dm-0" ino=9986957 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:foreman_log_$
type=AVC msg=audit(1490283156.002:273): avc: denied { write } for pid=1214 comm="ruby-mri" name="foreman" dev="tmpfs" ino=17514 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissi$
type=AVC msg=audit(1490283156.002:274): avc: denied { add_name } for pid=1214 comm="ruby-mri" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283156.002:275): avc: denied { create } for pid=1214 comm="ruby-mri" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283156.002:276): avc: denied { create } for pid=1214 comm="ruby-mri" name="entries_per_page20170323-1214-1dmovs3" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=fil$
type=AVC msg=audit(1490283156.002:277): avc: denied { read write open } for pid=1214 comm="ruby-mri" path="/run/foreman/cache/entries_per_page20170323-1214-1dmovs3" dev="tmpfs" ino=24218 scontext=system_u:system_r:httpd_t:s0 tcontext$
type=AVC msg=audit(1490283156.002:278): avc: denied { ioctl } for pid=1214 comm="ruby-mri" path="/run/foreman/cache/entries_per_page20170323-1214-1dmovs3" dev="tmpfs" ino=24218 ioctlcmd=5401 scontext=system_u:system_r:httpd_t:s0 tcon$
type=AVC msg=audit(1490283156.006:279): avc: denied { append } for pid=1214 comm="ruby-mri" path="/run/foreman/cache/69D/EC0/.permissions_check.47229507416340.1214.316830" dev="tmpfs" ino=24759 scontext=system_u:system_r:httpd_t:s0 t$
type=AVC msg=audit(1490283156.006:280): avc: denied { remove_name } for pid=1214 comm="ruby-mri" name=".permissions_check.47229507416340.1214.316830" dev="tmpfs" ino=24759 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:objec$
type=AVC msg=audit(1490283156.006:281): avc: denied { unlink } for pid=1214 comm="ruby-mri" name=".permissions_check.47229507416340.1214.316830" dev="tmpfs" ino=24759 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:f$
type=AVC msg=audit(1490283156.006:282): avc: denied { rename } for pid=1214 comm="ruby-mri" name="entries_per_page20170323-1214-1dmovs3" dev="tmpfs" ino=24218 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_v$
type=AVC msg=audit(1490283156.006:283): avc: denied { setattr } for pid=1214 comm="ruby-mri" name="entries_per_page" dev="tmpfs" ino=24218 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=f$
type=SERVICE_STOP msg=audit(1490283156.944:284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? $
type=AVC msg=audit(1490283156.957:285): avc: denied { read } for pid=1214 comm="ruby-mri" name="EC0" dev="tmpfs" ino=24217 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1490283156.957:286): avc: denied { rmdir } for pid=1214 comm="ruby-mri" name="EC0" dev="tmpfs" ino=24217 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=USER_AVC msg=audit(1490283170.085:287): pid=774 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.14 spid=875 tpid=1489 scon$
type=AVC msg=audit(1490283170.603:288): avc: denied { rmdir } for pid=1268 comm="utils.rb:110" name="foreman.smartpakequine.com.yaml20170323-1263-1qxae8.lock" dev="dm-0" ino=10094761 scontext=system_u:system_r:httpd_t:s0 tcontext=sys$
type=AVC msg=audit(1490283170.603:289): avc: denied { setattr } for pid=1268 comm="utils.rb:110" name="foreman.smartpakequine.com.yaml20170323-1263-1qxae8" dev="dm-0" ino=1498104 scontext=system_u:system_r:httpd_t:s0 tcontext=system_$
type=AVC msg=audit(1490283170.609:290): avc: denied { rename } for pid=1268 comm="utils.rb:110" name="foreman.smartpakequine.com.yaml20170323-1263-1qxae8" dev="dm-0" ino=1498104 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u$
type=AVC msg=audit(1490283170.603:289): avc: denied { setattr } for pid=1268 comm="utils.rb:110" name="foreman.smartpakequine.com.yaml20170323-1263-1qxae8" dev="dm-0" ino=1498104 scontext=system_u:system_r:httpd_t:s0 tcontext=system_$
type=AVC msg=audit(1490283170.609:290): avc: denied { rename } for pid=1268 comm="utils.rb:110" name="foreman.smartpakequine.com.yaml20170323-1263-1qxae8" dev="dm-0" ino=1498104 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u$
type=SERVICE_STOP msg=audit(1490283173.833:291): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=succ$
type=SERVICE_STOP msg=audit(1490283204.083:292): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rolekit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1490283210.033:293): pid=1627 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:3a:44:82:8f:35:d4:d7:5e:a8:35:37:36:90:a3:d6:74:52:bc:2$
type=CRYPTO_KEY_USER msg=audit(1490283210.033:294): pid=1627 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:56:92:48:83:8a:ea:88:b7:55:e8:79:6b:5a:99:bb:10:31:2d:9$
type=CRYPTO_KEY_USER msg=audit(1490283210.033:295): pid=1627 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:0b:60:10:0c:1d:c6:88:89:25:1c:96:ee:81:80:f9:ed:47:3e:d$
type=CRYPTO_SESSION msg=audit(1490283210.035:296): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-h$
type=CRYPTO_SESSION msg=audit(1490283210.035:297): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha2-256 pfs=diffie-h$
type=USER_AUTH msg=audit(1490283215.102:298): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=172.16.1.156$
type=USER_ACCT msg=audit(1490283215.104:299): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/sbin/sshd" hostname=17$
type=CRYPTO_KEY_USER msg=audit(1490283215.106:300): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1627 suid=74 rport=4678 laddr=172.16.0.$
type=USER_AUTH msg=audit(1490283215.106:301): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=172.16.1.156 terminal=ssh res=succ$
type=CRED_ACQ msg=audit(1490283215.107:302): pid=1626 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=172.16.1.156 addr=17$
type=LOGIN msg=audit(1490283215.107:303): pid=1626 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=1 res=1
type=USER_ROLE_CHANGE msg=audit(1490283215.157:304): pid=1626 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:$
type=USER_AVC msg=audit(1490283215.165:305): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1490283215.167:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1490283215.189:307): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1490283215.191:308): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='Unknown permission start for class system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_ACCT msg=audit(1490283215.197:309): pid=1632 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/lib/systemd/systemd" hostname=? ad$
type=USER_ROLE_CHANGE msg=audit(1490283215.233:310): pid=1632 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfi$
type=USER_START msg=audit(1490283215.235:311): pid=1632 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="ro$
type=SERVICE_START msg=audit(1490283215.278:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1490283215.281:313): pid=1626 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_lim$
type=CRYPTO_KEY_USER msg=audit(1490283215.282:314): pid=1645 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:3a:44:82:8f:35:d4:d7:5e:a8:35:37:36:90:a3:d6:74:52:bc:22:e7:be:22:a3:c7:1$
type=CRYPTO_KEY_USER msg=audit(1490283215.282:315): pid=1645 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:56:92:48:83:8a:ea:88:b7:55:e8:79:6b:5a:99:bb:10:31:2d:97:8f:d6:5e:18:7d:0$
type=CRYPTO_KEY_USER msg=audit(1490283215.282:316): pid=1645 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:0b:60:10:0c:1d:c6:88:89:25:1c:96:ee:81:80:f9:ed:47:3e:da:32:f9:84:44:19:3$
type=CRED_ACQ msg=audit(1490283215.283:317): pid=1645 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/sshd" hostname=172.16.1.156 addr=172.16.1.156 termina$
type=USER_LOGIN msg=audit(1490283215.336:318): pid=1626 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=172.16.1.156 addr=172.16.1.156 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1490283215.336:319): pid=1626 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=172.16.1.156 addr=172.16.1.156 terminal=/dev/pts/0 res=success'
type=CRYPTO_KEY_USER msg=audit(1490283215.337:320): pid=1626 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:0b:60:10:0c:1d:c6:88:89:25:1c:96:ee:81:80:f9:ed:47:3e:da:32:f9:84:44:19:3$
Updated by Dominic Cleal about 7 years ago
- Project changed from Foreman to SELinux
- Subject changed from Unable to install Foreman_smartproxy on fresh Fedora 24 Server machine to AVCs as Foreman fails to transition to passenger_t on Fedora 24
- Category set to General Foreman
- Status changed from Need more information to New
- Priority changed from High to Normal
The logs indicate that Foreman's running in the domain httpd_t rather than passenger_t, so the foreman-selinux policy's going to be mostly inactive.
The bug could be incorrect labelling of Passenger binaries to enable the domain transition, or similar (possibly a bug in Fedora's own policy rather than Foreman's).
It may be useful to add the Passenger version (rpm -q passenger) for the record.
To run Foreman in the meantime, disable SELinux.
Updated by Jonathan Mulcahy about 7 years ago
Dominic Cleal wrote:
The logs indicate that Foreman's running in the domain httpd_t rather than passenger_t, so the foreman-selinux policy's going to be mostly inactive.
The bug could be incorrect labelling of Passenger binaries to enable the domain transition, or similar (possibly a bug in Fedora's own policy rather than Foreman's).
It may be useful to add the Passenger version (
rpm -q passenger) for the record.To run Foreman in the meantime, disable SELinux.
Hey Dominic
Here's the version of Passenger:
passenger-5.0.26-2.fc24.x86_64
In the meantime, I've rebooted the box, disabled the firewall and then stopped the firewall, enabled the proxy and reran the installer. After doing that it came up.
Are there any other logs you'd like? If you want to reproduce it, it's pretty easy, download a Fedora 24 and setup a new machine, it happened all 3 times I started over.
Updated by Dominic Cleal about 7 years ago
I don't think any further logs are required, the information in the last was enough to triage it for me.
Updated by Lukas Kallies about 6 years ago
I had a similar issue and the problem was that PassengerWatchdog wasn't switching to passenger_t and stayed on httpd_t. The reslution was setting
setsebool -P httpd_run_stickshift 0(it has been enabled before by a Puppet module which has been assigend by accident).
Updated by Lukas Zapletal almost 4 years ago
- Status changed from New to Rejected
I am doing a cleanup of old SELinux bug reports. We are removing puppetmaster policy based on passenger_t, most of these bugs were related to that.