Bug #2896

closed

selinux denials on F19

Added by Ben Breard over 10 years ago. Updated over 10 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: General Foreman
Target version: -

Description

F19 kickstarted with:
%packages
@core
@standard

and updated as of Aug 7th gets the following avc denied messages. I can install the selinux troubleshooting packages and provide more info if needed.

cat audit.log | grep denied

type=AVC msg=audit(1375904966.857:754): avc: denied { search } for pid=15797 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904967.126:755): avc: denied { search } for pid=15797 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904968.343:757): avc: denied { search } for pid=15839 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904968.347:758): avc: denied { name_connect } for pid=15797 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1375904969.414:761): avc: denied { search } for pid=15842 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904970.075:762): avc: denied { search } for pid=15842 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904971.109:764): avc: denied { search } for pid=15857 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904971.212:765): avc: denied { search } for pid=15867 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375904971.217:766): avc: denied { name_connect } for pid=15842 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1375904971.252:767): avc: denied { search } for pid=15842 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375906369.960:795): avc: denied { getattr } for pid=16143 comm="httpd" path="/etc/puppet/rack/public" dev="sda3" ino=2753244 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375906370.070:796): avc: denied { name_connect } for pid=15842 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1375906372.063:799): avc: denied { getattr } for pid=16152 comm="ruby-mri" path="socket:[41989]" dev="sockfs" ino=41989 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1375906372.065:800): avc: denied { ioctl } for pid=16152 comm="ruby-mri" path="socket:[41989]" dev="sockfs" ino=41989 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1375906378.711:802): avc: denied { getattr } for pid=16189 comm="ruby-mri" path="/etc/puppet/puppet.conf" dev="sda3" ino=2753237 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375906379.245:803): avc: denied { read } for pid=16199 comm="ruby-mri" name="puppet.conf" dev="sda3" ino=2753237 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375906379.245:803): avc: denied { open } for pid=16199 comm="ruby-mri" path="/etc/puppet/puppet.conf" dev="sda3" ino=2753237 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375906379.245:804): avc: denied { ioctl } for pid=16199 comm="ruby-mri" path="/etc/puppet/puppet.conf" dev="sda3" ino=2753237 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375906379.248:805): avc: denied { getattr } for pid=16199 comm="ruby-mri" path="/etc/puppet/environments/production/modules" dev="sda3" ino=2753252 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375906379.248:806): avc: denied { read } for pid=16199 comm="ruby-mri" name="modules" dev="sda3" ino=2753252 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=AVC msg=audit(1375906379.248:806): avc: denied { open } for pid=16199 comm="ruby-mri" path="/etc/puppet/environments/production/modules" dev="sda3" ino=2753252 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

Cheers,
-Ben
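As an added illustration (not code from the report or from Foreman), here is a small Python parser that groups AVC denials like those above by source type, target type, object class and permission, which is the first triage step before deciding whether a policy boolean, a file-context fix or a local policy module is the right response. The sample lines are copied from the report above plus one constructed non-AVC record to show that other audit record types are skipped.

```python
import re
from collections import Counter

# A type=AVC record: the permission set sits in braces after "denied",
# followed by space-separated key=value fields (values may be quoted).
AVC_RE = re.compile(r'type=AVC .*?avc: denied \{ (?P<perms>[^}]+) \} for (?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: four lines taken from the report above plus one
# constructed SYSCALL record (not an AVC denial) that must be ignored.
SAMPLE_LINES = [
    'type=AVC msg=audit(1375904966.857:754): avc: denied { search } for pid=15797 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1375904967.126:755): avc: denied { search } for pid=15797 comm="httpd" name="puppet" dev="sda3" ino=2753786 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1375904968.347:758): avc: denied { name_connect } for pid=15797 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1375906372.063:799): avc: denied { getattr } for pid=16152 comm="ruby-mri" path="socket:[41989]" dev="sockfs" ino=41989 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket',
    'type=AVC msg=audit(1375906379.245:803): avc: denied { read } for pid=16199 comm="ruby-mri" name="puppet.conf" dev="sda3" ino=2753237 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1375904966.857:754): arch=c000003e syscall=4 success=no exit=-13',  # constructed
]


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # Reduce the full contexts (user:role:type:level) to the type component,
    # which is what a policy rule is written against.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(lines):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    for (stype, ttype, tclass, perm), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f'{n:3d}  {stype} -> {ttype}  {tclass}:{perm}')
```

Feeding the full audit.log through summarize() gives the same grouping audit2allow would turn into rules, but as a count table you can read before deciding whether any rule should exist at all.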

#1

Updated by Lukas Zapletal over 10 years ago

  • Status changed from New to Rejected

Hello,

thanks for the report. This is not a bug in Foreman, but in Puppet (master). They both start in mod_passenger I assume in your setup.

This has been fixed already in Rawhide: https://bugzilla.redhat.com/show_bug.cgi?id=848939

LZ
