Bug #3465

AVC denials with Foreman 1.3 on RHEL 6

Added by Jan Pazdziora about 4 years ago. Updated over 3 years ago.

Status:Closed
Priority:Normal
Assigned To:Lukas Zapletal
Category:Packaging
Target version:Foreman - Sprint 20
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points:-
Velocity based estimate:-
Release:1.5.0
Release relationship:Auto

Description

A fresh installation of Foreman from http://yum.theforeman.org/releases/1.3/el6/$basearch on RHEL 6.4 gives the following AVC denials:

type=AVC msg=audit(1382419667.548:274): avc:  denied  { search } for  pid=15804 comm="ruby" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { read } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { open } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.549:275): avc:  denied  { read } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:275): avc:  denied  { open } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:276): avc:  denied  { getattr } for  pid=15804 comm="ruby" path="/sys/devices/system/node/node0/meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.551:277): avc:  denied  { read } for  pid=15804 comm="ruby" name="random" dev=devtmpfs ino=3702 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

or to show it with macros,

dev_list_sysfs(passenger_t)
dev_read_rand(passenger_t)
dev_read_sysfs(passenger_t)

The only passenger booleans I can see are both on:

# getsebool -a | grep passenger
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
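Triage of the denials above as an added example, not code from the report or from the Foreman SELinux module: parse the AVC records, merge them into allow rules the way audit2allow does, and map each denied target type and object class to the interface names the reporter lists. The four sample lines are copied from the report; the interface lookup table is an illustrative assumption keyed only on target type and class.

```python
import re
from collections import defaultdict

# Constructed sample input: four of the AVC records from the report above
# (a real run would read /var/log/audit/audit.log).
AVC_LINES = """\
type=AVC msg=audit(1382419667.548:274): avc:  denied  { search } for  pid=15804 comm="ruby" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { read } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.549:275): avc:  denied  { read } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.551:277): avc:  denied  { read } for  pid=15804 comm="ruby" name="random" dev=devtmpfs ino=3702 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
"""

# Capture the permission set, both security contexts and the object class.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def _type_of(context):
    # user:role:type:level -> type, e.g. unconfined_u:system_r:passenger_t:s0 -> passenger_t
    return context.split(":")[2]

def parse_avc(text):
    # One (source type, target type, class, perms) tuple per denial; other lines are skipped.
    out = []
    for m in filter(None, map(AVC_RE.search, text.splitlines())):
        out.append((_type_of(m["scon"]), _type_of(m["tcon"]), m["tclass"], set(m["perms"].split())))
    return out

def allow_rules(text):
    # Merge permissions per (source, target, class): the aggregation audit2allow performs.
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]

# Interfaces the report names for these denials; a policy module should call these
# instead of shipping raw allow rules. Illustrative lookup (assumption) on target type + class.
INTERFACE_HINTS = {("sysfs_t", "dir"): "dev_list_sysfs",
                   ("sysfs_t", "file"): "dev_read_sysfs",
                   ("random_device_t", "chr_file"): "dev_read_rand"}

def suggest_interfaces(text):
    # Interface call per denied (target, class) pair, or a marker when none is known.
    calls = set()
    for src, tgt, cls, _ in parse_avc(text):
        iface = INTERFACE_HINTS.get((tgt, cls))
        calls.add(f"{iface}({src})" if iface else f"# no interface hint for {tgt}:{cls}")
    return sorted(calls)

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES) + suggest_interfaces(AVC_LINES)))
```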

Related issues

Related to SELinux - Bug #3895: AVC denials from Foreman 1.3 installation Resolved 12/17/2013
Duplicated by SELinux - Bug #4458: AVC denials about name="online" dev=sysfs ino=23 scontext=... Duplicate 02/26/2014

Associated revisions

Revision 2f43f947
Added by Lukas Zapletal over 3 years ago

fixes #3465 - passenger spawns /bin/ps

History

#1 Updated by Dominic Cleal about 4 years ago

  • Project changed from Foreman to SELinux

Does the Foreman app function?

#2 Updated by Jan Pazdziora about 4 years ago

Dominic Cleal wrote:

Does the Foreman app function?

The WebUI seems to function but I really only do the basic login / logout things at this point. I have no idea though if the AVC denials affect for example the facts gathered about the Foreman machine itself, or something similar.

#3 Updated by Dominic Cleal about 4 years ago

  • Priority changed from High to Normal

Thanks, I suspect this is coming from some of the Passenger memory monitoring.

#4 Updated by Lukas Zapletal about 4 years ago

That looks like it, it runs once a day/week or something like that.

#5 Updated by Jan Pazdziora about 4 years ago

In any case, I'd expect no AVC denials to be logged for vanilla installations with no custom modifications.

#6 Updated by Dominic Cleal about 4 years ago

Definitely, it's a valid bug :)

#7 Updated by Dominic Cleal almost 4 years ago

  • Related to Bug #3895: AVC denials from Foreman 1.3 installation added

#8 Updated by Dominic Cleal over 3 years ago

  • Duplicated by Bug #4458: AVC denials about name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file added

#9 Updated by Lukas Zapletal over 3 years ago

  • Category set to Packaging
  • Status changed from New to Ready For Testing
  • Assigned To set to Lukas Zapletal
  • Target version set to Sprint 20

#10 Updated by Dominic Cleal over 3 years ago

  • Release set to 1.5.0

#11 Updated by Anonymous over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
