Bug #3465
AVC denials with Foreman 1.3 on RHEL 6
Status: closed
Description
A fresh installation of Foreman from http://yum.theforeman.org/releases/1.3/el6/$basearch on RHEL 6.4 gives the following AVC denials:
type=AVC msg=audit(1382419667.548:274): avc: denied { search } for pid=15804 comm="ruby" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc: denied { read } for pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc: denied { open } for pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.549:275): avc: denied { read } for pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:275): avc: denied { open } for pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:276): avc: denied { getattr } for pid=15804 comm="ruby" path="/sys/devices/system/node/node0/meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.551:277): avc: denied { read } for pid=15804 comm="ruby" name="random" dev=devtmpfs ino=3702 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
or to show it with macros,
dev_list_sysfs(passenger_t)
dev_read_rand(passenger_t)
dev_read_sysfs(passenger_t)
The only passenger booleans I can see are both on:
# getsebool -a | grep passenger
passenger_run_foreman --> on
passenger_run_puppetmaster --> on
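As an added example (not part of the bug report or of the Foreman project), this Python collapses the audit records quoted above into the raw allow rules audit2allow would emit and maps them onto the three refpolicy interfaces the reporter listed, returning separately any denial that none of them covers. The (target type, object class) coverage of each interface is my reading of refpolicy's kernel/devices.if and is the assumption here.

```python
import re
from collections import defaultdict
# Audit records quoted in the bug description, one per line.
AVC_LINES = [
    'type=AVC msg=audit(1382419667.548:274): avc: denied { search } for pid=15804 comm="ruby" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1382419667.548:274): avc: denied { read } for pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1382419667.548:274): avc: denied { open } for pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir',
    'type=AVC msg=audit(1382419667.549:275): avc: denied { read } for pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1382419667.549:275): avc: denied { open } for pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1382419667.549:276): avc: denied { getattr } for pid=15804 comm="ruby" path="/sys/devices/system/node/node0/meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file',
    'type=AVC msg=audit(1382419667.551:277): avc: denied { read } for pid=15804 comm="ruby" name="random" dev=devtmpfs ino=3702 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
]
# Pull the permission set, source domain, target type and object class out of a record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=\w+:\w+:(?P<sdom>\w+):\S+'
    r'\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)')

# (target type, class) -> refpolicy interface, for the three interfaces named in the
# report; the coverage is my reading of refpolicy's kernel/devices.if (assumption).
MACROS = {
    ('sysfs_t', 'dir'): 'dev_list_sysfs',
    ('sysfs_t', 'file'): 'dev_read_sysfs',
    ('random_device_t', 'chr_file'): 'dev_read_rand',
}

def collapse(lines):
    """Merge records into {(source domain, target type, class): {permissions}}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            rules[(m['sdom'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def allow_rules(rules):
    """Render the collapsed denials as raw allow rules, as audit2allow would."""
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(rules.items())]

def macro_calls(rules):
    """Map each collapsed denial to a known interface; unmapped ones are returned apart."""
    calls, unmatched = set(), []
    for (s, t, c) in rules:
        name = MACROS.get((t, c))
        if name:
            calls.add(f'{name}({s})')
        else:
            unmatched.append((s, t, c))
    return sorted(calls), unmatched
```

Anything that lands in the unmatched list is a denial the reviewed interfaces do not explain and deserves a look before any policy change, rather than being folded into a generated allow rule.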
Updated by Dominic Cleal over 11 years ago
- Project changed from Foreman to SELinux
Does the Foreman app function?
Updated by Jan Pazdziora over 11 years ago
Dominic Cleal wrote:
Does the Foreman app function?
The WebUI seems to function, but I really only do the basic login / logout things at this point. I have no idea though if the AVC denials affect, for example, the facts gathered about the Foreman machine itself, or something similar.
Updated by Dominic Cleal over 11 years ago
- Priority changed from High to Normal
Thanks, I suspect this is coming from some of the Passenger memory monitoring.
Updated by Lukas Zapletal over 11 years ago
That looks like it; it runs once a day/week or something like that.
Updated by Jan Pazdziora over 11 years ago
In any case, I'd expect no AVC denials to be logged for vanilla installations with no custom modifications.
Updated by Dominic Cleal about 11 years ago
- Related to Bug #3895: AVC denials from Foreman 1.3 installation added
Updated by Dominic Cleal almost 11 years ago
- Has duplicate Bug #4458: AVC denials about name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file added
Updated by Lukas Zapletal almost 11 years ago
- Category set to Packaging
- Status changed from New to Ready For Testing
- Assignee set to Lukas Zapletal
- Target version set to 1.9.1
Updated by Dominic Cleal almost 11 years ago
- Release set to 4
Updated by Anonymous almost 11 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 2f43f94780297adc18eb9b4b3eecf5c2f5aa6de6.