Foreman » SELinux

which is prevented by SELinux. This has something to do with selinux users and RHEL6. Discussion is here:

14:56    lzap | dwalsh: https://gist.github.com/lzap/b2c29cd20da2a0d95459
14:57    lzap | dwalsh: mirek told me the other day I see relabelto because the process is touching xattrs most likely. whatever, I'd like to allow that, but
              | my rules do not apply for some reason
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14:58  dwalsh | lzap, You are relabeling a file to system_u:...  You are running as unconfined_u.  THere is a constraint that says you are not allowed to do
              | this unless you have a certain attribute.
14:58  dwalsh | scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0
14:58  dwalsh | Is passenger_t doing a setfilecon?
15:00  dwalsh | lzap, It looks like you ran passenger from an unconfined_u user,
15:00    lzap | oh
15:00    lzap | like started it from shell right?
15:01  dwalsh | lzap, I would not have a problem doing it.  We really do not enforce on user part of the label.
15:01  dwalsh | Did you do a runcon to get the service to start?
15:01    lzap | it was puppet who started that
15:01    lzap | puppet agent
15:01    lzap | but puppet stareted from openstack installer
15:01    lzap | and that was obviously started as root
15:02    lzap | but I'd expect when I'd do service start it would start normally
15:02    lzap | puppet is doing: service httpd start
15:02  dwalsh | is this RHEL6?
15:02    lzap | yes
15:02    lzap | 6.54
15:02    lzap | 6.5
15:03  dwalsh | Well puppet must have been running as unconfined_u which means someone restarted it.
15:03  dwalsh | In RHEL7 this would not be a problem because services would be started via systemd, which would be running as system_u.
15:04  dwalsh | domain_subj_id_change_exemption(passenger_t) would fix the problem. 
15:04  dwalsh | Most of the time passenger_t would run as system_u, since it would be started at boot time.  But if a user did a service restart, then I guess
              | this could happen.
15:05    lzap | so you are telling me that all services which are running under RHEL6 and are confined can go wrong as soon as root restarts them from a shell?
15:06  dwalsh | No only services that attempt to do built in SELinux calls.
15:06  dwalsh | Puppet must be doing a setfiles() call to change the label.
15:07    lzap | ok I will investigate this, but I'd not expect this there
15:07    lzap | it's a ruby app without any selinux support
15:07    lzap | I mean the upstream code
15:07    lzap | and I am not aware of any special handling in our startup scripts or something
15:08  dwalsh | We added selinux support to ruby a few years ago to be used with puppet.
15:08  dwalsh | Search the code for matchpathcon, and setfilecon.