Bug #6115

Denials with nightly

Added by Lukas Zapletal almost 10 years ago. Updated almost 4 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Packaging
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Installed, then executed foreman-debug:

type=AVC msg=audit(1402297207.624:80): avc:  denied  { read write } for  pid=9153 comm="initdb" path="/tmp/puppet20140609-8628-dhgi1u-0" dev=vda3 ino=187315 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1402297207.624:80): avc:  denied  { read write } for  pid=9153 comm="initdb" path="/tmp/puppet20140609-8628-dhgi1u-0" dev=vda3 ino=187315 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1402297356.641:126): avc:  denied  { execute } for  pid=10047 comm="ruby" name="node.rb" dev=vda3 ino=150194 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1402297356.641:126): avc:  denied  { execute_no_trans } for  pid=10047 comm="ruby" path="/etc/puppet/node.rb" dev=vda3 ino=150194 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1402297496.028:130): avc:  denied  { ioctl } for  pid=13735 comm="ping" path="/root/foreman-debug/ping_localhost" dev=vda3 ino=187728 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402297496.031:131): avc:  denied  { ioctl } for  pid=13737 comm="ping" path="/root/foreman-debug/ping_hostname" dev=vda3 ino=187729 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402297496.035:132): avc:  denied  { ioctl } for  pid=13739 comm="ping" path="/root/foreman-debug/ping_hostname_full" dev=vda3 ino=187730 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402297509.661:153): avc:  denied  { ioctl } for  pid=14358 comm="ping" path="/root/nightly-2014060903051402297507/sos_commands/foreman/foreman-debug/ping_localhost" dev=vda3 ino=188381 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402297509.666:154): avc:  denied  { ioctl } for  pid=14360 comm="ping" path="/root/nightly-2014060903051402297507/sos_commands/foreman/foreman-debug/ping_hostname" dev=vda3 ino=188382 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402297509.669:155): avc:  denied  { ioctl } for  pid=14362 comm="ping" path="/root/nightly-2014060903051402297507/sos_commands/foreman/foreman-debug/ping_hostname_full" dev=vda3 ino=188383 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402298342.067:182): avc:  denied  { write } for  pid=15386 comm="logrotate" name="logrotate.status" dev=vda3 ino=21866 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

Some of these belong to foreman-debug.

Actions #1

Updated by Lukas Zapletal almost 10 years ago

  • Category set to Packaging

#============= logrotate_t ==============
files_manage_urandom_seed(logrotate_t)

#============= passenger_t ==============
allow passenger_t puppet_etc_t:file { execute execute_no_trans };

#============= ping_t ==============
userdom_read_admin_home_files(ping_t)

#============= postgresql_t ==============
init_rw_inherited_script_tmp_files(postgresql_t)
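The rules in the comment above are audit2allow -R output: each denial is grouped by (source type, target type, object class), the denied permissions are unioned, and the result is expressed with reference-policy interface macros where one matches. The script below is an added example, not part of this bug report and not Foreman's or audit2allow's code; it reproduces the grouping step over the raw AVC records from the description and renders plain TE allow rules (what audit2allow prints without -R), plus a split by what triggered each denial, to back the "some of these belong to foreman-debug" remark. The sample input is a constructed subset of the records posted above, and the "/foreman-debug/" path test is an assumption of this example, not a rule the project uses. Whether a grouped rule should actually be granted is a separate decision; the grouping only tells you what policy would silence the denial.

```python
import re
from collections import defaultdict

# Constructed input: six of the AVC records posted in this bug, embedded
# verbatim so the script runs offline. The duplicated initdb record is kept
# on purpose to show that identical denials collapse into one rule.
SAMPLE_AVCS = """\
type=AVC msg=audit(1402297207.624:80): avc:  denied  { read write } for  pid=9153 comm="initdb" path="/tmp/puppet20140609-8628-dhgi1u-0" dev=vda3 ino=187315 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1402297207.624:80): avc:  denied  { read write } for  pid=9153 comm="initdb" path="/tmp/puppet20140609-8628-dhgi1u-0" dev=vda3 ino=187315 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1402297356.641:126): avc:  denied  { execute } for  pid=10047 comm="ruby" name="node.rb" dev=vda3 ino=150194 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1402297356.641:126): avc:  denied  { execute_no_trans } for  pid=10047 comm="ruby" path="/etc/puppet/node.rb" dev=vda3 ino=150194 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1402297496.028:130): avc:  denied  { ioctl } for  pid=13735 comm="ping" path="/root/foreman-debug/ping_localhost" dev=vda3 ino=187728 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1402298342.067:182): avc:  denied  { write } for  pid=15386 comm="logrotate" name="logrotate.status" dev=vda3 ino=21866 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    perms = PERMS_RE.search(line)
    serial = SERIAL_RE.search(line)
    if not perms or not serial:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "serial": int(serial.group(2)),
        "perms": perms.group(1).split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        # Some records carry only the basename (name=), others the full path=.
        "path": fields.get("path") or fields.get("name", ""),
    }


def type_of(context):
    """user:role:type[:level] -> type. Works with MLS levels such as
    s0-s0:c0.c1023 because the type is always the third field."""
    return context.split(":")[2]


def collapse_denials(lines):
    """Group denials by (source type, target type, class) and union the
    denied permissions, the same grouping audit2allow applies."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grouped[key].update(rec["perms"])
    return dict(grouped)


def render_allow_rules(grouped):
    """Render grouped denials as raw TE allow rules (audit2allow without -R)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


def attribute_to_component(lines):
    """Map denials to what triggered them. Assumption of this example: a
    denied path under a foreman-debug output directory is the debug tool
    itself; everything else is attributed to comm. Returns audit serials."""
    owners = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        owner = "foreman-debug" if "/foreman-debug/" in rec["path"] else rec["comm"]
        owners[owner].append(rec["serial"])
    return dict(owners)


if __name__ == "__main__":
    lines = SAMPLE_AVCS.splitlines()
    for rule in render_allow_rules(collapse_denials(lines)):
        print(rule)
    print(attribute_to_component(lines))
```

The passenger_t line it prints is identical to the raw rule in the comment above; the other three come out as plain allow rules because this example does not do the interface lookup that turns, for instance, a ping_t read of admin_home_t into userdom_read_admin_home_files(ping_t).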

Actions #2

Updated by Lukas Zapletal almost 4 years ago

  • Status changed from New to Rejected

I am doing a cleanup of old SELinux bug reports. We are removing the puppetmaster policy based on passenger_t; most of these bugs were related to that.
