Bug #11934

Installation fails on RHEL 7.2 beta

Added by Lukas Zapletal about 5 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Category: General Foreman
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Description of problem:

Running foreman-installer started to fail on RHEL 7.2 composes.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-52.el7.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Run foreman-installer.

Actual results:

# [ERROR 2015-09-23 02:33:51 verbose] /Stage[main]/Foreman_proxy::Register/Foreman_smartproxy[foreman.example.com]: Could not evaluate: Proxy foreman.example.com cannot be registered (Could not load data from https://foreman.example.com
# [ INFO 2015-09-23 02:33:51 verbose] - is your server down?
# [ INFO 2015-09-23 02:33:51 verbose] - was rake apipie:cache run when using apipie cache? (typical production settings)): N/A
[...]
# Something went wrong! Check the log for ERROR-level output

Expected results:

No error

Additional info:

AVC denials:

avc: denied { getattr } for pid=23191 comm="httpd" path="/etc/puppet/rack/config.ru" dev="dm-0" ino=815544 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

# sesearch --allow -s httpd_t -t puppet_etc_t
Found 2 semantic av rules:
allow httpd_t file_type : filesystem getattr ;
allow httpd_t file_type : dir { getattr search open } ;

On selinux-policy-3.13.1-49.el7.noarch where things work, sesearch says

Found 4 semantic av rules:
allow httpd_t file_type : filesystem getattr ;
allow httpd_t file_type : dir { getattr search open } ;
allow httpd_t puppet_etc_t : file { ioctl read getattr lock open } ;
allow httpd_t puppet_etc_t : dir { getattr search open } ;
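
The comparison above can be scripted. The following is an added example, not part of the original report or of foreman-selinux: it parses the AVC denial and checks it against each of the two sesearch outputs quoted above. It assumes sesearch was run with the same -s/-t types as the denial, so attribute rules such as file_type already apply to the pair; the function names are hypothetical.

```python
import re

# Sample input constructed from the AVC denial and sesearch outputs quoted in this report.
AVC = ('avc: denied { getattr } for pid=23191 comm="httpd" '
       'path="/etc/puppet/rack/config.ru" dev="dm-0" ino=815544 '
       'scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file')

RULES_52 = """\
allow httpd_t file_type : filesystem getattr ;
allow httpd_t file_type : dir { getattr search open } ;
"""
RULES_49 = RULES_52 + """\
allow httpd_t puppet_etc_t : file { ioctl read getattr lock open } ;
allow httpd_t puppet_etc_t : dir { getattr search open } ;
"""

# Matches both "class perm ;" and "class { perm perm } ;" forms of sesearch output.
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_avc(line):
    """Return (source_type, target_type, tclass, denied_perms) from an AVC line."""
    perms = set(re.search(r"denied\s+\{([^}]*)\}", line).group(1).split())
    # A context is user:role:type:level; the third field is the type.
    stype = re.search(r"scontext=[^:\s]+:[^:\s]+:([^:\s]+)", line).group(1)
    ttype = re.search(r"tcontext=[^:\s]+:[^:\s]+:([^:\s]+)", line).group(1)
    tclass = re.search(r"tclass=(\w+)", line).group(1)
    return stype, ttype, tclass, perms

def parse_rules(sesearch_output):
    """Yield (source, target, class, perms) for each allow rule in the output."""
    for m in RULE_RE.finditer(sesearch_output):
        src, tgt, cls, braced, single = m.groups()
        yield src, tgt, cls, set((braced or single).split())

def missing_perms(avc_line, sesearch_output):
    """Denied permissions that no listed rule grants for the denial's class."""
    _, _, tclass, denied = parse_avc(avc_line)
    granted = set()
    for _, _, cls, perms in parse_rules(sesearch_output):
        if cls == tclass:  # a dir or filesystem rule does not cover a file access
            granted |= perms
    return denied - granted

if __name__ == "__main__":
    for name, rules in (("3.13.1-52", RULES_52), ("3.13.1-49", RULES_49)):
        print(name, "missing:", sorted(missing_perms(AVC, rules)) or "nothing")
```

With the -52 output only the dir and filesystem rules remain, so getattr on class file is reported as missing; with the -49 output nothing is missing.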

Associated revisions

Revision caf0b6c3 (diff)
Added by Lukas Zapletal about 5 years ago

Fixes #11934 - docker rules are in optional block now

History

#1 Updated by The Foreman Bot about 5 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/53 added
  • Pull request deleted ()

#2 Updated by Dominic Cleal about 5 years ago

The foreman-selinux-enable error:

  Installing : foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch                                                  1/1 
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute docker_var_run_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
ValueError: Could not commit semanage transaction
ValueError: Type elasticsearch_port_t is invalid, must be a port type
warning: %post(foreman-selinux-1.10.0-0.develop.201509210827gitd3a9081.el7.noarch) scriptlet failed, exit status 1

#3 Updated by Dominic Cleal about 5 years ago

  • Legacy Backlogs Release (now unused) set to 91

#4 Updated by Anonymous about 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
