Bug #16273

SELinux Preventing Foreman Proxy From Starting

Added by Jason Nance almost 3 years ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Category:
Smart proxy
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Using the foreman-installer options below on a CentOS 7 system that is FreeIPA-joined results in a system where the foreman-proxy service will not start due to SELinux denials.

The SELinux denial is (/var/log/audit/audit.log):

type=AVC msg=audit(1472060581.857:571): avc:  denied  { execmem } for  pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=process

If I change SELinux to permissive or create a module using the above AVC and audit2allow, the proxy starts up fine.

foreman-prepare-realm was run prior to foreman-installer and the keytab copied/chowned/chmoded.

/var/log/foreman-proxy/proxy.log says (with log level set to ERROR):

E, [2016-08-24T11:06:37.947836 #12515] ERROR -- : Error during startup, terminating. ^P|<BC>d<89>^?

The binary bits on the end change every time you attempt to start.

/var/log/foreman-proxy/proxy.log says (with log level set to DEBUG):

D, [2016-08-24T12:39:18.361200 #5987] DEBUG -- : Rack::Handler::WEBrick is mounted on /.
I, [2016-08-24T12:39:18.361334 #5987]  INFO -- : WEBrick::HTTPServer#start: pid=5987 port=9090
I, [2016-08-24T12:40:14.100128 #5987]  INFO -- : going to shutdown ...
I, [2016-08-24T12:40:14.100252 #5987]  INFO -- : WEBrick::HTTPServer#start done.
D, [2016-08-24T12:43:01.274047 #6134] DEBUG -- : 'pulp' settings: 'enabled': https, 'mongodb_dir': /var/lib/mongodb (default), 'pulp_content_dir': /var/lib/pulp/content (default), 'pulp_dir': /var/lib/pulp (default), 'pulp_url': https://katello.tresgeek.org/pulp
D, [2016-08-24T12:43:01.275746 #6134] DEBUG -- : 'openscap' settings: 'contentdir': /var/lib/foreman-proxy/openscap/content, 'enabled': https, 'failed_dir': /var/lib/foreman-proxy/openscap/failed, 'openscap_send_log_file': /var/log/foreman-proxy/openscap-send.log, 'reportsdir': /var/lib/foreman-proxy/openscap/reports, 'spooldir': /var/spool/foreman-proxy/openscap (default)
D, [2016-08-24T12:43:01.277179 #6134] DEBUG -- : 'dynflow' settings: 'console_auth': true (default), 'database': /var/lib/foreman-proxy/dynflow/dynflow.sqlite (default), 'enabled': https
D, [2016-08-24T12:43:01.278562 #6134] DEBUG -- : 'ssh' settings: 'enabled': https, 'local_working_dir': /var/tmp (default), 'remote_working_dir': /var/tmp (default), 'ssh_identity_key_file': /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy, 'ssh_user': root (default)
D, [2016-08-24T12:43:01.281213 #6134] DEBUG -- : 'templates' settings: 'enabled': true, 'template_url': http://katello.tresgeek.org:8000
D, [2016-08-24T12:43:01.282487 #6134] DEBUG -- : 'tftp' settings: 'enabled': https, 'tftproot': /var/lib/tftpboot (default)
D, [2016-08-24T12:43:01.293820 #6134] DEBUG -- : 'puppetca' settings: 'enabled': https, 'puppetdir': /etc/puppet (default), 'ssldir': /var/lib/puppet/ssl (default)
D, [2016-08-24T12:43:01.296520 #6134] DEBUG -- : 'puppet' settings: 'enabled': https, 'puppet_version': 3.8.7, 'use_provider': [:puppet_proxy_legacy]
D, [2016-08-24T12:43:01.318469 #6134] DEBUG -- : 'bmc' settings: 'bmc_default_provider': ipmitool, 'enabled': https
D, [2016-08-24T12:43:01.319993 #6134] DEBUG -- : 'realm' settings: 'enabled': https, 'freeipa_remove_dns': true, 'realm_keytab': /etc/foreman-proxy/freeipa.keytab, 'realm_principal': realm-proxy@TRESGEEK.ORG, 'realm_provider': freeipa (default)
D, [2016-08-24T12:43:01.321260 #6134] DEBUG -- : 'logs' settings: 'enabled': https
D, [2016-08-24T12:43:01.321559 #6134] DEBUG -- : Providers ['puppet_proxy_legacy'] are going to be configured for 'puppet'
D, [2016-08-24T12:43:01.757328 #6134] DEBUG -- : 'puppet_proxy_legacy' settings: 'classes_retriever': cached_legacy_parser, 'environments_retriever': api_v2, 'puppet_conf': /etc/puppet/puppet.conf (default), 'puppet_ssl_ca': /var/lib/puppet/ssl/certs/ca.pem (default), 'puppet_ssl_cert': /var/lib/puppet/ssl/certs/katello.tresgeek.org.pem, 'puppet_ssl_key': /var/lib/puppet/ssl/private_keys/katello.tresgeek.org.pem, 'puppet_url': https://katello.tresgeek.org:8140, 'puppet_version': 3.8.7, 'use_cache': true (default), 'use_provider': [:puppet_proxy_legacy]
I, [2016-08-24T12:43:01.758541 #6134]  INFO -- : Successfully initialized 'pulp'
I, [2016-08-24T12:43:01.758594 #6134]  INFO -- : Successfully initialized 'openscap'
I, [2016-08-24T12:43:01.758633 #6134]  INFO -- : Successfully initialized 'dynflow'
I, [2016-08-24T12:43:01.818792 #6134]  INFO -- : Successfully initialized 'ssh'
I, [2016-08-24T12:43:01.818913 #6134]  INFO -- : Successfully initialized 'foreman_proxy'
I, [2016-08-24T12:43:01.818959 #6134]  INFO -- : Successfully initialized 'templates'
I, [2016-08-24T12:43:01.818999 #6134]  INFO -- : Successfully initialized 'tftp'
I, [2016-08-24T12:43:01.819036 #6134]  INFO -- : Successfully initialized 'puppetca'
I, [2016-08-24T12:43:01.840307 #6134]  INFO -- : Successfully initialized 'puppet_proxy_legacy'
I, [2016-08-24T12:43:01.840429 #6134]  INFO -- : Successfully initialized 'puppet'
I, [2016-08-24T12:43:01.840474 #6134]  INFO -- : Successfully initialized 'bmc'
I, [2016-08-24T12:43:01.840512 #6134]  INFO -- : Successfully initialized 'realm'
D, [2016-08-24T12:43:01.840560 #6134] DEBUG -- : Log buffer API initialized, available capacity: 2000/1000
I, [2016-08-24T12:43:01.840594 #6134]  INFO -- : Successfully initialized 'logs'
E, [2016-08-24T12:43:01.859422 #6134] ERROR -- : Error during startup, terminating. ^P<AC>H<\^?
D, [2016-08-24T12:43:01.859505 #6134] DEBUG -- : ["/usr/share/foreman-proxy/lib/launcher.rb:42:in `instance_eval'", "/usr/share/gems/gems/ffi-1.9.10/lib/ffi/library.rb:263:in `attach_function'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/openscap.rb:37:in `<module:OpenSCAP>'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/openscap.rb:14:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap.rb:12:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/source.rb:12:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/ds/sds.rb:12:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_content_parser.rb:1:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_lib.rb:19:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_api.rb:10:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "(eval):11:in `block (2 levels) in https_app'", "/usr/share/foreman-proxy/lib/launcher.rb:42:in `instance_eval'", "/usr/share/foreman-proxy/lib/launcher.rb:42:in `block (2 levels) in https_app'", "/usr/share/foreman-proxy/lib/launcher.rb:41:in `each'", "/usr/share/foreman-proxy/lib/launcher.rb:41:in `block in https_app'", "/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `instance_eval'", "/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `initialize'", "/usr/share/foreman-proxy/lib/launcher.rb:40:in `new'", "/usr/share/foreman-proxy/lib/launcher.rb:40:in `https_app'", "/usr/share/foreman-proxy/lib/launcher.rb:125:in `launch'", "/usr/share/foreman-proxy/bin/smart-proxy:6:in `<main>'"]
foreman-installer \
  --scenario katello \
  --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-default-hostgroup \
  --enable-foreman-plugin-discovery \
  --enable-foreman-plugin-hooks \
  --enable-foreman-plugin-openscap \
  --enable-foreman-plugin-puppetdb \
  --enable-foreman-plugin-remote-execution \
  --enable-foreman-plugin-setup \
  --enable-foreman-plugin-templates \
  --enable-foreman-proxy-plugin-openscap \
  --enable-foreman-proxy-plugin-remote-execution-ssh \
  --foreman-ipa-authentication true \
  --foreman-ipa-manage-sssd true \
  --foreman-puppetrun true \
  --foreman-plugin-discovery-install-images true \
  --foreman-plugin-openscap-configure-openscap-repo true \
  --foreman-proxy-bmc true \
  --foreman-proxy-logs true \
  --foreman-proxy-realm true \
  --foreman-proxy-realm-principal realm-proxy@DOMAIN.COM \
  --foreman-proxy-templates true \
  --foreman-proxy-tftp true

Related issues

Related to SELinux - Bug #18409: foreman-proxy does not start in 1.14 with SELinux activated (Duplicate)
Related to SELinux - Feature #26520: Allow execmem for passenger due to Ruby FFI (Closed)

Associated revisions

Revision 390a5680 (diff)
Added by Lukas Zapletal 5 months ago

Fixes #16273 - allow execmem

History

#1 Updated by Jason Nance almost 3 years ago

FYI, I did run through the "SELinux denials" section on the Foreman troubleshooting page (without my custom module loaded) including a full relabel of the system.

Results of foreman-debug are at http://debugs.theforeman.org/foreman-debug-1D7Ku.tar.xz.

#2 Updated by Dominic Cleal almost 3 years ago

  • Project changed from Foreman to SELinux
  • Category set to Smart proxy

#3 Updated by Lukas Zapletal almost 3 years ago

Thanks for the report. For the record, the missing rules are:

#============= foreman_proxy_t ==============
allow foreman_proxy_t autofs_t:dir { getattr search };
allow foreman_proxy_t cgroup_t:dir getattr;
allow foreman_proxy_t cgroup_t:filesystem getattr;
allow foreman_proxy_t configfs_t:dir getattr;
allow foreman_proxy_t configfs_t:filesystem getattr;
allow foreman_proxy_t device_t:filesystem getattr;
allow foreman_proxy_t dosfs_t:dir getattr;
allow foreman_proxy_t dosfs_t:filesystem getattr;
allow foreman_proxy_t efivarfs_t:dir getattr;
allow foreman_proxy_t efivarfs_t:filesystem getattr;
allow foreman_proxy_t fs_t:filesystem getattr;
allow foreman_proxy_t httpd_sys_rw_content_t:dir { getattr search };
allow foreman_proxy_t hugetlbfs_t:dir getattr;
allow foreman_proxy_t hugetlbfs_t:filesystem getattr;
allow foreman_proxy_t mongod_var_lib_t:dir getattr;
allow foreman_proxy_t nfsd_fs_t:dir getattr;
allow foreman_proxy_t nfsd_fs_t:filesystem getattr;
allow foreman_proxy_t postfix_etc_t:dir search;
allow foreman_proxy_t pstore_t:dir getattr;
allow foreman_proxy_t pstore_t:filesystem getattr;
allow foreman_proxy_t self:capability fowner;
allow foreman_proxy_t self:key { write setattr };
allow foreman_proxy_t self:process execmem;
allow foreman_proxy_t sssd_var_lib_t:dir search;
allow foreman_proxy_t sysctl_fs_t:dir search;
allow foreman_proxy_t tmpfs_t:filesystem getattr;
allow foreman_proxy_t var_lib_nfs_t:dir search;

Looks like the OpenSCAP plugin's FFI dependency has problems; also something is sniffing around the filesystem, which might also be the new inotify capability. We have a couple of regressions, as SELinux for the proxy is turned off by default.

I will fix the bugs and suggest turning it on by default now.
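The rule list above is what audit2allow produces from records like the AVC quoted in the description. As an added example (not Foreman's or foreman-selinux's code), the script below does the same merging on a few constructed audit lines modelled on that AVC, and separately flags the `execmem` denial, since allowing writable-and-executable anonymous memory for a domain is a mitigation trade-off worth a human review rather than a blanket allow. The sample records and their inode/device fields are constructed, not taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt, modelled on the AVC in the report
# and on the sssd_var_lib_t / self:key rules in the audit2allow output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1472060581.857:571): avc:  denied  { execmem } for  pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=process
type=AVC msg=audit(1472060582.101:572): avc:  denied  { search } for  pid=6134 comm="ruby" name="sss" dev="dm-0" ino=1234 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1472060582.102:573): avc:  denied  { write setattr } for  pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=key
type=SYSCALL msg=audit(1472060581.857:571): arch=c000003e syscall=10 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

# Permissions that relax W^X for the whole domain; review instead of auto-allowing.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

def sel_type(context):
    """system_u:system_r:foreman_proxy_t:s0 -> foreman_proxy_t"""
    return context.split(":")[2]

def parse_avcs(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms))."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        perms = frozenset(m.group("perms").split())
        out.append((sel_type(m.group("scon")), sel_type(m.group("tcon")),
                    m.group("tclass"), perms))
    return out

def to_allow_rules(avcs):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in avcs:
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        tgt = "self" if tgt == src else tgt      # same domain -> 'self', as audit2allow prints it
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

def risky_denials(avcs):
    """Denials whose permissions weaken exploit mitigations (execmem and friends)."""
    return [(src, tgt, tclass, sorted(perms & RISKY_PERMS))
            for src, tgt, tclass, perms in avcs if perms & RISKY_PERMS]
```

Run against a real `/var/log/audit/audit.log` the output of `to_allow_rules` should match what `audit2allow` prints for the same records, and `risky_denials` is the short list to read before loading the module.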

#4 Updated by Lukas Zapletal 5 months ago

For the record, FFI is SELinux-unfriendly; it turns out most FFI applications won't start due to execmem.

#5 Updated by Lukas Zapletal 5 months ago

  • Related to Bug #18409: foreman-proxy does not start in 1.14 with SELinux activated added

#6 Updated by Lukas Zapletal 5 months ago

  • Related to Feature #26520: Allow execmem for passenger due to Ruby FFI added

#7 Updated by The Foreman Bot 5 months ago

  • Assignee set to Lukas Zapletal
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/88 added

#8 Updated by Tomer Brisker 5 months ago

  • Target version set to 1.22.0

#9 Updated by Anonymous 5 months ago

  • Status changed from Ready For Testing to Closed

#10 Updated by Tomer Brisker 4 months ago

  • Fixed in Releases 1.22.0 added
