Bug #16273
SELinux Preventing Foreman Proxy From Starting (closed)
Description
Using the foreman-installer options below on a CentOS 7 system that is FreeIPA-joined results in a system where the foreman-proxy service will not start due to SELinux denials.
The SELinux denial is (/var/log/audit/audit.log):
type=AVC msg=audit(1472060581.857:571): avc: denied { execmem } for pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=process
If I change SELinux to permissive or create a module using the above AVC and audit2allow, the proxy starts up fine.
foreman-prepare-realm was run prior to foreman-installer and the keytab copied/chowned/chmoded.
/var/log/foreman-proxy/proxy.log says (with log level set to ERROR):
E, [2016-08-24T11:06:37.947836 #12515] ERROR -- : Error during startup, terminating. ^P|<BC>d<89>^?
The binary bits on the end change every time you attempt to start.
/var/log/foreman-proxy/proxy.log says (with log level set to DEBUG):
D, [2016-08-24T12:39:18.361200 #5987] DEBUG -- : Rack::Handler::WEBrick is mounted on /.
I, [2016-08-24T12:39:18.361334 #5987] INFO -- : WEBrick::HTTPServer#start: pid=5987 port=9090
I, [2016-08-24T12:40:14.100128 #5987] INFO -- : going to shutdown ...
I, [2016-08-24T12:40:14.100252 #5987] INFO -- : WEBrick::HTTPServer#start done.
D, [2016-08-24T12:43:01.274047 #6134] DEBUG -- : 'pulp' settings: 'enabled': https, 'mongodb_dir': /var/lib/mongodb (default), 'pulp_content_dir': /var/lib/pulp/content (default), 'pulp_dir': /var/lib/pulp (default), 'pulp_url': https://katello.tresgeek.org/pulp
D, [2016-08-24T12:43:01.275746 #6134] DEBUG -- : 'openscap' settings: 'contentdir': /var/lib/foreman-proxy/openscap/content, 'enabled': https, 'failed_dir': /var/lib/foreman-proxy/openscap/failed, 'openscap_send_log_file': /var/log/foreman-proxy/openscap-send.log, 'reportsdir': /var/lib/foreman-proxy/openscap/reports, 'spooldir': /var/spool/foreman-proxy/openscap (default)
D, [2016-08-24T12:43:01.277179 #6134] DEBUG -- : 'dynflow' settings: 'console_auth': true (default), 'database': /var/lib/foreman-proxy/dynflow/dynflow.sqlite (default), 'enabled': https
D, [2016-08-24T12:43:01.278562 #6134] DEBUG -- : 'ssh' settings: 'enabled': https, 'local_working_dir': /var/tmp (default), 'remote_working_dir': /var/tmp (default), 'ssh_identity_key_file': /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy, 'ssh_user': root (default)
D, [2016-08-24T12:43:01.281213 #6134] DEBUG -- : 'templates' settings: 'enabled': true, 'template_url': http://katello.tresgeek.org:8000
D, [2016-08-24T12:43:01.282487 #6134] DEBUG -- : 'tftp' settings: 'enabled': https, 'tftproot': /var/lib/tftpboot (default)
D, [2016-08-24T12:43:01.293820 #6134] DEBUG -- : 'puppetca' settings: 'enabled': https, 'puppetdir': /etc/puppet (default), 'ssldir': /var/lib/puppet/ssl (default)
D, [2016-08-24T12:43:01.296520 #6134] DEBUG -- : 'puppet' settings: 'enabled': https, 'puppet_version': 3.8.7, 'use_provider': [:puppet_proxy_legacy]
D, [2016-08-24T12:43:01.318469 #6134] DEBUG -- : 'bmc' settings: 'bmc_default_provider': ipmitool, 'enabled': https
D, [2016-08-24T12:43:01.319993 #6134] DEBUG -- : 'realm' settings: 'enabled': https, 'freeipa_remove_dns': true, 'realm_keytab': /etc/foreman-proxy/freeipa.keytab, 'realm_principal': realm-proxy@TRESGEEK.ORG, 'realm_provider': freeipa (default)
D, [2016-08-24T12:43:01.321260 #6134] DEBUG -- : 'logs' settings: 'enabled': https
D, [2016-08-24T12:43:01.321559 #6134] DEBUG -- : Providers ['puppet_proxy_legacy'] are going to be configured for 'puppet'
D, [2016-08-24T12:43:01.757328 #6134] DEBUG -- : 'puppet_proxy_legacy' settings: 'classes_retriever': cached_legacy_parser, 'environments_retriever': api_v2, 'puppet_conf': /etc/puppet/puppet.conf (default), 'puppet_ssl_ca': /var/lib/puppet/ssl/certs/ca.pem (default), 'puppet_ssl_cert': /var/lib/puppet/ssl/certs/katello.tresgeek.org.pem, 'puppet_ssl_key': /var/lib/puppet/ssl/private_keys/katello.tresgeek.org.pem, 'puppet_url': https://katello.tresgeek.org:8140, 'puppet_version': 3.8.7, 'use_cache': true (default), 'use_provider': [:puppet_proxy_legacy]
I, [2016-08-24T12:43:01.758541 #6134] INFO -- : Successfully initialized 'pulp'
I, [2016-08-24T12:43:01.758594 #6134] INFO -- : Successfully initialized 'openscap'
I, [2016-08-24T12:43:01.758633 #6134] INFO -- : Successfully initialized 'dynflow'
I, [2016-08-24T12:43:01.818792 #6134] INFO -- : Successfully initialized 'ssh'
I, [2016-08-24T12:43:01.818913 #6134] INFO -- : Successfully initialized 'foreman_proxy'
I, [2016-08-24T12:43:01.818959 #6134] INFO -- : Successfully initialized 'templates'
I, [2016-08-24T12:43:01.818999 #6134] INFO -- : Successfully initialized 'tftp'
I, [2016-08-24T12:43:01.819036 #6134] INFO -- : Successfully initialized 'puppetca'
I, [2016-08-24T12:43:01.840307 #6134] INFO -- : Successfully initialized 'puppet_proxy_legacy'
I, [2016-08-24T12:43:01.840429 #6134] INFO -- : Successfully initialized 'puppet'
I, [2016-08-24T12:43:01.840474 #6134] INFO -- : Successfully initialized 'bmc'
I, [2016-08-24T12:43:01.840512 #6134] INFO -- : Successfully initialized 'realm'
D, [2016-08-24T12:43:01.840560 #6134] DEBUG -- : Log buffer API initialized, available capacity: 2000/1000
I, [2016-08-24T12:43:01.840594 #6134] INFO -- : Successfully initialized 'logs'
E, [2016-08-24T12:43:01.859422 #6134] ERROR -- : Error during startup, terminating. ^P<AC>H<\^?
D, [2016-08-24T12:43:01.859505 #6134] DEBUG -- : [
  "/usr/share/foreman-proxy/lib/launcher.rb:42:in `instance_eval'",
  "/usr/share/gems/gems/ffi-1.9.10/lib/ffi/library.rb:263:in `attach_function'",
  "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/openscap.rb:37:in `<module:OpenSCAP>'",
  "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/openscap.rb:14:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/gems/gems/openscap-0.4.3/lib/openscap.rb:12:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/source.rb:12:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/ds/sds.rb:12:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_content_parser.rb:1:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_lib.rb:19:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_api.rb:10:in `<top (required)>'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'",
  "(eval):11:in `block (2 levels) in https_app'",
  "/usr/share/foreman-proxy/lib/launcher.rb:42:in `instance_eval'",
  "/usr/share/foreman-proxy/lib/launcher.rb:42:in `block (2 levels) in https_app'",
  "/usr/share/foreman-proxy/lib/launcher.rb:41:in `each'",
  "/usr/share/foreman-proxy/lib/launcher.rb:41:in `block in https_app'",
  "/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `instance_eval'",
  "/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `initialize'",
  "/usr/share/foreman-proxy/lib/launcher.rb:40:in `new'",
  "/usr/share/foreman-proxy/lib/launcher.rb:40:in `https_app'",
  "/usr/share/foreman-proxy/lib/launcher.rb:125:in `launch'",
  "/usr/share/foreman-proxy/bin/smart-proxy:6:in `<main>'"]
foreman-installer \
  --scenario katello \
  --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-default-hostgroup \
  --enable-foreman-plugin-discovery \
  --enable-foreman-plugin-hooks \
  --enable-foreman-plugin-openscap \
  --enable-foreman-plugin-puppetdb \
  --enable-foreman-plugin-remote-execution \
  --enable-foreman-plugin-setup \
  --enable-foreman-plugin-templates \
  --enable-foreman-proxy-plugin-openscap \
  --enable-foreman-proxy-plugin-remote-execution-ssh \
  --foreman-ipa-authentication true \
  --foreman-ipa-manage-sssd true \
  --foreman-puppetrun true \
  --foreman-plugin-discovery-install-images true \
  --foreman-plugin-openscap-configure-openscap-repo true \
  --foreman-proxy-bmc true \
  --foreman-proxy-logs true \
  --foreman-proxy-realm true \
  --foreman-proxy-realm-principal realm-proxy@DOMAIN.COM \
  --foreman-proxy-templates true \
  --foreman-proxy-tftp true
Updated by Jason Nance over 8 years ago
FYI, I did run through the "SELinux denials" section on the Foreman troubleshooting page (without my custom module loaded) including a full relabel of the system.
Results of foreman-debug are at http://debugs.theforeman.org/foreman-debug-1D7Ku.tar.xz.
Updated by Dominic Cleal over 8 years ago
- Project changed from Foreman to SELinux
- Category set to Smart proxy
Updated by Lukas Zapletal over 8 years ago
Thanks for the report. For the record, the missing rules are:
#============= foreman_proxy_t ==============
allow foreman_proxy_t autofs_t:dir { getattr search };
allow foreman_proxy_t cgroup_t:dir getattr;
allow foreman_proxy_t cgroup_t:filesystem getattr;
allow foreman_proxy_t configfs_t:dir getattr;
allow foreman_proxy_t configfs_t:filesystem getattr;
allow foreman_proxy_t device_t:filesystem getattr;
allow foreman_proxy_t dosfs_t:dir getattr;
allow foreman_proxy_t dosfs_t:filesystem getattr;
allow foreman_proxy_t efivarfs_t:dir getattr;
allow foreman_proxy_t efivarfs_t:filesystem getattr;
allow foreman_proxy_t fs_t:filesystem getattr;
allow foreman_proxy_t httpd_sys_rw_content_t:dir { getattr search };
allow foreman_proxy_t hugetlbfs_t:dir getattr;
allow foreman_proxy_t hugetlbfs_t:filesystem getattr;
allow foreman_proxy_t mongod_var_lib_t:dir getattr;
allow foreman_proxy_t nfsd_fs_t:dir getattr;
allow foreman_proxy_t nfsd_fs_t:filesystem getattr;
allow foreman_proxy_t postfix_etc_t:dir search;
allow foreman_proxy_t pstore_t:dir getattr;
allow foreman_proxy_t pstore_t:filesystem getattr;
allow foreman_proxy_t self:capability fowner;
allow foreman_proxy_t self:key { write setattr };
allow foreman_proxy_t self:process execmem;
allow foreman_proxy_t sssd_var_lib_t:dir search;
allow foreman_proxy_t sysctl_fs_t:dir search;
allow foreman_proxy_t tmpfs_t:filesystem getattr;
allow foreman_proxy_t var_lib_nfs_t:dir search;
Looks like the OpenSCAP plugin's FFI dependency has problems; also, something is sniffing around the filesystem, which might also be the new inotify capability. We have a couple of regressions, as SELinux for the proxy is turned off by default.
I will fix the bugs and suggest turning it on by default now.
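Triage helper for the AVC quoted in the description and the rule list above, added here as an example (it is not Foreman's, foreman-selinux's or audit2allow's code): it parses AVC records from audit.log, pulls out execmem denials so they can be reviewed on their own, and aggregates the denials into the allow rules audit2allow would print, including the `self` shorthand when source and target type coincide. The sample log is constructed; its first line is the denial from the report, the others are made up.

```python
import re
from collections import defaultdict
# Field layout of an AVC record in /var/log/audit/audit.log.
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:\d+\): avc:\s+(?P<verdict>denied|granted)"
                    r"\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: line 1 is the denial quoted in the report, line 2 is made
# up to exercise a non-self target, line 3 is a non-AVC record that must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1472060581.857:571): avc: denied { execmem } for pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=process
type=AVC msg=audit(1472060582.001:572): avc: denied { getattr search } for pid=6134 comm="ruby" name="/" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:autofs_t:s0 tclass=dir
type=SYSCALL msg=audit(1472060582.001:572): arch=c000003e syscall=4 success=no exit=-13
"""

def parse_avc(line):
    """Return the AVC fields as a dict, or None for records that are not AVCs."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": sorted(m.group("perms").split())}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group("rest")))
    # Reduce user:role:type:level contexts to the type, which rules are written against.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx[0] + "type"] = parts[2] if len(parts) > 2 else None
    return rec

def execmem_denials(lines):
    """execmem = anonymous memory both writable and executable; in a Ruby daemon it
    nearly always comes from FFI or a JIT, so triage these apart from file denials."""
    recs = filter(None, map(parse_avc, lines))
    return [r for r in recs if r["verdict"] == "denied" and "execmem" in r["perms"]]

def te_rules(lines):
    """Aggregate denials into the allow rules that audit2allow would print."""
    wanted = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        if rec["verdict"] != "denied" or not rec["stype"]:
            continue
        # Identical source and target type collapses to the 'self' keyword.
        target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
        wanted[(rec["stype"], target, rec["tclass"])].update(rec["perms"])
    def fmt(perms):
        p = sorted(perms)
        return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
    return [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(wanted.items())]

if __name__ == "__main__":
    print("\n".join(te_rules(SAMPLE_AUDIT_LOG.splitlines())))
```

Run against a real audit.log, the execmem hits are the ones to check against the process's known FFI/JIT use before any rule is granted; the remaining rules should match the relevant block of `audit2allow -a` output.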
Updated by Lukas Zapletal over 5 years ago
For the record, FFI is SELinux-unfriendly; it turns out most FFI applications won't start due to execmem.
Updated by Lukas Zapletal over 5 years ago
- Related to Bug #18409: foreman-proxy does not start in 1.14 with SELinux activated added
Updated by Lukas Zapletal over 5 years ago
- Related to Feature #26520: Allow execmem for passenger due to Ruby FFI added
Updated by The Foreman Bot over 5 years ago
- Status changed from New to Ready For Testing
- Assignee set to Lukas Zapletal
- Pull request https://github.com/theforeman/foreman-selinux/pull/88 added
Updated by Anonymous over 5 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 390a56806d400b69249af775943787c8741ddcce.