Bug #16273
SELinux Preventing Foreman Proxy From Starting

Added by Jason Nance over 8 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: Smart proxy
Target version:
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Using the foreman-installer options below on a CentOS 7 system that is FreeIPA-joined results in a system where the foreman-proxy service will not start due to SELinux denials.

The SELinux denial is (/var/log/audit/audit.log):

type=AVC msg=audit(1472060581.857:571): avc:  denied  { execmem } for  pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=process

If I change SELinux to permissive or create a module using the above AVC and audit2allow, the proxy starts up fine.

foreman-prepare-realm was run prior to foreman-installer and the keytab copied/chowned/chmoded.

/var/log/foreman-proxy/proxy.log says (with log level set to ERROR):

E, [2016-08-24T11:06:37.947836 #12515] ERROR -- : Error during startup, terminating. ^P|<BC>d<89>^?

The binary bits on the end change every time you attempt to start.

/var/log/foreman-proxy/proxy.log says (with log level set to DEBUG):

D, [2016-08-24T12:39:18.361200 #5987] DEBUG -- : Rack::Handler::WEBrick is mounted on /.
I, [2016-08-24T12:39:18.361334 #5987]  INFO -- : WEBrick::HTTPServer#start: pid=5987 port=9090
I, [2016-08-24T12:40:14.100128 #5987]  INFO -- : going to shutdown ...
I, [2016-08-24T12:40:14.100252 #5987]  INFO -- : WEBrick::HTTPServer#start done.
D, [2016-08-24T12:43:01.274047 #6134] DEBUG -- : 'pulp' settings: 'enabled': https, 'mongodb_dir': /var/lib/mongodb (default), 'pulp_content_dir': /var/lib/pulp/content (default), 'pulp_dir': /var/lib/pulp (default), 'pulp_url': https://katello.tresgeek.org/pulp
D, [2016-08-24T12:43:01.275746 #6134] DEBUG -- : 'openscap' settings: 'contentdir': /var/lib/foreman-proxy/openscap/content, 'enabled': https, 'failed_dir': /var/lib/foreman-proxy/openscap/failed, 'openscap_send_log_file': /var/log/foreman-proxy/openscap-send.log, 'reportsdir': /var/lib/foreman-proxy/openscap/reports, 'spooldir': /var/spool/foreman-proxy/openscap (default)
D, [2016-08-24T12:43:01.277179 #6134] DEBUG -- : 'dynflow' settings: 'console_auth': true (default), 'database': /var/lib/foreman-proxy/dynflow/dynflow.sqlite (default), 'enabled': https
D, [2016-08-24T12:43:01.278562 #6134] DEBUG -- : 'ssh' settings: 'enabled': https, 'local_working_dir': /var/tmp (default), 'remote_working_dir': /var/tmp (default), 'ssh_identity_key_file': /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy, 'ssh_user': root (default)
D, [2016-08-24T12:43:01.281213 #6134] DEBUG -- : 'templates' settings: 'enabled': true, 'template_url': http://katello.tresgeek.org:8000
D, [2016-08-24T12:43:01.282487 #6134] DEBUG -- : 'tftp' settings: 'enabled': https, 'tftproot': /var/lib/tftpboot (default)
D, [2016-08-24T12:43:01.293820 #6134] DEBUG -- : 'puppetca' settings: 'enabled': https, 'puppetdir': /etc/puppet (default), 'ssldir': /var/lib/puppet/ssl (default)
D, [2016-08-24T12:43:01.296520 #6134] DEBUG -- : 'puppet' settings: 'enabled': https, 'puppet_version': 3.8.7, 'use_provider': [:puppet_proxy_legacy]
D, [2016-08-24T12:43:01.318469 #6134] DEBUG -- : 'bmc' settings: 'bmc_default_provider': ipmitool, 'enabled': https
D, [2016-08-24T12:43:01.319993 #6134] DEBUG -- : 'realm' settings: 'enabled': https, 'freeipa_remove_dns': true, 'realm_keytab': /etc/foreman-proxy/freeipa.keytab, 'realm_principal': realm-proxy@TRESGEEK.ORG, 'realm_provider': freeipa (default)
D, [2016-08-24T12:43:01.321260 #6134] DEBUG -- : 'logs' settings: 'enabled': https
D, [2016-08-24T12:43:01.321559 #6134] DEBUG -- : Providers ['puppet_proxy_legacy'] are going to be configured for 'puppet'
D, [2016-08-24T12:43:01.757328 #6134] DEBUG -- : 'puppet_proxy_legacy' settings: 'classes_retriever': cached_legacy_parser, 'environments_retriever': api_v2, 'puppet_conf': /etc/puppet/puppet.conf (default), 'puppet_ssl_ca': /var/lib/puppet/ssl/certs/ca.pem (default), 'puppet_ssl_cert': /var/lib/puppet/ssl/certs/katello.tresgeek.org.pem, 'puppet_ssl_key': /var/lib/puppet/ssl/private_keys/katello.tresgeek.org.pem, 'puppet_url': https://katello.tresgeek.org:8140, 'puppet_version': 3.8.7, 'use_cache': true (default), 'use_provider': [:puppet_proxy_legacy]
I, [2016-08-24T12:43:01.758541 #6134]  INFO -- : Successfully initialized 'pulp'
I, [2016-08-24T12:43:01.758594 #6134]  INFO -- : Successfully initialized 'openscap'
I, [2016-08-24T12:43:01.758633 #6134]  INFO -- : Successfully initialized 'dynflow'
I, [2016-08-24T12:43:01.818792 #6134]  INFO -- : Successfully initialized 'ssh'
I, [2016-08-24T12:43:01.818913 #6134]  INFO -- : Successfully initialized 'foreman_proxy'
I, [2016-08-24T12:43:01.818959 #6134]  INFO -- : Successfully initialized 'templates'
I, [2016-08-24T12:43:01.818999 #6134]  INFO -- : Successfully initialized 'tftp'
I, [2016-08-24T12:43:01.819036 #6134]  INFO -- : Successfully initialized 'puppetca'
I, [2016-08-24T12:43:01.840307 #6134]  INFO -- : Successfully initialized 'puppet_proxy_legacy'
I, [2016-08-24T12:43:01.840429 #6134]  INFO -- : Successfully initialized 'puppet'
I, [2016-08-24T12:43:01.840474 #6134]  INFO -- : Successfully initialized 'bmc'
I, [2016-08-24T12:43:01.840512 #6134]  INFO -- : Successfully initialized 'realm'
D, [2016-08-24T12:43:01.840560 #6134] DEBUG -- : Log buffer API initialized, available capacity: 2000/1000
I, [2016-08-24T12:43:01.840594 #6134]  INFO -- : Successfully initialized 'logs'
E, [2016-08-24T12:43:01.859422 #6134] ERROR -- : Error during startup, terminating. ^P<AC>H<\^?
D, [2016-08-24T12:43:01.859505 #6134] DEBUG -- : ["/usr/share/foreman-proxy/lib/launcher.rb:42:in `instance_eval'", "/usr/share/gems/gems/ffi-1.9.10/lib/ffi/library.rb:263:in `attach_function'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/openscap.rb:37:in `<module:OpenSCAP>'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/openscap.rb:14:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap.rb:12:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/source.rb:12:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/openscap-0.4.3/lib/openscap/ds/sds.rb:12:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_content_parser.rb:1:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_lib.rb:19:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "/usr/share/gems/gems/smart_proxy_openscap-0.5.4/lib/smart_proxy_openscap/openscap_api.rb:10:in `<top (required)>'", "/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", 
"/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'", "(eval):11:in `block (2 levels) in https_app'", "/usr/share/foreman-proxy/lib/launcher.rb:42:in `instance_eval'", "/usr/share/foreman-proxy/lib/launcher.rb:42:in `block (2 levels) in https_app'", "/usr/share/foreman-proxy/lib/launcher.rb:41:in `each'", "/usr/share/foreman-proxy/lib/launcher.rb:41:in `block in https_app'", "/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `instance_eval'", "/usr/share/gems/gems/rack-1.6.4/lib/rack/builder.rb:55:in `initialize'", "/usr/share/foreman-proxy/lib/launcher.rb:40:in `new'", "/usr/share/foreman-proxy/lib/launcher.rb:40:in `https_app'", "/usr/share/foreman-proxy/lib/launcher.rb:125:in `launch'", "/usr/share/foreman-proxy/bin/smart-proxy:6:in `<main>'"]
foreman-installer \
  --scenario katello \
  --enable-foreman-plugin-bootdisk \
  --enable-foreman-plugin-default-hostgroup \
  --enable-foreman-plugin-discovery \
  --enable-foreman-plugin-hooks \
  --enable-foreman-plugin-openscap \
  --enable-foreman-plugin-puppetdb \
  --enable-foreman-plugin-remote-execution \
  --enable-foreman-plugin-setup \
  --enable-foreman-plugin-templates \
  --enable-foreman-proxy-plugin-openscap \
  --enable-foreman-proxy-plugin-remote-execution-ssh \
  --foreman-ipa-authentication true \
  --foreman-ipa-manage-sssd true \
  --foreman-puppetrun true \
  --foreman-plugin-discovery-install-images true \
  --foreman-plugin-openscap-configure-openscap-repo true \
  --foreman-proxy-bmc true \
  --foreman-proxy-logs true \
  --foreman-proxy-realm true \
  --foreman-proxy-realm-principal realm-proxy@DOMAIN.COM \
  --foreman-proxy-templates true \
  --foreman-proxy-tftp true
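The report above resolves the denial by feeding the AVC record to audit2allow, which produces a rule granting the whole foreman_proxy_t domain the execmem permission. The following is an added example, not code from the Foreman project or from the reporter: a small Ruby AVC parser that turns an audit.log record into the same type-enforcement rule audit2allow would emit, and flags permissions (execmem, execstack, execheap, execmod) that let a confined process map writable and executable memory. The only input it uses is the AVC line quoted in this report, embedded as a constructed sample; the helper names are this example's own.

```ruby
# Added example (not from the Foreman project or the bug reporter): parse an
# SELinux AVC denial record and derive the minimal type-enforcement allow rule
# that audit2allow would generate, flagging permissions that weaken W^X.

# Constructed sample: the AVC record quoted in this bug report.
AVC_SAMPLE = 'type=AVC msg=audit(1472060581.857:571): avc:  denied  { execmem } for  pid=6134 comm="ruby" scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:system_r:foreman_proxy_t:s0 tclass=process'

# Permissions that let a confined domain create writable+executable memory.
# Granting any of them to a network-facing service is a security regression,
# not just a "make it start" fix, so a triage tool should call them out.
RISKY_PERMS = %w[execmem execstack execheap execmod].freeze

AVC_RE = /\bavc:\s+(?<verdict>denied|granted)\s+\{\s*(?<perms>[^}]+?)\s*\}\s+for\s+(?<kv>.*)/

# Returns a Hash describing the record, or nil if the line is not an AVC record.
def parse_avc(line)
  m = AVC_RE.match(line)
  return nil unless m
  # key=value pairs; comm is quoted in audit.log, everything else is bare.
  fields = m[:kv].scan(/(\w+)=("[^"]*"|\S+)/).map { |k, v| [k, v.delete('"')] }.to_h
  {
    verdict:  m[:verdict],
    perms:    m[:perms].split,
    pid:      fields['pid'] && fields['pid'].to_i,
    comm:     fields['comm'],
    scontext: fields['scontext'],
    tcontext: fields['tcontext'],
    tclass:   fields['tclass'],
    # user:role:type:level -> the type is the third component.
    stype:    fields['scontext'].to_s.split(':')[2],
    ttype:    fields['tcontext'].to_s.split(':')[2],
  }
end

# Builds the TE rule audit2allow would emit. When source and target types are
# the same domain, policy language writes the target as "self".
def allow_rule(avc)
  target = avc[:stype] == avc[:ttype] ? 'self' : avc[:ttype]
  perms  = avc[:perms].size == 1 ? avc[:perms].first : "{ #{avc[:perms].join(' ')} }"
  "allow #{avc[:stype]} #{target}:#{avc[:tclass]} #{perms};"
end

# Subset of the denied permissions that bypass W^X memory protections.
def risky_perms(avc)
  avc[:perms] & RISKY_PERMS
end

# Triage a whole audit log: one entry per denial with its rule and risk flags.
def triage(log_text)
  log_text.each_line.map { |l| parse_avc(l) }.compact
          .select { |a| a[:verdict] == 'denied' }
          .map { |a| { rule: allow_rule(a), risky: risky_perms(a), comm: a[:comm], pid: a[:pid] } }
end

if __FILE__ == $PROGRAM_NAME
  triage(AVC_SAMPLE).each do |t|
    puts "#{t[:comm]}[#{t[:pid]}]: #{t[:rule]}"
    puts "  WARNING: grants #{t[:risky].join(', ')} (disables W^X for the whole domain)" unless t[:risky].empty?
  end
end
```

Run against the record in this report the script prints `allow foreman_proxy_t self:process execmem;` with a warning, which is exactly the rule an audit2allow module would install. The backtrace above ends in the ffi gem's `attach_function` while loading the openscap gem, so the execmem requirement comes from a dependency of the smart_proxy_openscap plugin rather than from foreman-proxy itself; a custom module that grants execmem to foreman_proxy_t therefore widens the domain for every plugin, which is why this should be treated as a policy decision (see the related issues below) and not a routine audit2allow fix.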

Related issues (2: 0 open, 2 closed)

Related to SELinux - Bug #18409: foreman-proxy does not start in 1.14 with SELinux activated (Duplicate)
Related to SELinux - Feature #26520: Allow execmem for passenger due to Ruby FFI (Closed; assignee: Lukas Zapletal)