Project

General

Profile

Actions

Bug #16513

closed

Foreman app is denied connecting to Puppet Master

Added by Lukas Zapletal about 8 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
General Foreman
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Regression in audit, this happens during/after installation:

type=SYSCALL msg=audit(1472804428.713:506): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=1da4130 a2=10 a3=7ffde886c350 items=0 ppid=19686 pid=20065 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1472804428.713:506): avc:  denied  { name_connect } for  pid=20065 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

I don't know what causes this, Puppet Environment import works fine. Could be wrong ordering in the installer.


Related issues 1 (0 open1 closed)

Has duplicate SELinux - Bug #17711: Passenger can't connect to puppet portDuplicate12/16/2016Actions
Actions #1

Updated by Dominic Cleal about 8 years ago

That's unlikely to be Foreman, all it shows is that the context is passenger_t. It's more likely to be Passenger itself (prestart) when using an old Rack-based master.

Actions #2

Updated by Mirko Schmidt about 8 years ago

Hi Lukas,

As I hit that issue in Katello 3.1/Foreman 1.12.4 and Satellite 6.2.4, too, I wanted to give a hint to anyone else how to resolv this. Even that everything seemed to work as expected but one never knows. I hope that helps.

1.) One way would be to allow Passenger to connect to all ports, but that's not what I wanted. Just enable the following boolean if that's OK for you:

# getsebool passenger_can_connect_all
passenger_can_connect_all --> off

2.) The other way that worked for me was to create a custom selinux module to allow Passenger the connection with tcp/8140.

# cat allow_passenger_puppet_port.te

module allow_passenger_puppet_port 1.0;

require {
        type puppet_port_t;
        type passenger_t;
        class tcp_socket name_connect;
}

#============= passenger_t ==============

#!!!! This avc is allowed in the current policy
allow passenger_t puppet_port_t:tcp_socket name_connect;

Best regards

Actions #3

Updated by Dominic Cleal almost 8 years ago

  • Has duplicate Bug #17711: Passenger can't connect to puppet port added
Actions #4

Updated by Daniel Kimsey almost 8 years ago

I also ran into this issue with my Katello 3.1 installation.

Rather than granting all port access, I used semanage to label the requested port to something passenger could connect to.

semanage port -m -t http_port_t -p tcp 8140
Actions #5

Updated by Lukas Zapletal over 4 years ago

  • Status changed from New to Resolved

Implemented some time ago.

Actions

Also available in: Atom PDF