Bug #17711

closed

Passenger can't connect to puppet port

Added by Jason Nance almost 8 years ago. Updated almost 8 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When starting TFM the following error is seen in /var/log/httpd/error_log:

App 12275 stdout:
/usr/share/passenger/helper-scripts/prespawn:111:in `initialize': Permission denied - connect(2) (Errno::EACCES)
        from /usr/share/passenger/helper-scripts/prespawn:111:in `new'
        from /usr/share/passenger/helper-scripts/prespawn:111:in `connect'
        from /usr/share/passenger/helper-scripts/prespawn:120:in `connect'
        from /usr/share/passenger/helper-scripts/prespawn:87:in `socket'
        from /usr/share/passenger/helper-scripts/prespawn:91:in `head_request'
        from /usr/share/passenger/helper-scripts/prespawn:153:in `<main>'

The following AVC is also printed in /var/log/audit/audit.log:

type=AVC msg=audit(1481902174.381:984): avc:  denied  { name_connect } for  pid=12281 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

This is on EL 7.3 with the following packages:

candlepin-selinux-0.9.54.6-1.el7.noarch
foreman-selinux-1.13.2-1.el7.noarch
katello.ipa.centric.lab-puppet-client-1.0-1.noarch
katello-selinux-3.0.1-1.el7.noarch
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-ruby-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
mod_passenger-4.0.53-4.el7.x86_64
passenger-4.0.53-4.el7.x86_64
pulp-puppet-plugins-2.9.3-1.el7.noarch
pulp-puppet-tools-2.9.3-1.el7.noarch
pulp-selinux-2.9.3-1.el7.noarch
puppet-3.8.7-1.el7.noarch
puppetlabs-release-22.0-2.noarch
puppet-server-3.8.7-1.el7.noarch
python-pulp-puppet-common-2.9.3-1.el7.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
tfm-rubygem-passenger-4.0.18-9.11.el7.x86_64
tfm-rubygem-passenger-native-4.0.18-9.11.el7.x86_64
tfm-rubygem-passenger-native-libs-4.0.18-9.11.el7.x86_64

Setting 'passenger_can_connect_all' on makes this go away as a broad workaround.


Related issues 1 (0 open, 1 closed)

Is duplicate of SELinux - Bug #16513: Foreman app is denied connecting to Puppet Master (Resolved)