Bug #17711
Passenger can't connect to puppet port (closed)
Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Description
When starting TFM the following error is seen in /var/log/httpd/error_log:
App 12275 stdout: /usr/share/passenger/helper-scripts/prespawn:111:in `initialize': Permission denied - connect(2) (Errno::EACCES)
    from /usr/share/passenger/helper-scripts/prespawn:111:in `new'
    from /usr/share/passenger/helper-scripts/prespawn:111:in `connect'
    from /usr/share/passenger/helper-scripts/prespawn:120:in `connect'
    from /usr/share/passenger/helper-scripts/prespawn:87:in `socket'
    from /usr/share/passenger/helper-scripts/prespawn:91:in `head_request'
    from /usr/share/passenger/helper-scripts/prespawn:153:in `<main>'
The following AVC is also printed in /var/log/audit/audit.log:
type=AVC msg=audit(1481902174.381:984): avc: denied { name_connect } for pid=12281 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
This is on EL 7.3 with the following packages:
candlepin-selinux-0.9.54.6-1.el7.noarch
foreman-selinux-1.13.2-1.el7.noarch
katello.ipa.centric.lab-puppet-client-1.0-1.noarch
katello-selinux-3.0.1-1.el7.noarch
libselinux-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-ruby-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
mod_passenger-4.0.53-4.el7.x86_64
passenger-4.0.53-4.el7.x86_64
pulp-puppet-plugins-2.9.3-1.el7.noarch
pulp-puppet-tools-2.9.3-1.el7.noarch
pulp-selinux-2.9.3-1.el7.noarch
puppet-3.8.7-1.el7.noarch
puppetlabs-release-22.0-2.noarch
puppet-server-3.8.7-1.el7.noarch
python-pulp-puppet-common-2.9.3-1.el7.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
tfm-rubygem-passenger-4.0.18-9.11.el7.x86_64
tfm-rubygem-passenger-native-4.0.18-9.11.el7.x86_64
tfm-rubygem-passenger-native-libs-4.0.18-9.11.el7.x86_64
Setting 'passenger_can_connect_all' on makes this go away as a broad workaround.
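
For comparison with the broad boolean, the AVC record above can be reduced to the single type-enforcement rule it corresponds to. This is an added example, not part of the original report or of the project's SELinux policy; the function names are hypothetical and the SYSCALL line in the sample is constructed.

```python
import re
from collections import defaultdict

# First record is the AVC from the report; the SYSCALL record is constructed
# here to show that non-AVC lines are skipped.
SAMPLE_LOG = '''\
type=AVC msg=audit(1481902174.381:984): avc: denied { name_connect } for pid=12281 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1481902174.381:984): arch=c000003e syscall=42 success=no exit=-13 comm="ruby"
'''

AVC_RE = re.compile(r'type=AVC\s.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m.group('perms').split(),
        'source': selinux_type(fields['scontext']),
        'target': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'dest': fields.get('dest'),
    }

def narrow_rules(log_text):
    """Group denials and emit one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    print('\n'.join(narrow_rules(SAMPLE_LOG)))
```

The emitted rule covers only passenger_t connecting to ports labelled puppet_port_t, whereas the boolean lifts the restriction for every port.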