Bug #18409

foreman-proxy does not start in 1.14 with SELinux activated

Added by Yvan Broccard over 4 years ago. Updated over 2 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Smart proxy
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Since upgrading foreman + foreman-proxy from 1.13 to 1.14, the foreman-proxy does not start anymore when SELinux is enabled. It reports an error with DHCP.

The foreman-proxy log says:
I, [2017-02-06T16:32:50.931097 ] INFO -- : Successfully initialized 'foreman_proxy'
I, [2017-02-06T16:32:50.931428 ] INFO -- : Successfully initialized 'dns_nsupdate'
I, [2017-02-06T16:32:50.931480 ] INFO -- : Successfully initialized 'dns'
I, [2017-02-06T16:32:50.931520 ] INFO -- : Successfully initialized 'tftp'
E, [2017-02-06T16:32:50.960539 ] ERROR -- : Couldn't enable 'dhcp_isc': ��p$

The SELinux audit log reports that:
audit2allow < /var/log/audit/audit.log

#============= foreman_proxy_t ==============
allow foreman_proxy_t self:process execmem;

#============= logrotate_t ==============
allow logrotate_t systemd_unit_file_t:service stop;

#============= websockify_t ==============
allow websockify_t cert_t:file { getattr open read };

Attachment: avc.txt (17.7 KB), Yvan Broccard, 02/08/2017 05:18 AM

Related issues

Related to SELinux - Bug #16273: SELinux Preventing Foreman Proxy From Starting (Closed)

History

#1 Updated by Yvan Broccard over 4 years ago

This could be found as well in the log:

E, [2017-02-06T16:32:50.960539 ] ERROR -- : Couldn't enable 'dhcp_isc': P<FC><85>p$?
E, [2017-02-06T16:32:50.960710 ] ERROR -- : Error during startup, terminating. Dependency 'leases_observer' is undefined

#2 Updated by Dominic Cleal over 4 years ago

  • Project changed from Foreman to SELinux
  • Category changed from 56 to Smart proxy

If you have a copy of the original AVCs (rather than policy), it'd be appreciated.

#3 Updated by Yvan Broccard over 4 years ago

Here are the AVC errors caught in the audit.log, with 3 lines of context around.

Cheers

#4 Updated by Lukas Zapletal over 2 years ago

  • Triaged changed from No to Yes
  • Status changed from New to Duplicate

Dupe of #16273, we are going to fix this now.

#5 Updated by Lukas Zapletal over 2 years ago

  • Related to Bug #16273: SELinux Preventing Foreman Proxy From Starting added
