Support #24616

closed

Passenger does not transition into passenger_t domain

Added by Alex Kinneer about 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
Triaged: No
Fixed in Releases:

Description

Steps:
1. Minimal install of CentOS 7.4, with SELinux enabled
2. sudo yum -y install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
3. sudo yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
4. sudo yum -y install https://yum.theforeman.org/releases/1.18/el7/x86_64/foreman-release.rpm
5. sudo yum -y install foreman-installer
6. Place foreman-answers.yaml file -- foreman-selinux param is left as default (undef), database parameters are configured to point to an external host with postgresql already installed and running.
7. foreman-installer

Among the output will be the following, but the installer does not fail and reports everything is ready upon completion:
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
foreman: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
OSError: No such file or directory
ValueError: Type foreman_container_port_t is invalid, must be a port type

8. Attempt to connect to web UI, receive the following error dump:
could not connect to server: Permission denied
    Is the server running on host "<HOST>" (<IP>) and accepting
    TCP/IP connections on port 5432?
 (PG::ConnectionBad)
  /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `initialize'
  /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `new'
  /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `connect'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:697:in `connect'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:221:in `initialize'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `new'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `postgresql_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:759:in `new_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:803:in `checkout_new_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:782:in `try_to_checkout_new_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:743:in `acquire_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:500:in `checkout'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:374:in `connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:931:in `retrieve_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:116:in `retrieve_connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:88:in `connection'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:20:in `table_exists?'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:24:in `create_table'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/migration.rb:1125:in `initialize'
  /usr/share/foreman/app/registries/foreman/plugin.rb:321:in `new'
  /usr/share/foreman/app/registries/foreman/plugin.rb:321:in `pending_migrations'
  /usr/share/foreman/app/registries/foreman/plugin.rb:265:in `permission'
  /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:50:in `block (3 levels) in <class:Engine>'
  /usr/share/foreman/app/registries/foreman/plugin.rb:249:in `instance_eval'
  /usr/share/foreman/app/registries/foreman/plugin.rb:249:in `security_block'
  /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:49:in `block (2 levels) in <class:Engine>'
  /usr/share/foreman/app/registries/foreman/plugin.rb:72:in `instance_eval'
  /usr/share/foreman/app/registries/foreman/plugin.rb:72:in `register'
  /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:45:in `block in <class:Engine>'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `instance_exec'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `run'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:59:in `block in run_initializers'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:228:in `block in tsort_each'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:350:in `block (2 levels) in each_strongly_connected_component'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:431:in `each_strongly_connected_component_from'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:349:in `block in each_strongly_connected_component'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `call'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each_strongly_connected_component'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:226:in `tsort_each'
  /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:205:in `tsort_each'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:58:in `run_initializers'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/application.rb:353:in `initialize!'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `public_send'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `method_missing'
  /usr/share/foreman/config/environment.rb:5:in `<top (required)>'
  /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
  /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
  config.ru:5:in `block in <main>'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `instance_eval'
  /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `initialize'
  config.ru:1:in `new'
  config.ru:1:in `<main>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'

9. Install postgresql client and test same connection parameters manually: database connect is successful.

Workaround:
1. setenforce 0
2. Reload web UI page -- now loads successfully.

audit.log shows numerous errors, of the following three types:

type=AVC msg=audit(1534268634.110:304): avc:  denied  { name_connect } for  pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1534268634.110:304): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7620c90 a2=10 a3=7ffd64da5198 items=0 ppid=1847 pid=1848 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby24/root/usr/bin/ruby" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262
type=AVC msg=audit(1534268634.245:305): avc:  denied  { fowner } for  pid=1858 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1534268634.245:305): arch=c000003e syscall=268 success=no exit=-1 a0=ffffffffffffff9c a1=1309120 a2=1c0 a3=7ffeca864ba0 items=0 ppid=903 pid=1858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1534268634.348:315): avc:  denied  { block_suspend } for  pid=903 comm="PassengerHelper" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=SYSCALL msg=audit(1534268634.348:315): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=500000014 a3=12dc440 items=0 ppid=899 pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/libexec/passenger/PassengerHelperAgent" subj=system_u:system_r:httpd_t:s0 key=(null)

I believe this is a recent regression, as it was working as recently as last Friday with 1.17 (a current install of 1.17 following exact same previously successful steps now fails).


Files

foreman_setup.log foreman_setup.log 209 KB Output from "foreman-installer -v" Alex Kinneer, 08/27/2018 03:01 PM
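
An added example, not part of the original report or of Foreman's code: a small parser that reads the AVC records quoted in the description, joins each to its PROCTITLE record by event id, and lists the denials raised by Passenger processes whose source domain is still httpd_t. The function names are illustrative; the sample records are the ones from the report, with the SYSCALL lines left out.

```python
import re

# Records copied from the audit.log excerpt in the report (SYSCALL lines omitted).
SAMPLE = """\
type=AVC msg=audit(1534268634.110:304): avc:  denied  { name_connect } for  pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262
type=AVC msg=audit(1534268634.245:305): avc:  denied  { fowner } for  pid=1858 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1534268634.348:315): avc:  denied  { block_suspend } for  pid=903 comm="PassengerHelper" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<event>[\d.:]+)\): avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]+)".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')
TITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\((?P<event>[\d.:]+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)')


def decode_proctitle(hexstr):
    """Decode a hex proctitle; argv elements are NUL-separated, shown here with spaces."""
    return bytes.fromhex(hexstr).replace(b"\x00", b" ").decode("utf-8", "replace")


def parse_denials(text):
    """Return one dict per AVC denial, joined to its PROCTITLE by audit event id."""
    titles = {m["event"]: decode_proctitle(m["hex"]) for m in TITLE_RE.finditer(text)}
    return [{
        "event": m["event"],
        "comm": m["comm"],
        "perms": m["perms"].split(),
        "source": m["scon"].split(":")[2],  # user:role:type:level -> type
        "target": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
        "proctitle": titles.get(m["event"], ""),
    } for m in AVC_RE.finditer(text)]


def passenger_in_wrong_domain(denials, actual="httpd_t"):
    """Denials from Passenger processes still labelled with the web server's domain."""
    return [d for d in denials if d["source"] == actual
            and "passenger" in (d["comm"] + " " + d["proctitle"]).lower()]


if __name__ == "__main__":
    for d in passenger_in_wrong_domain(parse_denials(SAMPLE)):
        print(d["event"], d["source"], "->", d["target"], d["tclass"],
              d["perms"], d["proctitle"] or d["comm"])
```

The decoded PROCTITLE for event 304 shows that the `ruby` process denied `name_connect` to port 5432 is Passenger's rack-preloader.rb, running as httpd_t rather than the passenger_t domain named in the issue title.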