Actions
Support #24616
closedPassenger does not transition into passenger_t domain
Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Triaged:
No
Fixed in Releases:
Found in Releases:
Description
Steps:
1. Minimal install of CentOs 7.4, with SELinux enabled
2.
sudo yum -y install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
3.
sudo yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
4.
sudo yum -y install https://yum.theforeman.org/releases/1.18/el7/x86_64/foreman-release.rpm
5.
sudo yum -y install foreman-installer
6. Place foreman-answers.yaml file -- foreman-selinux param is left as default (undef), database parameters are configured to point to an external host with postgresql already installed and running.
7.
foreman-installer
Among the output will be the following, but the installer does not fail and reports everything is ready upon completion:
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory). foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17 foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0) foreman: Failed to read policy package libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory). OSError: No such file or directory ValueError: Type foreman_container_port_t is invalid, must be a port type
8. Attempt to connect to web UI, receive the following error dump:
could not connect to server: Permission denied Is the server running on host "<HOST>" (<IP>) and accepting TCP/IP connections on port 5432? (PG::ConnectionBad) /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `initialize' /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `new' /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `connect' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:697:in `connect' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:221:in `initialize' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `new' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `postgresql_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:759:in `new_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:803:in `checkout_new_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:782:in `try_to_checkout_new_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:743:in `acquire_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:500:in `checkout' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:374:in `connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:931:in `retrieve_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:116:in `retrieve_connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:88:in `connection' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:20:in `table_exists?' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:24:in `create_table' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/migration.rb:1125:in `initialize' /usr/share/foreman/app/registries/foreman/plugin.rb:321:in `new' /usr/share/foreman/app/registries/foreman/plugin.rb:321:in `pending_migrations' /usr/share/foreman/app/registries/foreman/plugin.rb:265:in `permission' /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:50:in `block (3 levels) in <class:Engine>' /usr/share/foreman/app/registries/foreman/plugin.rb:249:in `instance_eval' /usr/share/foreman/app/registries/foreman/plugin.rb:249:in `security_block' /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:49:in `block (2 levels) in <class:Engine>' /usr/share/foreman/app/registries/foreman/plugin.rb:72:in `instance_eval' /usr/share/foreman/app/registries/foreman/plugin.rb:72:in `register' /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:45:in `block in <class:Engine>' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `instance_exec' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `run' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:59:in `block in run_initializers' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:228:in `block in tsort_each' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:350:in `block (2 levels) in each_strongly_connected_component' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:431:in `each_strongly_connected_component_from' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:349:in `block in each_strongly_connected_component' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `call' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each_strongly_connected_component' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:226:in `tsort_each' /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:205:in `tsort_each' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:58:in `run_initializers' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/application.rb:353:in `initialize!' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `public_send' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `method_missing' /usr/share/foreman/config/environment.rb:5:in `<top (required)>' /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require' /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require' config.ru:5:in `block in <main>' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `instance_eval' /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `initialize' config.ru:1:in `new' config.ru:1:in `<main>' /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval' /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app' /usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>' /usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>' /usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'
9. Install postgresql client and test same connection parameters manually: database connect is successful.
Workaround:
1. setenforce 0
2. Reload web UI page -- now loads successfully.
audit.log shows numerous errors, of the following three types:
type=AVC msg=audit(1534268634.110:304): avc: denied { name_connect } for pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1534268634.110:304): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7620c90 a2=10 a3=7ffd64da5198 items=0 ppid=1847 pid=1848 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby24/root/usr/bin/ruby" subj=system_u:system_r:httpd_t:s0 key=(null) type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262 type=AVC msg=audit(1534268634.245:305): avc: denied { fowner } for pid=1858 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability type=SYSCALL msg=audit(1534268634.245:305): arch=c000003e syscall=268 success=no exit=-1 a0=ffffffffffffff9c a1=1309120 a2=1c0 a3=7ffeca864ba0 items=0 ppid=903 pid=1858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1534268634.348:315): avc: denied { block_suspend } for pid=903 comm="PassengerHelper" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 type=SYSCALL msg=audit(1534268634.348:315): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=500000014 a3=12dc440 items=0 ppid=899 pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/libexec/passenger/PassengerHelperAgent" subj=system_u:system_r:httpd_t:s0 key=(null)
I believe this is a recent regression, as it was working as recently as last Friday with 1.17 (a current install of 1.17 following exact same previously successful steps now fails).
Files
Updated by Lukas Zapletal almost 7 years ago
- Tracker changed from Bug to Support
- Project changed from Foreman to SELinux
- Subject changed from foreman-selinux package (silently) failing on default install; blocks connection to external postgresql host to Passenger does not transition into passenger_t domain
- Priority changed from High to Normal
Actions