Bug #26951

foreman-tasks won't start if SELinux is enforcing

Added by Lukas Zapletal about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
High
Category:
-
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Steps to Reproduce:
If SELinux is set to enforcing, foreman-tasks won't start. The error from audit.log follows.
audit2why
type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

audit2allow
type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1543433823.151:252): proctitle=72756279002F7573722F62696E2F666F72656D616E2D7461736B73007374617274
type=SERVICE_START msg=audit(1543433823.279:253): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=foreman-tasks comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0

#============= passenger_t ==============
allow passenger_t self:process execmem;
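As an added example (not Foreman code, and not taken from the foreman-selinux pull request), the script below does offline what the reporter did with audit2why/audit2allow: it parses the AVC records quoted above (embedded here as sample input, duplicate line included), merges them into audit2allow-style TE rules grouped by source type, decodes the SYSCALL record to show that the denied call was mprotect(2) on x86_64 asking for PROT_READ|PROT_EXEC, and flags the permissions (execmem, execstack, execheap, execmod) that relax W^X for the whole domain, something a bare allow rule does not make visible. All function names and the warning format are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the audit records from the bug report above, copied verbatim.
# The repeated AVC line is intentional so that de-duplication has work to do.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1543433823.151:252): arch=c000003e syscall=10 success=no exit=-13 a0=7f202c745000 a1=1000 a2=5 a3=7ffc0b1b5aa0 items=0 ppid=23533 pid=23534 auid=4294967295 uid=991 gid=987 euid=991 suid=991 fsuid=991 egid=987 sgid=987 fsgid=987 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby23/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1543433823.151:252): avc: denied { execmem } for pid=23534 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')

# Process permissions that let a domain create executable anonymous/writable memory.
WX_PERMS = {"execmem", "execstack", "execheap", "execmod"}

# mprotect/mmap protection bits on Linux.
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


def _kv(text):
    """Turn 'a=1 b="x"' into {'a': '1', 'b': 'x'}; enough for audit fields."""
    out = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val.strip('"')
    return out


def parse_avc(line):
    """Return the parts of one AVC denial (perms, source/target types, class), else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = _kv(m.group("rest"))
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": f["scontext"].split(":")[2],   # user:role:TYPE:level
        "ttype": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "permissive": f.get("permissive") == "1",
    }


def decode_mprotect(line):
    """For an x86_64 SYSCALL record of mprotect(2) (syscall 10) return the requested
    protection flags (a2, logged in hex). The execmem check fires when PROT_EXEC is
    requested for anonymous memory or for a mapping that is (or was) writable."""
    if "type=SYSCALL" not in line:
        return None
    f = _kv(line)
    if f.get("arch") != "c000003e" or f.get("syscall") != "10":
        return None
    prot = int(f["a2"], 16)
    return [name for bit, name in sorted(PROT_BITS.items()) if prot & bit]


def merged_denials(audit_text):
    """Collapse duplicate denials: (stype, ttype, tclass) -> union of denied perms."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return merged


def allow_rules(audit_text):
    """Emit audit2allow-style TE rules grouped by source type."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), perms in sorted(merged_denials(audit_text).items()):
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        by_source[stype].append(f"allow {stype} {target}:{tclass} {plist};")
    return dict(by_source)


def wx_warnings(audit_text):
    """List (source type, W^X-relaxing perms) pairs a generated module would grant."""
    warns = []
    for (stype, _ttype, tclass), perms in sorted(merged_denials(audit_text).items()):
        hits = sorted(perms & WX_PERMS) if tclass == "process" else []
        if hits:
            warns.append((stype, hits))
    return warns


def render(audit_text):
    """Render rules in the same layout audit2allow prints."""
    out = []
    for stype, rules in allow_rules(audit_text).items():
        out.append(f"#============= {stype} ==============")
        out.extend(rules)
    return "\n".join(out)


if __name__ == "__main__":
    print(render(SAMPLE_AUDIT_LOG))
    for stype, hits in wx_warnings(SAMPLE_AUDIT_LOG):
        print(f"WARNING: {stype} would gain {', '.join(hits)} (executable anonymous memory)")
    for line in SAMPLE_AUDIT_LOG.splitlines():
        prot = decode_mprotect(line)
        if prot:
            print("denied mprotect() requested", "|".join(prot))
```

The rendered output for the sample is exactly the `allow passenger_t self:process execmem;` rule the reporter obtained. To ship it as a stopgap before the packaged policy fix, write the rules into a `.te` file with a `module` header and `require` block, then `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp` (or let `audit2allow -M local` do the same from the raw AVC lines). The warning is the caveat worth reading before loading it: execmem is not a file-labeling mistake, it is a widening of passenger_t that lets any code running in that domain, not just foreman-tasks, map executable memory, which is what the final commit ("allow execmem in passenger too") grants in the shipped policy.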

Associated revisions

Revision 61cb1773 (diff)
Added by Lukas Zapletal about 4 years ago

Fixes #26951 - allow execmem in passenger too

History

#1 Updated by The Foreman Bot about 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/93 added

#2 Updated by Anonymous about 4 years ago

  • Status changed from Ready For Testing to Closed
