Bug #2789 (closed): SELinux denials in 1.2
Description
We have a couple of denials in the 1.2 release.
First bunch reported by Yaniv Kaul:
type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 ino=792378 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 ino=792378 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0 ino=792350 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:20): avc: denied { execute } for pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans } for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:22): avc: denied { read } for pid=1416 comm="ifconfig" name="unix" dev=proc ino=4026532007 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:23): avc: denied { search } for pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1373816913.954:24): avc: denied { open } for pid=1416 comm="ifconfig" name="dev" dev=proc ino=4026531979 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc ino=4026531979 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } for pid=1423 comm="rm" capability=26 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=capability
type=AVC msg=audit(1373816974.509:44): avc: denied { getattr } for pid=1303 comm="ruby" path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem" dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for pid=1303 comm="ruby" src=17117 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
Second bunch reported by me running nightly (occurs after some time even when Foreman is not accessed at all):
- grep AVC /var/log/audit/audit.log | paste
http://sprunge.us/SgXE
- cat /var/log/audit/audit.log | audit2allow -R | paste
http://sprunge.us/HQDf
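A small parser for AVC records like the ones pasted above, added here as an example (not code from the bug report or the Foreman project). It splits run-together audit text into records and then groups denials by source type, target type and object class, which is the grouping `audit2allow -R` collapses into one allow rule per line, so a reviewer can see which permission sets the passenger_t domain is actually asking for. The sample input is constructed from four of the report's records.

```python
import re
from collections import defaultdict

# Constructed sample: four records copied in shape from the report above, run
# together on one line exactly as the tracker flattened them.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for pid=1303 comm="ruby" '
    'name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 ino=792378 '
    'scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file '
    'type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for pid=1303 comm="ruby" '
    'name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0 ino=792350 '
    'scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file '
    'type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for pid=1416 comm="sh" '
    'name="ifconfig" dev=dm-0 ino=44 scontext=system_u:system_r:passenger_t:s0 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file '
    'type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for pid=1303 comm="ruby" '
    'src=17117 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'
)

# One record: timestamp:serial, the denied permission set, then key=value fields
# up to the next "type=AVC" or end of input (so run-together lines still split).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)(?=\s*type=AVC|\Z)', re.DOTALL)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per denial: ts, serial, perms (set) and the key=value fields."""
    records = []
    for m in AVC_RE.finditer(text):
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        records.append({'ts': float(m.group('ts')), 'serial': int(m.group('serial')),
                        'perms': set(m.group('perms').split()), **fields})
    return records

def summarize(records):
    """Fold denials into (source type, target type, class) -> union of permissions.
    The type is the third field of a context such as system_u:system_r:passenger_t:s0."""
    needed = defaultdict(set)
    for r in records:
        key = (r['scontext'].split(':')[2], r['tcontext'].split(':')[2], r['tclass'])
        needed[key] |= r['perms']
    return dict(needed)

def to_allow_rules(summary):
    """Render audit2allow-style rules, sorted so the output is stable and diffable."""
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(summary.items())]
```

Each rendered rule is a candidate for review, not something to load as-is: the name_bind denial on the generic port_t type, for instance, points at an unlabelled port rather than at a missing allow rule.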
Updated by Dominic Cleal over 11 years ago
- Project changed from Foreman to SELinux
- Category deleted (56)
Updated by Dominic Cleal over 11 years ago
- Status changed from New to Ready For Testing
Updated by Anonymous over 11 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset ba3378a8671b1d88ec1b865f2942050ec993e395.