Bug #3159

SELinux denials when installing foreman-* packages

Added by Lukas Zapletal about 5 years ago. Updated 5 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Sam Kottler
Category:
-
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce (setenforce 0):

1. Install Foreman 1.3 RC2, configure, start.
2. yum -y install foreman*
3. service httpd restart

RHEL6:

Info: Searching AVC errors produced since 1380240595.37 (Thu Sep 26 20:09:55 2013)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/26/2013 20:09:55 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.rNlVEY 2>&1'
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.063:73): arch=c000003e syscall=90 success=yes exit=0 a0=136aa40 a1=1e8 a2=0 a3=7fff6a064830 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.063:73): avc:  denied  { setattr } for  pid=13294 comm="ruby" name="reports" dev=dm-0 ino=2097545 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.067:74): arch=c000003e syscall=90 success=yes exit=0 a0=18f8550 a1=1e8 a2=0 a3=8 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.067:74): avc:  denied  { setattr } for  pid=13294 comm="ruby" name="yaml" dev=dm-0 ino=2097405 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.068:75): arch=c000003e syscall=189 success=yes exit=0 a0=115b870 a1=7fe4a799a2d9 a2=10cf470 a3=26 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.068:75): avc:  denied  { relabelto } for  pid=13294 comm="ruby" name="yaml" dev=dm-0 ino=2097405 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1380240606.068:75): avc:  denied  { relabelfrom } for  pid=13294 comm="ruby" name="yaml" dev=dm-0 ino=2097405 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.070:76): arch=c000003e syscall=83 success=yes exit=0 a0=22ee660 a1=1e8 a2=22ee67b a3=7fff6a05ce40 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.070:76): avc:  denied  { create } for  pid=13294 comm="ruby" name="server_data" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.083:77): arch=c000003e syscall=189 success=yes exit=0 a0=2d1c410 a1=7fe4a799a2d9 a2=2d26910 a3=26 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.083:77): avc:  denied  { relabelto } for  pid=13294 comm="ruby" name="ca.pem" dev=dm-0 ino=2097521 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1380240606.083:77): avc:  denied  { relabelfrom } for  pid=13294 comm="ruby" name="ca.pem" dev=dm-0 ino=2097521 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.086:78): arch=c000003e syscall=189 success=yes exit=0 a0=14481e0 a1=7fe4a799a2d9 a2=1a47d60 a3=26 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.086:78): avc:  denied  { relabelfrom } for  pid=13294 comm="ruby" name="hp-z400-01.rhts.eng.bos.redhat.com.pem" dev=dm-0 ino=2097527 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.111:79): arch=c000003e syscall=189 success=yes exit=0 a0=1527150 a1=7fe4a799a2d9 a2=1639b50 a3=26 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.111:79): avc:  denied  { relabelto } for  pid=13294 comm="ruby" name="rrd" dev=dm-0 ino=2097601 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.127:80): arch=c000003e syscall=2 success=yes exit=6 a0=1920260 a1=241 a2=1b0 a3=1f items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.127:80): avc:  denied  { write } for  pid=13294 comm="ruby" name="masterhttp.log" dev=dm-0 ino=1970465 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_log_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.131:81): arch=c000003e syscall=189 success=yes exit=0 a0=165f320 a1=7fe4a799a2d9 a2=18a2400 a3=22 items=0 ppid=12837 pid=13294 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.131:81): avc:  denied  { relabelto } for  pid=13294 comm="ruby" name="masterhttp.log" dev=dm-0 ino=1970465 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1380240606.131:81): avc:  denied  { relabelfrom } for  pid=13294 comm="ruby" name="masterhttp.log" dev=dm-0 ino=1970465 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_log_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.920:82): arch=c000003e syscall=4 success=yes exit=0 a0=1828650 a1=7fff6a055690 a2=7fff6a055690 a3=8 items=0 ppid=13294 pid=13330 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.920:82): avc:  denied  { getattr } for  pid=13330 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=2883598 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.920:83): arch=c000003e syscall=21 success=yes exit=0 a0=1828650 a1=1 a2=0 a3=8 items=0 ppid=13294 pid=13330 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.920:83): avc:  denied  { execute } for  pid=13330 comm="ruby" name="ifconfig" dev=dm-0 ino=2883598 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.925:84): arch=c000003e syscall=59 success=yes exit=0 a0=2217940 a1=2217a60 a2=2214df0 a3=7fffc207fd90 items=0 ppid=13545 pid=13547 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.925:84): avc:  denied  { execute_no_trans } for  pid=13547 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=2883598 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1380240606.925:84): avc:  denied  { read open } for  pid=13547 comm="sh" name="ifconfig" dev=dm-0 ino=2883598 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.926:85): arch=c000003e syscall=21 success=yes exit=0 a0=40d52e a1=4 a2=0 a3=7fff274bad90 items=0 ppid=13545 pid=13547 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.926:85): avc:  denied  { read } for  pid=13547 comm="ifconfig" name="unix" dev=proc ino=4026532007 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.926:86): arch=c000003e syscall=21 success=no exit=-2 a0=40c5d8 a1=4 a2=2 a3=7fff274bad90 items=0 ppid=13545 pid=13547 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.926:86): avc:  denied  { search } for  pid=13547 comm="ifconfig" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.926:87): arch=c000003e syscall=2 success=yes exit=6 a0=40cfe3 a1=0 a2=1b6 a3=0 items=0 ppid=13545 pid=13547 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.926:87): avc:  denied  { open } for  pid=13547 comm="ifconfig" name="dev" dev=proc ino=4026531979 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.926:88): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fff274bae10 a2=7fff274bae10 a3=78 items=0 ppid=13545 pid=13547 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.926:88): avc:  denied  { getattr } for  pid=13547 comm="ifconfig" path="/proc/13547/net/dev" dev=proc ino=4026531979 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Thu Sep 26 20:10:06 2013
type=SYSCALL msg=audit(1380240606.979:89): arch=c000003e syscall=59 success=yes exit=0 a0=1794560 a1=7fff6a0679a0 a2=33d3d80 a3=7fff6a067700 items=0 ppid=13330 pid=13572 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="node.rb" exe="/bin/env" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380240606.979:89): avc:  denied  { execute_no_trans } for  pid=13572 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2757220 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1380240606.979:89): avc:  denied  { execute } for  pid=13572 comm="ruby" name="node.rb" dev=dm-0 ino=2757220 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
    Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.rNlVEY | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.ILc_V_ 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
Running 'rpm -q selinux-policy || true'
selinux-policy-3.7.19-195.el6.noarch

#============= passenger_t ==============
allow passenger_t ifconfig_exec_t:file { read getattr open execute execute_no_trans };
allow passenger_t proc_net_t:file { read getattr open };
allow passenger_t puppet_etc_t:file { execute execute_no_trans };
allow passenger_t puppet_log_t:file { write relabelto relabelfrom };
allow passenger_t puppet_var_lib_t:dir { relabelfrom relabelto create setattr };
allow passenger_t puppet_var_lib_t:file { relabelfrom relabelto };
allow passenger_t sysctl_net_t:dir search;

Fedora 18:

Info: Searching AVC errors produced since 1380244138.68 (Thu Sep 26 21:08:58 2013)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/26/2013 21:08:58 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.m3EBnL 2>&1'
----
time->Thu Sep 26 21:11:40 2013
type=SYSCALL msg=audit(1380244300.998:389): arch=c000003e syscall=4 success=no exit=-13 a0=7f62b6dd6728 a1=7ffff23efc70 a2=7ffff23efc70 a3=fffffffffffffee1 items=0 ppid=1 pid=9663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380244300.998:389): avc:  denied  { search } for  pid=9663 comm="httpd" name="puppet" dev="dm-1" ino=1835745 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
----
time->Thu Sep 26 21:11:41 2013
type=SYSCALL msg=audit(1380244301.013:390): arch=c000003e syscall=42 success=no exit=-13 a0=4 a1=7fe45f8097e0 a2=1c a3=7fe45c9bccd0 items=0 ppid=1 pid=7696 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380244301.013:390): avc:  denied  { name_connect } for  pid=7696 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
----
time->Thu Sep 26 21:11:42 2013
type=SYSCALL msg=audit(1380244302.171:393): arch=c000003e syscall=4 success=no exit=-13 a0=7ff5f1794728 a1=7fffc820d7f0 a2=7fffc820d7f0 a3=fffffffffffffee1 items=0 ppid=1 pid=9675 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380244302.171:393): avc:  denied  { search } for  pid=9675 comm="httpd" name="puppet" dev="dm-1" ino=1835745 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
----
time->Thu Sep 26 21:11:42 2013
type=SYSCALL msg=audit(1380244302.324:394): arch=c000003e syscall=4 success=no exit=-13 a0=7ff5f16867a8 a1=7fffc820d7f0 a2=7fffc820d7f0 a3=ffffffffffffff11 items=0 ppid=1 pid=9675 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380244302.324:394): avc:  denied  { search } for  pid=9675 comm="httpd" name="puppet" dev="dm-1" ino=1835745 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
    Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.m3EBnL | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.OeqI4s 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.11.1-103.fc18.noarch

#============= httpd_t ==============
allow httpd_t puppet_etc_t:dir search;
allow httpd_t puppet_port_t:tcp_socket name_connect;

Fedora 19:

Info: Searching AVC errors produced since 1380243685.88 (Thu Sep 26 21:01:25 2013)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/26/2013 21:01:25 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.CfOpxT 2>&1'
----
time->Thu Sep 26 21:03:04 2013
type=SYSCALL msg=audit(1380243784.811:151): arch=c000003e syscall=4 success=yes exit=0 a0=7ffa962a0828 a1=7fff1586f650 a2=7fff1586f650 a3=7ffa92dd67a0 items=0 ppid=1 pid=6864 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380243784.811:151): avc:  denied  { getattr } for  pid=6864 comm="httpd" path="/etc/puppet/rack/public" dev="dm-1" ino=2627003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
----
time->Thu Sep 26 21:03:04 2013
type=SYSCALL msg=audit(1380243784.813:152): arch=c000003e syscall=42 success=no exit=-115 a0=4 a1=7f2953ec97e0 a2=1c a3=7f2951181220 items=0 ppid=1 pid=5286 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380243784.813:152): avc:  denied  { name_connect } for  pid=5286 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
----
time->Thu Sep 26 21:03:11 2013
type=SYSCALL msg=audit(1380243791.180:155): arch=c000003e syscall=4 success=yes exit=0 a0=7f1d13d7c828 a1=7fffba45b9e0 a2=7fffba45b9e0 a3=7f1d105c27a0 items=0 ppid=1 pid=6924 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1380243791.180:155): avc:  denied  { getattr } for  pid=6924 comm="httpd" path="/etc/puppet/rack/public" dev="dm-1" ino=2627003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
----
time->Thu Sep 26 21:03:11 2013
type=SYSCALL msg=audit(1380243791.217:156): arch=c000003e syscall=5 success=yes exit=0 a0=1 a1=7fffff7149d0 a2=7fffff7149d0 a3=7fffff714780 items=0 ppid=6928 pid=6930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380243791.217:156): avc:  denied  { getattr } for  pid=6930 comm="ruby-mri" path="socket:[41542]" dev="sockfs" ino=41542 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
----
time->Thu Sep 26 21:03:11 2013
type=SYSCALL msg=audit(1380243791.220:157): arch=c000003e syscall=16 success=no exit=-25 a0=1 a1=5401 a2=7fffff714820 a3=f36228 items=0 ppid=6928 pid=6930 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="ruby-mri" exe="/usr/bin/ruby-mri" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1380243791.220:157): avc:  denied  { ioctl } for  pid=6930 comm="ruby-mri" path="socket:[41542]" dev="sockfs" ino=41542 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
    Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.CfOpxT | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.WUfA5W 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.12.1-74.4.fc19.noarch

#============= httpd_t ==============
allow httpd_t puppet_etc_t:dir getattr;
allow httpd_t puppet_port_t:tcp_socket name_connect;

#============= passenger_t ==============
allow passenger_t init_t:unix_stream_socket { getattr ioctl };
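
As an added example (not part of this report or of the foreman-selinux project), the script below parses AVC records like the ones quoted above and merges them into the audit2allow-style allow rules shown at the end of each section, flagging the relabel and execute permissions a policy reviewer should look at before granting. The sample records are a constructed subset of the lines quoted in this report; HIGH_RISK is an assumed reviewer list, not an SELinux concept.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC records quoted in the RHEL6 and
# Fedora 19 sections of this bug report (the SYSCALL records are not needed).
SAMPLE_AVCS = """\
type=AVC msg=audit(1380240606.063:73): avc:  denied  { setattr } for  pid=13294 comm="ruby" name="reports" dev=dm-0 ino=2097545 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1380240606.068:75): avc:  denied  { relabelto } for  pid=13294 comm="ruby" name="yaml" dev=dm-0 ino=2097405 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1380240606.068:75): avc:  denied  { relabelfrom } for  pid=13294 comm="ruby" name="yaml" dev=dm-0 ino=2097405 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1380240606.070:76): avc:  denied  { create } for  pid=13294 comm="ruby" name="server_data" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1380240606.925:84): avc:  denied  { read open } for  pid=13547 comm="sh" name="ifconfig" dev=dm-0 ino=2883598 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1380240606.920:83): avc:  denied  { execute } for  pid=13330 comm="ruby" name="ifconfig" dev=dm-0 ino=2883598 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1380243784.813:152): avc:  denied  { name_connect } for  pid=5286 comm="httpd" dest=8140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
"""

# One AVC record: the denied permission set, then the two security contexts
# (user:role:type:level) and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\w+)"
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, {perms}) for one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # type field of the context
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def aggregate(lines):
    """Merge denials into audit2allow-style rules keyed on (stype, ttype, tclass)."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

# Assumed reviewer list: permissions that let a web domain change labels or
# run new code, so they deserve a look rather than a blind allow rule.
HIGH_RISK = {"relabelfrom", "relabelto", "execute", "execute_no_trans", "entrypoint"}

def render_rules(rules):
    """Emit rules in the .te syntax shown in the report, annotating risky perms."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        body = " ".join(sorted(perms))
        body = body if len(perms) == 1 else "{ " + body + " }"
        risky = sorted(perms & HIGH_RISK)
        note = f"  # REVIEW: {' '.join(risky)}" if risky else ""
        out.append(f"allow {stype} {ttype}:{tclass} {body};{note}")
    return out

if __name__ == "__main__":
    for rule in render_rules(aggregate(SAMPLE_AVCS.splitlines())):
        print(rule)
```

Running it against a real `ausearch -m AVC` capture is the same call with the file's lines in place of SAMPLE_AVCS.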

Associated revisions

Revision b0837e98 (diff)
Added by Sam Kottler about 5 years ago

Fixes #3159: prevent AVC denials related to passenger interaction with the puppet_*_t and a couple other domains

History

#1 Updated by Lukas Zapletal about 5 years ago

  • Related to Tracker #3112: [TRACKER] Issues to be released in 1.3 RC or final added

#2 Updated by Dominic Cleal about 5 years ago

  • Project changed from Foreman to SELinux
  • Category deleted (56)

#3 Updated by Sam Kottler about 5 years ago

  • Assignee set to Sam Kottler

#4 Updated by Sam Kottler about 5 years ago

  • Status changed from New to Ready For Testing

#5 Updated by Sam Kottler about 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Lukas Zapletal about 5 years ago

  • Related to deleted (Tracker #3112: [TRACKER] Issues to be released in 1.3 RC or final)
