Bug #3465: AVC denials with Foreman 1.3 on RHEL 6 - SELinux - Foreman

Actions

Copy link

Bug #3465

closed

AVC denials with Foreman 1.3 on RHEL 6

Added by Jan Pazdziora over 11 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Lukas Zapletal

Category:

Packaging

Target version:

1.5.0

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

A fresh installation of Foreman from http://yum.theforeman.org/releases/1.3/el6/$basearch on RHEL 6.4 gives the following AVC denials:

type=AVC msg=audit(1382419667.548:274): avc:  denied  { search } for  pid=15804 comm="ruby" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { read } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { open } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.549:275): avc:  denied  { read } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:275): avc:  denied  { open } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:276): avc:  denied  { getattr } for  pid=15804 comm="ruby" path="/sys/devices/system/node/node0/meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.551:277): avc:  denied  { read } for  pid=15804 comm="ruby" name="random" dev=devtmpfs ino=3702 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

or to show it with macros,

dev_list_sysfs(passenger_t)
dev_read_rand(passenger_t)
dev_read_sysfs(passenger_t)

The only passenger booleans I can see are both on:

# getsebool -a | grep passenger
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

Related issues 2 (0 open — 2 closed)

Actions

Copy link

Also available in: Atom PDF

	Related to SELinux - Bug #3895: AVC denials from Foreman 1.3 installation	Resolved		12/17/2013			Actions
	Has duplicate SELinux - Bug #4458: AVC denials aboutname="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file	Duplicate		02/26/2014			Actions

Project

General

Profile

Foreman » SELinux

Custom queries

Bug #3465

AVC denials with Foreman 1.3 on RHEL 6

Updated by Dominic Cleal over 11 years ago

Updated by Jan Pazdziora over 11 years ago

Updated by Dominic Cleal over 11 years ago

Updated by Lukas Zapletal over 11 years ago

Updated by Jan Pazdziora over 11 years ago

Updated by Dominic Cleal over 11 years ago

Updated by Dominic Cleal about 11 years ago

Updated by Dominic Cleal almost 11 years ago

Updated by Lukas Zapletal almost 11 years ago

Updated by Dominic Cleal almost 11 years ago

Updated by Anonymous almost 11 years ago