Project

General

Custom queries

Profile

Actions
Copy link

Bug #3465

closed

AVC denials with Foreman 1.3 on RHEL 6

Added by Jan Pazdziora over 11 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Lukas Zapletal
Category:
Packaging
Target version:
1.5.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

A fresh installation of Foreman from http://yum.theforeman.org/releases/1.3/el6/$basearch on RHEL 6.4 gives the following AVC denials:

type=AVC msg=audit(1382419667.548:274): avc:  denied  { search } for  pid=15804 comm="ruby" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { read } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.548:274): avc:  denied  { open } for  pid=15804 comm="ruby" name="node" dev=sysfs ino=1615 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1382419667.549:275): avc:  denied  { read } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:275): avc:  denied  { open } for  pid=15804 comm="ruby" name="meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.549:276): avc:  denied  { getattr } for  pid=15804 comm="ruby" path="/sys/devices/system/node/node0/meminfo" dev=sysfs ino=1652 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1382419667.551:277): avc:  denied  { read } for  pid=15804 comm="ruby" name="random" dev=devtmpfs ino=3702 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file

or to show it with macros,

dev_list_sysfs(passenger_t)
dev_read_rand(passenger_t)
dev_read_sysfs(passenger_t)

The only passenger booleans I can see are both on:

# getsebool -a | grep passenger
passenger_run_foreman --> on
passenger_run_puppetmaster --> on

Related issues 2 (0 open2 closed)

Related to SELinux - Bug #3895: AVC denials from Foreman 1.3 installationResolved12/17/2013Actions
Has duplicate SELinux - Bug #4458: AVC denials aboutname="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=fileDuplicate02/26/2014Actions
#1

Updated by Dominic Cleal over 11 years ago

  • Project changed from Foreman to SELinux
#3

Updated by Dominic Cleal over 11 years ago

  • Priority changed from High to Normal
#7

Updated by Dominic Cleal over 11 years ago

  • Related to Bug #3895: AVC denials from Foreman 1.3 installation added
#8

Updated by Dominic Cleal about 11 years ago

  • Has duplicate Bug #4458: AVC denials aboutname="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file added
#9

Updated by Lukas Zapletal about 11 years ago

  • Category set to Packaging
  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Target version set to 1.9.1
#10

Updated by Dominic Cleal about 11 years ago

  • Translation missing: en.field_release set to 4
#11

Updated by Anonymous about 11 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF