Bug #3895: AVC denials from Foreman 1.3 installation - SELinux - Foreman

Actions

Copy link

Bug #3895

closed

AVC denials from Foreman 1.3 installation

Added by Dominic Cleal almost 11 years ago. Updated over 10 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

No discernible impact on the application or installation.

Dec 17 10:33:02 puma39 kernel: type=1400 audit(1387269182.837:6): avc:  denied  { search } for  pid=18188 comm="PassengerHelper" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passe
nger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 10:33:02 puma39 kernel: type=1400 audit(1387269182.837:7): avc:  denied  { read } for  pid=18188 comm="PassengerHelper" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:p
assenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 10:33:02 puma39 kernel: type=1400 audit(1387269182.837:8): avc:  denied  { open } for  pid=18188 comm="PassengerHelper" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:p
assenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 10:33:14 puma39 kernel: type=1400 audit(1387269194.886:9): avc:  denied  { name_connect } for  pid=18244 comm="ruby" dest=9090 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=s
ystem_u:object_r:websm_port_t:s0 tclass=tcp_socket
Dec 17 10:39:58 puma39 kernel: type=1400 audit(1387269598.109:10): avc:  denied  { name_connect } for  pid=18244 comm="ruby" dest=9090 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=
system_u:object_r:websm_port_t:s0 tclass=tcp_socket
Dec 17 10:40:03 puma39 kernel: type=1400 audit(1387269603.002:11): avc:  denied  { search } for  pid=18782 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tc
ontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 10:40:03 puma39 kernel: type=1400 audit(1387269603.002:12): avc:  denied  { read } for  pid=18782 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s
0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 10:40:03 puma39 kernel: type=1400 audit(1387269603.002:13): avc:  denied  { open } for  pid=18782 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s
0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 10:40:22 puma39 kernel: type=1400 audit(1387269622.115:14): avc:  denied  { relabelto } for  pid=18794 comm="ruby" name="yaml" dev=dm-0 ino=15992250 scontext=unconfined_u:system_r:pas
senger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
Dec 17 10:40:22 puma39 kernel: type=1400 audit(1387269622.128:15): avc:  denied  { relabelto } for  pid=18794 comm="ruby" name="masterhttp.log" dev=dm-0 ino=15992648 scontext=unconfined_u:sy
stem_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
Dec 17 10:40:22 puma39 kernel: type=1400 audit(1387269622.136:16): avc:  denied  { relabelto } for  pid=18794 comm="ruby" name="puma39.scl.lab.tlv.redhat.com.pem" dev=dm-0 ino=16122798 scont
ext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
Dec 17 10:40:22 puma39 kernel: type=1400 audit(1387269622.419:17): avc:  denied  { name_bind } for  pid=18819 comm="ruby" src=22417 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=sys
tem_u:object_r:port_t:s0 tclass=udp_socket
Dec 17 10:40:22 puma39 kernel: type=1400 audit(1387269622.892:18): avc:  denied  { execute } for  pid=18823 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:pas
senger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 10:40:22 puma39 kernel: type=1400 audit(1387269622.893:19): avc:  denied  { execute_no_trans } for  pid=18823 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unco
nfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 10:42:40 puma39 kernel: type=1400 audit(1387269760.627:20): avc:  denied  { execute } for  pid=18997 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:pas
senger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 10:42:40 puma39 kernel: type=1400 audit(1387269760.627:21): avc:  denied  { execute_no_trans } for  pid=18997 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unco
nfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 10:42:41 puma39 kernel: type=1400 audit(1387269761.702:22): avc:  denied  { search } for  pid=19042 comm="rpm" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 t
context=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 10:42:41 puma39 kernel: type=1400 audit(1387269761.702:23): avc:  denied  { read } for  pid=19042 comm="rpm" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:
s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 10:42:41 puma39 kernel: type=1400 audit(1387269761.702:24): avc:  denied  { open } for  pid=19042 comm="rpm" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:
s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 10:42:43 puma39 kernel: type=1400 audit(1387269763.037:25): avc:  denied  { getattr } for  pid=18819 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=21495887 scontext=uncon
fined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 10:42:43 puma39 kernel: type=1400 audit(1387269763.038:26): avc:  denied  { execute } for  pid=18819 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=21495887 scontext=unconfined_
u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=fileDec 17 10:42:43 puma39 kernel: type=1400 audit(1387269763.040:27): avc:  denied  { read open } for  pid=19100 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=21495887 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 10:42:43 puma39 kernel: type=1400 audit(1387269763.040:28): avc:  denied  { execute_no_trans } for  pid=19100 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=21495887 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 10:54:52 puma39 kernel: type=1400 audit(1387270492.145:29): avc:  denied  { execute } for  pid=19452 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 10:54:52 puma39 kernel: type=1400 audit(1387270492.145:30): avc:  denied  { execute_no_trans } for  pid=19452 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:01:03 puma39 kernel: type=1400 audit(1387270863.002:31): avc:  denied  { read } for  pid=19952 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:01:03 puma39 kernel: type=1400 audit(1387270863.002:32): avc:  denied  { open } for  pid=19952 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:01:08 puma39 kernel: type=1400 audit(1387270868.001:33): avc:  denied  { search } for  pid=19954 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 11:10:28 puma39 kernel: type=1400 audit(1387271428.002:34): avc:  denied  { search } for  pid=20198 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 11:11:22 puma39 kernel: type=1400 audit(1387271482.294:35): avc:  denied  { execute } for  pid=20226 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:11:22 puma39 kernel: type=1400 audit(1387271482.295:36): avc:  denied  { execute_no_trans } for  pid=20226 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:16:18 puma39 kernel: type=1400 audit(1387271778.002:37): avc:  denied  { read } for  pid=20613 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:16:18 puma39 kernel: type=1400 audit(1387271778.002:38): avc:  denied  { open } for  pid=20613 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:27:03 puma39 kernel: type=1400 audit(1387272423.002:39): avc:  denied  { execute } for  pid=20883 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:27:03 puma39 kernel: type=1400 audit(1387272423.002:40): avc:  denied  { execute_no_trans } for  pid=20883 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:30:33 puma39 kernel: type=1400 audit(1387272633.002:41): avc:  denied  { read } for  pid=21256 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:30:33 puma39 kernel: type=1400 audit(1387272633.002:42): avc:  denied  { open } for  pid=21256 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:31:53 puma39 kernel: type=1400 audit(1387272713.001:43): avc:  denied  { search } for  pid=8173 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 11:31:53 puma39 kernel: type=1400 audit(1387272713.001:44): avc:  denied  { read } for  pid=8173 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:31:53 puma39 kernel: type=1400 audit(1387272713.001:45): avc:  denied  { open } for  pid=8173 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 11:41:23 puma39 kernel: type=1400 audit(1387273283.103:46): avc:  denied  { execute } for  pid=8990 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:41:23 puma39 kernel: type=1400 audit(1387273283.103:47): avc:  denied  { execute_no_trans } for  pid=8990 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 11:41:31 puma39 kernel: type=1400 audit(1387273291.252:48): avc:  denied  { getattr } for  pid=20466 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=21495971 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 11:41:31 puma39 kernel: type=1400 audit(1387273291.252:49): avc:  denied  { execute } for  pid=20466 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=21495971 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 11:41:31 puma39 kernel: type=1400 audit(1387273291.254:50): avc:  denied  { read open } for  pid=9109 comm="ruby" name="iptables-multi-1.4.7" dev=dm-0 ino=21495971 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 11:41:31 puma39 kernel: type=1400 audit(1387273291.255:51): avc:  denied  { execute_no_trans } for  pid=9109 comm="ruby" path="/sbin/iptables-multi-1.4.7" dev=dm-0 ino=21495971 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
Dec 17 12:00:03 puma39 kernel: type=1400 audit(1387274403.002:52): avc:  denied  { search } for  pid=9895 comm="ps" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
Dec 17 12:00:03 puma39 kernel: type=1400 audit(1387274403.002:53): avc:  denied  { read } for  pid=9895 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 12:00:03 puma39 kernel: type=1400 audit(1387274403.002:54): avc:  denied  { open } for  pid=9895 comm="ps" name="online" dev=sysfs ino=23 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
Dec 17 12:57:02 puma39 kernel: type=1400 audit(1387277822.628:55): avc:  denied  { execute } for  pid=11925 comm="ruby" name="node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
Dec 17 12:57:02 puma39 kernel: type=1400 audit(1387277822.628:56): avc:  denied  { execute_no_trans } for  pid=11925 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=2622475 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file

(https://bugzilla.redhat.com/show_bug.cgi?id=1043887)

Related issues 2 (0 open — 2 closed)

Actions

Copy link

Also available in: Atom PDF

	Related to SELinux - Bug #3465: AVC denials with Foreman 1.3 on RHEL 6	Closed	Lukas Zapletal	10/22/2013			Actions
	Related to Installer - Bug #5924: Puppetmaster denial for node.rb	Closed	Lukas Zapletal	05/26/2014			Actions

Project

General

Profile

Foreman » SELinux

Custom queries

Bug #3895

AVC denials from Foreman 1.3 installation

Updated by Dominic Cleal almost 11 years ago

Updated by Dominic Cleal over 10 years ago

Updated by Lukas Zapletal over 10 years ago

Updated by Lukas Zapletal over 10 years ago

Updated by Lukas Zapletal over 10 years ago