Bug #5487

closed

Can't run with SELinux in enforcing after upgrade to 1.5RC2

Added by Ade Bradshaw over 10 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Category: Packaging
Target version:
Difficulty: easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

After upgrading to RC2, I get errors in the WebUI

Oops, we're sorry but something went wrong
Warning!
File exists - /usr/share/foreman/tmp

When doing setenforce 0 it works fine

With setenforce 1 it fails every time

I have grep'd my denied messages from the audit log (will attach)


Files

avcs.log (1.34 MB) Ade Bradshaw, 04/29/2014 01:34 PM

Related issues 1 (0 open, 1 closed)

Related to SELinux - Bug #5466: Latest passenger update broke SELinux file contexts (Closed, Lukas Zapletal, 04/28/2014)

Actions #1

Updated by Dominic Cleal over 10 years ago

  • Status changed from New to Assigned
  • Assignee set to Lukas Zapletal
  • Target version set to 1.8.3
  • Translation missing: en.field_release set to 4
Actions #2

Updated by Lukas Zapletal over 10 years ago

Hey thanks for the report, I am unable to confirm with nightly. Can you please give me:

ps auxZwww

Actions #3

Updated by Ade Bradshaw over 10 years ago

Hi Lukas

Here you go, let me know if you need anything else

http://paste.fedoraproject.org/97812/98782278/

Actions #4

Updated by Lukas Zapletal over 10 years ago

Ok this explains everything. Both puppet master and foreman are running in wrong domain httpd_t instead of passenger_t.

Can you please now pastebin the following (versions of the RPM packages or in directories might be slightly different):

[root@nightly ~]# rpm -qa | grep passenger
rubygem-passenger-native-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
mod_passenger-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-4.0.18-9.4.el6.x86_64
rubygem-passenger-4.0.18-9.4.el6.x86_64
[root@nightly ~]# rpm -ql ruby193-rubygem-passenger-native
/etc/logrotate.d/ruby193-passenger
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerHelperAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerLoggingAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/SpawnPreparer
/opt/rh/ruby193/root/var/log/passenger-analytics
[root@nightly ~]# rpm -ql rubygem-passenger-native
/etc/logrotate.d/passenger
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerHelperAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerLoggingAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerWatchdog
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/SpawnPreparer
/var/log/passenger-analytics
[root@nightly ~]# ls /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents -Z
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 SpawnPreparer
[root@nightly ~]# ls /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents -Z
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 SpawnPreparer

Also show me your SELinux policy and foreman policy version numbers and then paste me output of our file context:

[root@nightly ~]# rpm -q selinux-policy foreman-selinux
selinux-policy-3.7.19-231.el6.noarch
foreman-selinux-1.6.0-0.develop.201404281258git0e094fe.el6.noarch
[root@nightly ~]# cat /usr/share/doc/foreman-selinux-1.6.0/foreman.fc
Actions #5

Updated by Ade Bradshaw over 10 years ago

Hi Lukas

rubygem-passenger-4.0.18-9.4.el6.x86_64
rubygem-passenger-native-4.0.18-9.4.el6.x86_64
mod_passenger-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-4.0.18-9.4.el6.x86_64
rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-4.0.18-9.4.el6.x86_64
/etc/logrotate.d/ruby193-passenger
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerHelperAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerLoggingAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/SpawnPreparer
/opt/rh/ruby193/root/var/log/passenger-analytics
/etc/logrotate.d/passenger
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerHelperAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerLoggingAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerWatchdog
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/SpawnPreparer
/var/log/passenger-analytics

-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 SpawnPreparer

-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 SpawnPreparer

selinux-policy-3.7.19-231.el6_5.1.noarch
foreman-selinux-1.5.0-0.2.RC2.el6.noarch

Actions #6

Updated by Lukas Zapletal over 10 years ago

Confirmed, strange, foreman-selinux should relabel during installation automatically. Can you do:

  # foreman-selinux-relabel

Then check the labels and if these were fixed you can set enforcing back and restart apache.

  # ls /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents -Z
  # ls /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents -Z

Is it possible you installed/upgraded the instance when SELinux was turned off? In that case, relabel is not initiated.

Actions #7

Updated by Ade Bradshaw over 10 years ago

My server runs in Enforcing, in fact puppet makes sure it is always in enforcing :-D

OK, ran the relabel and restarted (and rebooted), still doesn't run unless I'm in permissive mode

Actions #8

Updated by Joop van de Wege over 10 years ago

Lukas Zapletal wrote:

Confirmed, strange, foreman-selinux should relabel during installation automatically. Can you do:

  # foreman-selinux-relabel

I have the same problem and running the above outputs info about fixing /etc/foreman folders but not /opt/rh/ruby193/root/user/lib64/...

My foreman-selinux is version 1.5.0-0.2.RC2.el6 while you refer to 1.6.0.

Joop

Actions #9

Updated by Lukas Zapletal over 10 years ago

  • Category set to Packaging
  • Status changed from Assigned to Ready For Testing
  • Difficulty set to easy

All right, found the bug. My bad. The patch is here:

https://github.com/theforeman/foreman-selinux/pull/16

Temporary workaround:

  /sbin/restorecon -rvvi \
  /opt/rh/ruby193/root/usr/share/gems/gems/passenger-* \
  /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-*/agents \
  /usr/lib/ruby/gems/1.8/gems/passenger-* \
  /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents
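
Added example, not part of the original thread or of foreman-selinux: a shell check that reads `ls -Z` output and lists every entry whose SELinux type differs from the expected one, so the agent labels can be confirmed before switching back to enforcing. The function name `mislabeled` and the variable names are hypothetical; the sample lines are the `ls -Z` listings posted in comments #4 and #5.

```shell
#!/bin/sh
# Added example (not from the thread): verify SELinux types in `ls -Z` output.
# On a real host:  ls -Z /path/to/agents | mislabeled passenger_exec_t

# Print "<name> <actual_type>" for every entry whose type is not $1.
# Returns 1 if any entry is mislabeled, 0 otherwise.
mislabeled() {
    awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                # A context is user:role:type:level; the role ends in _r.
                n = split($i, c, ":")
                if (n >= 4 && c[2] ~ /_r$/) {
                    if (c[3] != want) { print $NF, c[3]; bad = 1 }
                    next
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Listing from the working nightly host (comment #4).
GOOD_LISTING='-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 SpawnPreparer'

# Listing from the affected 1.5 RC2 host (comment #5).
BAD_LISTING='-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 SpawnPreparer'

for listing in "$GOOD_LISTING" "$BAD_LISTING"; do
    if printf '%s\n' "$listing" | mislabeled passenger_exec_t; then
        echo "labels OK"
    else
        echo "relabel needed before setenforce 1"
    fi
done
```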
Actions #10

Updated by Ade Bradshaw over 10 years ago

Thanks a lot, that works perfectly, I'm now back in Enforcing mode :D

Actions #11

Updated by Dominic Cleal over 10 years ago

Thanks for confirming!

Actions #12

Updated by Anonymous over 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #13

Updated by Dominic Cleal over 10 years ago

  • Translation missing: en.field_release changed from 4 to 17
Actions #14

Updated by Dominic Cleal over 10 years ago

  • Related to Bug #5466: Latest passenger update broke SELinux file contexts added