Bug #5487
closed
Can't run with SELinux in enforcing after upgrade to 1.5RC2
Added by Ade Bradshaw over 10 years ago. Updated over 6 years ago.
Description
After upgrading to RC2, I get errors in the WebUI
Oops, we're sorry but something went wrong
Warning!
File exists - /usr/share/foreman/tmp
When doing setenforce 0 it works fine
With setenforce 1 it fails every time
I have grep'd my denied messages from the audit log (will attach)
Updated by Dominic Cleal over 10 years ago
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
- Target version set to 1.8.3
Updated by Lukas Zapletal over 10 years ago
Hey thanks for the report, I am unable to confirm with nightly. Can you please give me:
ps auxZwww
Updated by Ade Bradshaw over 10 years ago
Hi Lukas
Here you go, let me know if you need anything else
Updated by Lukas Zapletal over 10 years ago
Ok, this explains everything. Both puppet master and foreman are running in the wrong domain, httpd_t instead of passenger_t.
Can you please now pastebin the following (versions of the RPM packages or in directories might be slightly different):
[root@nightly ~]# rpm -qa | grep passenger
rubygem-passenger-native-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
mod_passenger-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-4.0.18-9.4.el6.x86_64
rubygem-passenger-4.0.18-9.4.el6.x86_64
[root@nightly ~]# rpm -ql ruby193-rubygem-passenger-native
/etc/logrotate.d/ruby193-passenger
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerHelperAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerLoggingAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/SpawnPreparer
/opt/rh/ruby193/root/var/log/passenger-analytics
[root@nightly ~]# rpm -ql rubygem-passenger-native
/etc/logrotate.d/passenger
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerHelperAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerLoggingAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerWatchdog
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/SpawnPreparer
/var/log/passenger-analytics
[root@nightly ~]# ls /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents -Z
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 SpawnPreparer
[root@nightly ~]# ls /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents -Z
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 SpawnPreparer
Also show me your SELinux policy and foreman policy version numbers and then paste me output of our file context:
[root@nightly ~]# rpm -q selinux-policy foreman-selinux
selinux-policy-3.7.19-231.el6.noarch
foreman-selinux-1.6.0-0.develop.201404281258git0e094fe.el6.noarch
[root@nightly ~]# cat /usr/share/doc/foreman-selinux-1.6.0/foreman.fc
Updated by Ade Bradshaw over 10 years ago
Hi Lukas
rubygem-passenger-4.0.18-9.4.el6.x86_64
rubygem-passenger-native-4.0.18-9.4.el6.x86_64
mod_passenger-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-4.0.18-9.4.el6.x86_64
rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-libs-4.0.18-9.4.el6.x86_64
ruby193-rubygem-passenger-native-4.0.18-9.4.el6.x86_64
/etc/logrotate.d/ruby193-passenger
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerHelperAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerLoggingAgent
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/PassengerWatchdog
/opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents/SpawnPreparer
/opt/rh/ruby193/root/var/log/passenger-analytics
/etc/logrotate.d/passenger
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerHelperAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerLoggingAgent
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/PassengerWatchdog
/usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents/SpawnPreparer
/var/log/passenger-analytics
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 SpawnPreparer
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerLoggingAgent
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerWatchdog
-rwxr-xr-x. root root system_u:object_r:lib_t:s0 SpawnPreparer
selinux-policy-3.7.19-231.el6_5.1.noarch
foreman-selinux-1.5.0-0.2.RC2.el6.noarch
Updated by Lukas Zapletal over 10 years ago
Confirmed, strange, foreman-selinux should relabel during installation automatically. Can you do:
- foreman-selinux-relabel
Then check the labels and if these were fixed you can set enforcing back and restart apache.
- ls /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-4.0.18/agents -Z
- ls /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents -Z
Is it possible you installed/upgraded the instance when SELinux was turned off? In that case, relabel is not initiated.
Updated by Ade Bradshaw over 10 years ago
My server runs in Enforcing, in fact puppet makes sure it is always in enforcing :-D
OK, ran the relabel and restarted (and rebooted), still doesn't run unless I'm in permissive mode
Updated by Joop van de Wege over 10 years ago
Lukas Zapletal wrote:
Confirmed, strange, foreman-selinux should relabel during installation automatically. Can you do:
- foreman-selinux-relabel
I have the same problem and running the above outputs info about fixing /etc/foreman folders but not /opt/rh/ruby193/root/user/lib64/...
My foreman-selinux is version 1.5.0-0.2.RC2.el6 while you refer to 1.6.0.
Joop
Updated by Lukas Zapletal over 10 years ago
- Category set to Packaging
- Status changed from Assigned to Ready For Testing
- Difficulty set to easy
All right, found the bug. My bad. The patch is here:
https://github.com/theforeman/foreman-selinux/pull/16
Temporary workaround:
/sbin/restorecon -rvvi \
  /opt/rh/ruby193/root/usr/share/gems/gems/passenger-* \
  /opt/rh/ruby193/root/usr/lib64/gems/exts/passenger-*/agents \
  /usr/lib/ruby/gems/1.8/gems/passenger-* \
  /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents
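The two symptoms diagnosed in this thread (agent binaries labeled lib_t instead of passenger_exec_t, and Passenger processes running in httpd_t instead of passenger_t) can be checked from saved command output. The script below is an added example, not part of the original ticket or of foreman-selinux; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): check `ls -Z` and `ps auxZwww` output
# for the wrong file type and the wrong process domain discussed above.

# Prefix each line with the type taken from its first user:role:type:level
# field, whichever column holds it (ls -Z and ps auxZ place it differently).
selinux_type() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, ctx, ":")
            if (n >= 4 && ctx[2] ~ /_r$/) { print ctx[3], $0; next }
        }
    }'
}

# Reads `ls -Z <agents dir>`; prints "<file> <type>" for every agent whose
# type is not passenger_exec_t.
mislabeled_agents() {
    selinux_type | awk '$1 != "passenger_exec_t" { print $NF " " $1 }'
}

# Reads `ps auxZwww`; prints "<pid> <domain>" for every Passenger process
# that is not running in passenger_t.
wrong_domain_procs() {
    selinux_type | awk '/Passenger/ && $1 != "passenger_t" { print $4 " " $1 }'
}

# Constructed sample input in the EL6 output layout (not taken from the ticket).
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:lib_t:s0 PassengerHelperAgent
-rwxr-xr-x. root root system_u:object_r:passenger_exec_t:s0 PassengerWatchdog'

SAMPLE_PS='system_u:system_r:httpd_t:s0 root 2101 0.0 0.1 214000 2000 ? Ssl 10:00 0:00 PassengerWatchdog
system_u:system_r:passenger_t:s0 foreman 2140 0.5 9.0 600000 90000 ? Sl 10:01 0:05 Passenger RackApp: /usr/share/foreman
system_u:system_r:httpd_t:s0 apache 2090 0.0 0.2 300000 4000 ? S 10:00 0:00 /usr/sbin/httpd'

# Usage on a live host:
#   ls -Z /usr/lib64/ruby/site_ruby/1.8/x86_64-linux/agents | mislabeled_agents
#   ps auxZwww | wrong_domain_procs
```

Empty output from both functions after a relabel and an Apache restart means the labels and domains match what the thread expects.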
Updated by Ade Bradshaw over 10 years ago
Thanks a lot, that works perfectly, I'm now back in Enforcing mode :D
Updated by Anonymous over 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset b5f521e7b6514204772e627a63a1102ceb1546ec.
Updated by Dominic Cleal over 10 years ago
- Related to Bug #5466: Latest passenger update broke SELinux file contexts added