Project

General

Profile

Actions
Copy link

Bug #5808

closed

AVC denied { read } for comm="ruby" name="migrate" dev=dm-0 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file

Added by Jan Pazdziora almost 10 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Lukas Zapletal
Category:
Packaging
Target version:
1.5.1
Difficulty:
Triaged:
Bugzilla link:
1107684
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

With fresh install of Foreman develop on RHEL 6.5 using

https://github.com/sstephenson/bats.git

https://github.com/theforeman/foreman-bats.git

https://raw.github.com/theforeman/foreman-bats/master/bootstrap.sh

I then see AVC denial

type=SYSCALL msg=audit(1400573528.296:205): arch=c000003e syscall=2 success=yes exit=8 a0=8a351a0 a1=90800 a2=8a35100 a3=2 items=0 ppid=32008 pid=32011 auid=4294967295 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1400573528.296:205): avc: denied { read } for pid=32011 comm="ruby" name="migrate" dev=dm-0 ino=661342 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file

after restart of Apache.

Actions
Copy link
 #1

Updated by Dominic Cleal almost 10 years ago

  • Project changed from Foreman to SELinux
Actions
Copy link
 #2

Updated by Lukas Zapletal almost 10 years ago

  • Category set to Packaging
  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Target version set to 1.8.2

Rails reads all files in scripts/ subdirectory and since migrate is symlink and symlinks were not allowed by our rules, this fails.

I am changing to more opened admin_pattern which is safe in this context:

define(`admin_pattern',`
        manage_dirs_pattern($1,$2,$2)
        manage_files_pattern($1,$2,$2)
        manage_lnk_files_pattern($1,$2,$2)
        manage_fifo_files_pattern($1,$2,$2)
        manage_sock_files_pattern($1,$2,$2)

        relabel_dirs_pattern($1,$2,$2)
        relabel_files_pattern($1,$2,$2)
        relabel_lnk_files_pattern($1,$2,$2)
        relabel_fifo_files_pattern($1,$2,$2)
        relabel_sock_files_pattern($1,$2,$2)
')

https://github.com/theforeman/foreman-selinux/pull/18

Actions
Copy link
 #3

Updated by Dominic Cleal almost 10 years ago

  • translation missing: en.field_release set to 16
Actions
Copy link
 #4

Updated by Anonymous almost 10 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link
 #5

Updated by Bryan Kearney almost 10 years ago

  • Bugzilla link set to https://bugzilla.redhat.com/show_bug.cgi?id=1107684
Actions
Copy link

Also available in: Atom PDF