Project

General

Profile

Bug #8030

Permission denied - bind(2) on DNS lookup when creating a host

Added by Dwight Beaver over 4 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

I stood up an instance of Foreman on a centOS7 machine following the instructions at: http://www.theforeman.org/manuals/1.6/index.html#2.Quickstart

Everytime I try to add a new host I get the following error:

Warning!
Permission denied - bind(2)

Stack Trace
------------------------
Errno::EACCES
Permission denied - bind(2)
lib/net/dns.rb:17:in `block in lookup'
lib/net/dns.rb:15:in `lookup'
lib/net/dns.rb:62:in `dns_lookup'
lib/net/dns/ptr_record.rb:27:in `conflicts'
lib/net.rb:24:in `conflicting?'
app/models/concerns/orchestration/dns.rb:122:in `dns_conflict_detected?'
app/models/concerns/orchestration.rb:47:in `valid?'
app/models/concerns/foreman/sti.rb:29:in `save_with_type'
app/controllers/hosts_controller.rb:90:in `create'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

I think this is an SELinux policy issue. When I disabled SELinux, the error went away. From sealert:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /opt/rh/ruby193/root/usr/bin/ruby from name_bind access on the udp_socket .

  • Plugin bind_ports (92.2 confidence) suggests ****************
If you want to allow /opt/rh/ruby193/root/usr/bin/ruby to bind to network port 1251
Then you need to modify the port type.
Do
  1. semanage port -a -t -p udp 1251
  • Plugin catchall_boolean (7.83 confidence) suggests **********

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

  • Plugin catchall_boolean (7.83 confidence) suggests **********

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

  • Plugin catchall (1.41 confidence) suggests ******************
If you believe that ruby should be allowed name_bind access on the udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
  1. grep ruby /var/log/audit/audit.log | audit2allow -M mypol
  2. semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:passenger_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ udp_socket ]
Source ruby
Source Path /opt/rh/ruby193/root/usr/bin/ruby
Port 1251
Host <Unknown>
Source RPM Packages ruby193-ruby-1.9.3.484-49.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name foreman.test.dte.cert.org
Platform Linux foreman.test.dte.cert.org
3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22
UTC 2014 x86_64 x86_64
Alert Count 9
First Seen 2014-10-21 18:18:10 EDT
Last Seen 2014-10-22 10:20:01 EDT
Local ID 7eb1cafc-e517-41e3-892c-91c94c2c0790

Raw Audit Messages
type=AVC msg=audit(1413987601.193:1489): avc: denied { name_bind } for pid=12828 comm="ruby" src=1251 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1413987601.193:1489): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5438524080 a2=10 a3=0 items=0 ppid=1 pid=12828 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

Hash: ruby,passenger_t,unreserved_port_t,udp_socket,name_bind


Related issues

Related to SELinux - Bug #5981: Passenger opens up udp portClosed2014-05-29

Associated revisions

Revision d35fadaa (diff)
Added by Lukas Zapletal over 4 years ago

Fixes #8030 - allow UDP port binds for ruby net package

History

#1 Updated by Dominic Cleal over 4 years ago

  • Subject changed from SELINUX to Permission denied - bind(2) on DNS lookup when creating a host

#2 Updated by Lukas Zapletal over 4 years ago

Thanks for the report, nicely done!

To be honest, I was struggling with similar non-fatal bug in passenger for an year now on RHEL6. Not sure why the ruby stacktrace was shown only on CentOS7, but it leads to this particular bit in Ruby runtime:

https://github.com/ruby/ruby/blob/trunk/lib/resolv.rb#L651-L660

It looks like we might need to allow this to get this working. I asked on the Fedora SELinux list for an assistance what is the best practice in this case.

#3 Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/39 added
  • Pull request deleted ()

#4 Updated by Dominic Cleal over 4 years ago

  • Legacy Backlogs Release (now unused) set to 29

#5 Updated by Anonymous over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Lukas Zapletal over 3 years ago

  • Related to Bug #5981: Passenger opens up udp port added

Also available in: Atom PDF