Bug #8030 (closed)
Permission denied - bind(2) on DNS lookup when creating a host
Description
I stood up an instance of Foreman on a CentOS 7 machine following the instructions at: http://www.theforeman.org/manuals/1.6/index.html#2.Quickstart
Every time I try to add a new host I get the following error:
Warning!
Permission denied - bind(2)
Stack Trace
------------------------
Errno::EACCES
Permission denied - bind(2)
lib/net/dns.rb:17:in `block in lookup'
lib/net/dns.rb:15:in `lookup'
lib/net/dns.rb:62:in `dns_lookup'
lib/net/dns/ptr_record.rb:27:in `conflicts'
lib/net.rb:24:in `conflicting?'
app/models/concerns/orchestration/dns.rb:122:in `dns_conflict_detected?'
app/models/concerns/orchestration.rb:47:in `valid?'
app/models/concerns/foreman/sti.rb:29:in `save_with_type'
app/controllers/hosts_controller.rb:90:in `create'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'
I think this is an SELinux policy issue. When I disabled SELinux, the error went away. From sealert:
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /opt/rh/ruby193/root/usr/bin/ruby from name_bind access on the udp_socket .
- Plugin bind_ports (92.2 confidence) suggests ****************
Then you need to modify the port type.
Do
- semanage port -a -t -p udp 1251
- Plugin catchall_boolean (7.83 confidence) suggests **********
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
- Plugin catchall_boolean (7.83 confidence) suggests **********
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
- Plugin catchall (1.41 confidence) suggests ******************
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
- grep ruby /var/log/audit/audit.log | audit2allow -M mypol
- semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:passenger_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ udp_socket ]
Source ruby
Source Path /opt/rh/ruby193/root/usr/bin/ruby
Port 1251
Host <Unknown>
Source RPM Packages ruby193-ruby-1.9.3.484-49.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name foreman.test.dte.cert.org
Platform Linux foreman.test.dte.cert.org 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64
Alert Count 9
First Seen 2014-10-21 18:18:10 EDT
Last Seen 2014-10-22 10:20:01 EDT
Local ID 7eb1cafc-e517-41e3-892c-91c94c2c0790
Raw Audit Messages
type=AVC msg=audit(1413987601.193:1489): avc: denied { name_bind } for pid=12828 comm="ruby" src=1251 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1413987601.193:1489): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5438524080 a2=10 a3=0 items=0 ppid=1 pid=12828 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
Hash: ruby,passenger_t,unreserved_port_t,udp_socket,name_bind
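The "Hash:" line at the end of the sealert output is how setroubleshoot collapses the nine separate denials (one per random UDP source port the resolver picked) into a single alert. The following is an added example, not code from this report or from the Foreman project, that reproduces that grouping directly from raw `type=AVC` records: it parses the audit fields, derives the same `comm,source_type,target_type,tclass,permission` key, and flags the specific pattern seen here (a confined domain refused `name_bind` on an `unreserved_port_t` socket). The first two sample records are the raw audit messages quoted above; the third is a constructed record for the same denial on a different port, added so the grouping has more than one event to merge.

```python
"""Group SELinux AVC denials from audit.log the way sealert does.

Added example (not from the bug report or the Foreman code base). Parses raw
type=AVC records, rebuilds sealert's "Hash:" key and counts how many distinct
denials (here: distinct UDP source ports) fold into one alert.
"""
import re
from collections import defaultdict

# Sample input. Records 1 and 2 are copied from the report's "Raw Audit
# Messages"; record 3 is CONSTRUCTED: same denial, different source port.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1413987601.193:1489): avc: denied { name_bind } for pid=12828 comm="ruby" src=1251 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1413987601.193:1489): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5438524080 a2=10 a3=0 items=0 ppid=1 pid=12828 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1413987650.417:1490): avc: denied { name_bind } for pid=12828 comm="ruby" src=1337 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket
"""

# Tolerant of the variable whitespace the kernel and log extraction produce.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type component (third field) of a context: 'passenger_t' from
    'system_u:system_r:passenger_t:s0'."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record into a dict; None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # For name_bind denials on sockets, src= is the local port being bound.
        "src_port": int(fields["src"]) if "src" in fields else None,
    }


def sealert_hash(avc):
    """Rebuild sealert's 'Hash:' key: comm,source_type,target_type,tclass,perm."""
    return ",".join([
        avc["comm"],
        context_type(avc["scontext"]),
        context_type(avc["tcontext"]),
        avc["tclass"],
        ",".join(avc["perms"]),
    ])


def is_unreserved_port_bind(avc):
    """True for the pattern in the report: a confined domain refused bind()
    on a socket whose port carries the generic unreserved_port_t label."""
    return (
        "name_bind" in avc["perms"]
        and avc["tclass"] in ("udp_socket", "tcp_socket")
        and context_type(avc["tcontext"]) == "unreserved_port_t"
    )


def summarize_denials(audit_text):
    """Group AVC records by sealert hash: count, ports seen, time span, flag."""
    groups = defaultdict(lambda: {
        "count": 0, "src_ports": set(),
        "first_seen": None, "last_seen": None,
        "unreserved_port_bind": False,
    })
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        g = groups[sealert_hash(avc)]
        g["count"] += 1
        if avc["src_port"] is not None:
            g["src_ports"].add(avc["src_port"])
        ts = avc["timestamp"]
        g["first_seen"] = ts if g["first_seen"] is None else min(g["first_seen"], ts)
        g["last_seen"] = ts if g["last_seen"] is None else max(g["last_seen"], ts)
        g["unreserved_port_bind"] |= is_unreserved_port_bind(avc)
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {g['count']} denials, ports {sorted(g['src_ports'])}, "
              f"unreserved-port bind: {g['unreserved_port_bind']}")
```

Run against a real `/var/log/audit/audit.log`, the `src_ports` set is what tells you whether a fixed service port is involved (one port, a `semanage port` label is the precise fix) or an ephemeral resolver port as in this report (many ports, which is why sealert falls back to a boolean or a local policy module).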