Bug #8030

closed

Permission denied - bind(2) on DNS lookup when creating a host

Added by Dwight Beaver about 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-

Description

I stood up an instance of Foreman on a CentOS 7 machine following the instructions at: http://www.theforeman.org/manuals/1.6/index.html#2.Quickstart

Every time I try to add a new host I get the following error:

Warning!
Permission denied - bind(2)

Stack Trace
------------------------
Errno::EACCES
Permission denied - bind(2)
lib/net/dns.rb:17:in `block in lookup'
lib/net/dns.rb:15:in `lookup'
lib/net/dns.rb:62:in `dns_lookup'
lib/net/dns/ptr_record.rb:27:in `conflicts'
lib/net.rb:24:in `conflicting?'
app/models/concerns/orchestration/dns.rb:122:in `dns_conflict_detected?'
app/models/concerns/orchestration.rb:47:in `valid?'
app/models/concerns/foreman/sti.rb:29:in `save_with_type'
app/controllers/hosts_controller.rb:90:in `create'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

I think this is an SELinux policy issue. When I disabled SELinux, the error went away. From sealert:

found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /opt/rh/ruby193/root/usr/bin/ruby from name_bind access on the udp_socket .

  • Plugin bind_ports (92.2 confidence) suggests ****************
If you want to allow /opt/rh/ruby193/root/usr/bin/ruby to bind to network port 1251
Then you need to modify the port type.
Do
  1. semanage port -a -t -p udp 1251
  • Plugin catchall_boolean (7.83 confidence) suggests **********

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

  • Plugin catchall_boolean (7.83 confidence) suggests **********

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

  • Plugin catchall (1.41 confidence) suggests ******************
If you believe that ruby should be allowed name_bind access on the udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
  1. grep ruby /var/log/audit/audit.log | audit2allow -M mypol
  2. semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:passenger_t:s0
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects [ udp_socket ]
Source ruby
Source Path /opt/rh/ruby193/root/usr/bin/ruby
Port 1251
Host <Unknown>
Source RPM Packages ruby193-ruby-1.9.3.484-49.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name foreman.test.dte.cert.org
Platform Linux foreman.test.dte.cert.org
3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22
UTC 2014 x86_64 x86_64
Alert Count 9
First Seen 2014-10-21 18:18:10 EDT
Last Seen 2014-10-22 10:20:01 EDT
Local ID 7eb1cafc-e517-41e3-892c-91c94c2c0790

Raw Audit Messages
type=AVC msg=audit(1413987601.193:1489): avc: denied { name_bind } for pid=12828 comm="ruby" src=1251 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1413987601.193:1489): arch=x86_64 syscall=bind success=no exit=EACCES a0=b a1=7f5438524080 a2=10 a3=0 items=0 ppid=1 pid=12828 auid=4294967295 uid=997 gid=995 euid=997 suid=997 fsuid=997 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

Hash: ruby,passenger_t,unreserved_port_t,udp_socket,name_bind
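An added example, not part of the bug report or of Foreman's own code: a small Ruby parser for raw AVC records like the one above, which groups name_bind denials by source domain, target port type and object class and lists the distinct denied ports. The first sample line is the record from this report; the second, with source port 4096, is constructed to show the case where each lookup binds a different port.

```ruby
# Parse one SELinux AVC record from /var/log/audit/audit.log into a hash.
# Returns nil for non-AVC records (SYSCALL, CWD, ...).
AVC_RE = /\Atype=AVC msg=audit\((?<ts>[\d.]+):(?<serial>\d+)\): avc:\s+(?<action>denied|granted)\s+\{\s*(?<perms>[^}]+?)\s*\}\s+for\s+(?<rest>.*)\z/

def parse_avc(line)
  m = AVC_RE.match(line.strip)
  return nil unless m
  # Remaining key=value pairs; quoted values (comm="ruby") lose their quotes.
  fields = m[:rest].scan(/(\w+)=("[^"]*"|\S+)/).map { |k, v| [k, v.delete('"')] }.to_h
  {
    timestamp: m[:ts].to_f,
    serial: m[:serial].to_i,
    action: m[:action],
    perms: m[:perms].split,
    pid: fields["pid"]&.to_i,
    comm: fields["comm"],
    src_port: fields["src"]&.to_i,
    source_type: fields["scontext"]&.split(":")&.[](2),   # e.g. passenger_t
    target_type: fields["tcontext"]&.split(":")&.[](2),   # e.g. unreserved_port_t
    tclass: fields["tclass"]
  }
end

# Group name_bind denials by (source type, target type, class) and collect the
# distinct source ports. A single port means `semanage port -a` on that port
# would label the access; a varying port means per-port labelling cannot keep up.
def summarise_bind_denials(lines)
  lines.map { |l| parse_avc(l) }.compact
       .select { |r| r[:action] == "denied" && r[:perms].include?("name_bind") }
       .group_by { |r| [r[:source_type], r[:target_type], r[:tclass]] }
       .transform_values { |rs| rs.map { |r| r[:src_port] }.uniq.sort }
end

SAMPLE = [
  # Record quoted in the bug report.
  'type=AVC msg=audit(1413987601.193:1489): avc: denied { name_bind } for pid=12828 comm="ruby" src=1251 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket',
  # Constructed: a later lookup from the same process bound to a different port.
  'type=AVC msg=audit(1413987650.001:1502): avc: denied { name_bind } for pid=12828 comm="ruby" src=4096 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket',
  # Non-AVC record, ignored by the parser.
  'type=SYSCALL msg=audit(1413987601.193:1489): arch=x86_64 syscall=bind success=no exit=EACCES'
]

if __FILE__ == $PROGRAM_NAME
  summarise_bind_denials(SAMPLE).each do |(src, tgt, cls), ports|
    puts "#{src} -> #{tgt} (#{cls}): name_bind denied on ports #{ports.join(', ')}"
  end
end
```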


Related issues (1 open, 1 closed)

Related to SELinux - Bug #5981: Passenger opens up udp port (Closed, Lukas Zapletal, 05/29/2014)
Related to SELinux - Bug #30849: Cleanup DNS rules (New, Lukas Zapletal)