Bug #9972 (closed): foreman_openscap doesn't work with SELinux in enforcing mode
Description
Katello 2.2 + foreman 1.8RC2 + foreman_openscap (ruby193-rubygem-openscap.noarch 0.4.2-2.el7) on CentOS 7.
Foreman doesn't start when the foreman_openscap plugin is installed with SELinux in enforcing mode (selinux-policy.noarch 3.12.1-153.el7_0.13, katello-selinux.noarch 2.2.1-1.el7, foreman-selinux.noarch 1.8.0-0.1.RC2.el7):
type=AVC msg=audit(1427808795.006:1501): avc: denied { execmem } for pid=825 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1427808795.006:1501): arch=c000003e syscall=10 success=no exit=-13 a0=7ffd5b3ac000 a1=1000 a2=5 a3=7fffb96072f0 items=0 ppid=822 pid=825 auid=4294967295 uid=995 gid=992 euid=995 suid=995 fsuid=995 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
Updated by Lukas Zapletal over 9 years ago
This is due to assets not being precompiled. The Google V8 engine is broken, doing weird things like execmem, which we do not allow for security reasons.
http://projects.theforeman.org/projects/foreman/wiki/How_to_Create_a_Plugin#Generating-plugin-assets
Updated by Shlomi Zadok over 9 years ago
- Pull request https://github.com/OpenSCAP/scaptimony/pull/23 added
- Pull request deleted
foreman_openscap's assets:precompile is called here: https://github.com/OpenSCAP/foreman_openscap/blob/master/lib/foreman_openscap/engine.rb#L19
I suspect that the Scaptimony assets are never asked to precompile and opened a PR to remove them: https://github.com/OpenSCAP/scaptimony/pull/23
Updated by Lukas Zapletal over 9 years ago
Assets are not the problem, sorry.
The libffi library has this special check for whether SELinux is enabled (https://github.com/ffi/ffi/blob/master/ext/ffi_c/libffi/src/closures.c#L133-L164) and, if it is, it avoids EXECMEM (http://www.akkadia.org/drepper/selinux-mem.html). The ruby ffi gem was provided from Simon's package; please check whether the library is built against the correct libffi. I can't tell, but obviously something is mapping memory (mmap) incorrectly, and I suspect this is it.
Updated by Lukas Zapletal over 9 years ago
It looks like both libffi in EPEL7 and Simon's library (linked to the system libffi) contain the selinux check function:
[root@hp-nehalem-01 ~]# strings /usr/lib64/libffi.so.6.0.1 | grep selinux
/selinux
selinuxfs
[root@hp-nehalem-01 ~]# ldd /opt/rh/ruby193/root/usr/lib64/gems/exts/ffi-1.9.3/lib/ffi_c.so
        linux-vdso.so.1 => (0x00007fff3c3fe000)
        libruby.so.1.9 => not found
        libffi.so.6 => /lib64/libffi.so.6 (0x00007f8184d0d000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f8184af1000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f81848e9000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f81846e4000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f81844ad000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f81841ab000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f8183de9000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f8185141000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f8183be6000)
I just realized that the openscap library does use mmap too; that might be the problem. You should implement a similar workaround for SELinux there.
WORKAROUND FOR USERS: Set allow_execmem SELinux boolean.
Updated by Šimon Lukašík over 9 years ago
- Target version deleted (0.4.0)
- Pull request added
- Pull request deleted (https://github.com/OpenSCAP/scaptimony/pull/23)
I cannot confirm this bug is related to libopenscap.
Here is the narrow reproducer:
require 'ffi'

# Binding any C function through the ffi gem is enough to trigger the
# execmem denial described above: libffi allocates a closure trampoline
# in executable memory when the binding is created.
module LibC
  extend FFI::Library
  ffi_lib FFI::Library::LIBC
  attach_function :free, [:pointer], :void
end
If you run this in any domain (one in which execmem is not allowed or dontaudited), you will see an AVC denial similar to the one mentioned above.
Updated by Eduardo Hernacki almost 9 years ago
Baptiste Agasse wrote:
Katello 2.2 + foreman 1.8RC2 + foreman_openscap (ruby193-rubygem-openscap.noarch 0.4.2-2.el7) on CentOS 7.
Foreman doesn't start when the foreman_openscap plugin is installed with SELinux in enforcing mode (selinux-policy.noarch 3.12.1-153.el7_0.13, katello-selinux.noarch 2.2.1-1.el7, foreman-selinux.noarch 1.8.0-0.1.RC2.el7)
[...]
I'm still having the same issue with Foreman 1.10. My setup is:
CentOS 7.2 + katello-2.4.0-7.el7.noarch + foreman-1.10.0-1.el7.noarch + tfm-rubygem-foreman_openscap-0.4.3-2.fm1_10.el7.noarch
I noted that the problems began when I installed tfm-rubygem-foreman_openscap-0.4.3-2.fm1_10.el7.noarch, and I'm getting an HTTP 500 error from Apache.
My audit.log shows the following when I'm trying to access Foreman's portal:
type=AVC msg=audit(1452956110.816:19612): avc: denied { execmem } for pid=32580 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.088:19613): avc: denied { execmem } for pid=32566 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
type=AVC msg=audit(1452956111.383:19614): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/hugepages" dev="hugetlbfs" ino=11860 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.383:19615): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.383:19616): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19617): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/systemd" dev="cgroup" ino=1151 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19618): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/cpu,cpuacct" dev="cgroup" ino=1177 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19619): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/blkio" dev="cgroup" ino=1197 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19620): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/memory" dev="cgroup" ino=1233 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19621): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/net_cls" dev="cgroup" ino=1268 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19622): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/devices" dev="cgroup" ino=1278 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19623): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/hugetlb" dev="cgroup" ino=1290 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.384:19624): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/perf_event" dev="cgroup" ino=1303 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19625): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/cpuset" dev="cgroup" ino=1312 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19626): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/cgroup/freezer" dev="cgroup" ino=1333 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19627): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/fs/pstore" dev="pstore" ino=1159 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:pstore_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19628): avc: denied { getattr } for pid=32644 comm="lsof" path="/sys/kernel/config" dev="configfs" ino=1832 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir
type=AVC msg=audit(1452956111.385:19629): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-2" dev="devtmpfs" ino=12635 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.385:19630): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/sda1" dev="devtmpfs" ino=7884 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.386:19631): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-0" dev="devtmpfs" ino=7985 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.386:19632): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/dm-2" dev="devtmpfs" ino=12635 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1452956111.391:19633): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/private" dev="tmpfs" ino=10790 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19634): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/lvm/lvmpolld.socket" dev="tmpfs" ino=10814 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19635): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/NetworkManager/private" dev="tmpfs" ino=15680 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19636): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/shutdownd" dev="tmpfs" ino=10834 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19637): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/systemd/notify" dev="tmpfs" ino=1379 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19638): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/lvm/lvmetad.socket" dev="tmpfs" ino=10898 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:lvm_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19639): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/udev/control" dev="tmpfs" ino=10919 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19640): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19641): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/wsgi.27654.0.1.sock" dev="tmpfs" ino=986600 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19642): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19643): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19644): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19645): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19646): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19647): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19648): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1452956111.391:19649): avc: denied { getattr } for pid=32642 comm="lsof" path="/run/dbus/system_bus_socket" dev="tmpfs" ino=14001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
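As an added triage example (not code from this ticket, Foreman or OpenSCAP), the Ruby script below parses AVC records in the format pasted in this thread and separates the execmem denials against the passenger_t process domain, which are the libffi/V8 symptom discussed above, from the unrelated getattr/search noise produced by lsof, so an administrator can see whether the allow_execmem workaround mentioned earlier actually matches the evidence before widening policy. The names Denial, parse_avc, domain_type and triage are my own; the sample lines are copied from the ticket.

```ruby
# Added example, not code from this ticket or from Foreman/OpenSCAP.
# Matches the AVC record layout shown in the thread; other record types yield nil.
AVC_RE = /\Atype=AVC msg=audit\((?<ts>[\d.]+):(?<serial>\d+)\): avc:\s+denied\s+\{\s*(?<perms>[^}]+?)\s*\}\s+for\s+pid=(?<pid>\d+)\s+comm="(?<comm>[^"]+)"(?<rest>.*)\z/

Denial = Struct.new(:ts, :serial, :perms, :pid, :comm, :path, :scontext, :tcontext, :tclass)

# Parse one audit line; returns nil for non-AVC records (SYSCALL, CWD, ...).
def parse_avc(line)
  m = AVC_RE.match(line.strip) or return nil
  rest = m[:rest]
  field = ->(key) { rest[/\b#{key}=("?)([^"\s]+)\1/, 2] } # quoted or bare value
  Denial.new(m[:ts].to_f, m[:serial].to_i, m[:perms].split, m[:pid].to_i, m[:comm],
             field.("path"), field.("scontext"), field.("tcontext"), field.("tclass"))
end

# "system_u:system_r:passenger_t:s0" -> "passenger_t"
def domain_type(context)
  context.to_s.split(":")[2]
end

# Split execmem denials on the process itself (the symptom in this ticket) from
# file/dir denials caused by helper tools such as lsof, which no execmem boolean
# would address; count every (comm, tclass, perms) combination for the summary.
def triage(lines)
  denials = lines.map { |l| parse_avc(l) }.compact
  execmem = denials.select { |d| d.tclass == "process" && d.perms.include?("execmem") }
  by_kind = Hash.new(0)
  denials.each { |d| by_kind[[d.comm, d.tclass, d.perms.join(",")]] += 1 }
  { total: denials.size,
    execmem_domains: execmem.map { |d| domain_type(d.scontext) }.uniq,
    execmem_pids: execmem.map(&:pid).uniq,
    by_kind: by_kind }
end

# Constructed input: four AVC lines copied from the ticket plus one (shortened)
# SYSCALL record, to show that non-AVC lines are skipped.
SAMPLE_AVC_LINES = <<~LOG.lines.map(&:chomp)
  type=AVC msg=audit(1452956110.816:19612): avc: denied { execmem } for pid=32580 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
  type=AVC msg=audit(1452956111.088:19613): avc: denied { execmem } for pid=32566 comm="ruby" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:system_r:passenger_t:s0 tclass=process
  type=SYSCALL msg=audit(1427808795.006:1501): arch=c000003e syscall=10 success=no exit=-13 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby"
  type=AVC msg=audit(1452956111.383:19614): avc: denied { getattr } for pid=32644 comm="lsof" path="/dev/hugepages" dev="hugetlbfs" ino=11860 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=dir
  type=AVC msg=audit(1452956111.383:19615): avc: denied { search } for pid=32644 comm="lsof" name="fs" dev="proc" ino=1517 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=dir
LOG

if __FILE__ == $PROGRAM_NAME
  r = triage(SAMPLE_AVC_LINES)
  puts "AVC records: #{r[:total]}, execmem in #{r[:execmem_domains].inspect} (pids #{r[:execmem_pids].inspect})"
  r[:by_kind].each { |(comm, tclass, perms), n| puts "  #{n}x #{comm} #{tclass} {#{perms}}" }
end
```

Run it against a real /var/log/audit/audit.log with `triage(File.readlines(path))`; an execmem_domains list that is empty means the 500 errors have a different cause than the one this ticket describes.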
Updated by Ondřej Pražák almost 3 years ago
- Status changed from New to Closed
Foreman 1.10 is no longer supported and the same issue has not been reported for the latest releases, therefore closing. Feel free to reopen if it appears again.