Bug report: selinux denials

Running on latest CentOS 6.4, with the selinux package, I'm getting many
denials:

type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for
pid=1303 comm="ruby"
name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0
ino=792378 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for
pid=1303 comm="ruby"
name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0
ino=792378 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for
pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0
ino=792350 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for
pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:20): avc: denied { execute } for
pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for
pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans }
for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:22): avc: denied { read } for pid=1416
comm="ifconfig" name="unix" dev=proc ino=4026532007
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:23): avc: denied { search } for
pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1373816913.954:24): avc: denied { open } for pid=1416
comm="ifconfig" name="dev" dev=proc ino=4026531979
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for
pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc ino=4026531979
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } for
pid=1423 comm="rm" capability=26
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:system_r:passenger_t:s0 tclass=capability
type=AVC msg=audit(1373816974.509:44): avc: denied { getattr } for
pid=1303 comm="ruby"
path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem"
dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for
pid=1303 comm="ruby" src=17117 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

[root@foreman ~]# rpm -qa |grep fore
foreman-release-1.2.0-1.el6.noarch
foreman-proxy-1.2.0-1.el6.noarch
foreman-1.2.0-1.el6.noarch
foreman-selinux-1.2.0-1.el6.noarch
ruby193-rubygem-foremancli-1.0-4.el6.noarch
foreman-installer-1.2.0-1.el6.noarch
foreman-postgresql-1.2.0-1.el6.noarch

Hey,

Reported as Bug #2789: SELinux denials in 1.2 - SELinux - Foreman. Thanks.

LZ

··· On Sun, Jul 14, 2013 at 08:53:32AM -0700, Yaniv Kaul wrote: > Running on latest CentOS 6.4, with the selinux package, I'm getting many > denials: > > type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for > pid=1303 comm="ruby" > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 > ino=792378 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for > pid=1303 comm="ruby" > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 > ino=792378 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for > pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0 > ino=792350 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for > pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.949:20): avc: denied { execute } for > pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for > pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans } > for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.953:22): avc: denied { read } for pid=1416 > comm="ifconfig" name="unix" dev=proc 
ino=4026532007 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > type=AVC msg=audit(1373816913.954:23): avc: denied { search } for > pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir > type=AVC msg=audit(1373816913.954:24): avc: denied { open } for pid=1416 > comm="ifconfig" name="dev" dev=proc ino=4026531979 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for > pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc ino=4026531979 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } for > pid=1423 comm="rm" capability=26 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:system_r:passenger_t:s0 tclass=capability > type=AVC msg=audit(1373816974.509:44): avc: denied { getattr } for > pid=1303 comm="ruby" > path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem" > dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for > pid=1303 comm="ruby" src=17117 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:port_t:s0 tclass=udp_socket > > > [root@foreman ~]# rpm -qa |grep fore > foreman-release-1.2.0-1.el6.noarch > foreman-proxy-1.2.0-1.el6.noarch > foreman-1.2.0-1.el6.noarch > foreman-selinux-1.2.0-1.el6.noarch > ruby193-rubygem-foremancli-1.0-4.el6.noarch > foreman-installer-1.2.0-1.el6.noarch > foreman-postgresql-1.2.0-1.el6.noarch > > -- > You received this message because you are subscribed to the Google Groups "Foreman users" group. 
> To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com. > To post to this group, send email to foreman-users@googlegroups.com. > Visit this group at http://groups.google.com/group/foreman-users. > For more options, visit https://groups.google.com/groups/opt_out. > >


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

Yaniv,

I am unable to reproduce these denials. Can you tell me more about what
you were doing when you saw these denials?

It would be best to tail audit.log, redeploy the policy (semodule -B),
and then identify the steps required to trigger the denials.

Thanks

··· On Sun, Jul 14, 2013 at 08:53:32AM -0700, Yaniv Kaul wrote: > Running on latest CentOS 6.4, with the selinux package, I'm getting many > denials: > > type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for > pid=1303 comm="ruby" > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 > ino=792378 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for > pid=1303 comm="ruby" > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 > ino=792378 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for > pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0 > ino=792350 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for > pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.949:20): avc: denied { execute } for > pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for > pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans } > for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > type=AVC msg=audit(1373816913.953:22): avc: denied { read } for pid=1416 > comm="ifconfig" name="unix" dev=proc 
ino=4026532007 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > type=AVC msg=audit(1373816913.954:23): avc: denied { search } for > pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir > type=AVC msg=audit(1373816913.954:24): avc: denied { open } for pid=1416 > comm="ifconfig" name="dev" dev=proc ino=4026531979 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for > pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc ino=4026531979 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } for > pid=1423 comm="rm" capability=26 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:system_r:passenger_t:s0 tclass=capability > type=AVC msg=audit(1373816974.509:44): avc: denied { getattr } for > pid=1303 comm="ruby" > path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem" > dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for > pid=1303 comm="ruby" src=17117 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:port_t:s0 tclass=udp_socket > > > [root@foreman ~]# rpm -qa |grep fore > foreman-release-1.2.0-1.el6.noarch > foreman-proxy-1.2.0-1.el6.noarch > foreman-1.2.0-1.el6.noarch > foreman-selinux-1.2.0-1.el6.noarch > ruby193-rubygem-foremancli-1.0-4.el6.noarch > foreman-installer-1.2.0-1.el6.noarch > foreman-postgresql-1.2.0-1.el6.noarch > > -- > You received this message because you are subscribed to the Google Groups "Foreman users" group. 
> To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com. > To post to this group, send email to foreman-users@googlegroups.com. > Visit this group at http://groups.google.com/group/foreman-users. > For more options, visit https://groups.google.com/groups/opt_out. > >


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

I've since disabled selinux (via a puppet module, at least). I'll try to
move to permissive and see what I can do.
Y.

··· On Friday, July 19, 2013 5:36:49 PM UTC+3, Lukas Zapletal wrote:

Yaniv,

I am unable to reproduce these denials. Can you tell me more about what
were you doing when seeing these denials?

Best would be to tail the audit.log and then redeploy policy (semodule
-B) and then identify the steps required to see those.

Thanks

On Sun, Jul 14, 2013 at 08:53:32AM -0700, Yaniv Kaul wrote:

Running on latest CentOS 6.4, with the selinux package, I’m getting many
denials:

type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for
pid=1303 comm="ruby"
name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0
ino=792378 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for
pid=1303 comm="ruby"
name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0
ino=792378 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for
pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0
ino=792350 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for
pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:20): avc: denied { execute } for
pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for
pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans }
for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:22): avc: denied { read } for pid=1416
comm="ifconfig" name="unix" dev=proc ino=4026532007
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:23): avc: denied { search } for
pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1373816913.954:24): avc: denied { open } for pid=1416
comm="ifconfig" name="dev" dev=proc ino=4026531979
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for
pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc ino=4026531979
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } for
pid=1423 comm="rm" capability=26
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:system_r:passenger_t:s0 tclass=capability
type=AVC msg=audit(1373816974.509:44): avc: denied { getattr } for
pid=1303 comm="ruby"
path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem"
dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for
pid=1303 comm="ruby" src=17117 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

[root@foreman ~]# rpm -qa |grep fore
foreman-release-1.2.0-1.el6.noarch
foreman-proxy-1.2.0-1.el6.noarch
foreman-1.2.0-1.el6.noarch
foreman-selinux-1.2.0-1.el6.noarch
ruby193-rubygem-foremancli-1.0-4.el6.noarch
foreman-installer-1.2.0-1.el6.noarch
foreman-postgresql-1.2.0-1.el6.noarch




Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman

type=AVC msg=audit(1375082822.806:4594): avc: denied { execute } for
pid=7323 comm="ruby" name="node.rb" dev=dm-0 ino=268265
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375082822.806:4594): avc: denied { execute_no_trans }
for pid=7323 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=268265
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1375082822.806:4594): arch=c000003e syscall=59
success=yes exit=0 a0=4d655b0 a1=7fff023bfff0 a2=480f360 a3=7fff023bfd50
items=0 ppid=29681 pid=7323 auid=4294967295 uid=52 gid=52 euid=52 suid=52
fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="node.rb"
exe="/bin/env" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1375082832.949:4595): avc: denied { create } for
pid=29681 comm="ruby"
name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock"
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375082832.949:4595): arch=c000003e syscall=83
success=yes exit=0 a0=4e04be0 a1=1ff a2=4e04c33 a3=20 items=0 ppid=1
pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52
sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby"
subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1375082832.950:4596): avc: denied { rmdir } for
pid=29681 comm="ruby"
name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock" dev=dm-0
ino=396578 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375082832.950:4596): arch=c000003e syscall=84
success=yes exit=0 a0=4e04be0 a1=7fc7d61cc438 a2=4e04c33 a3=20 items=0
ppid=1 pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52
egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby"
exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Result of 'service foreman restart'.

··· On Sunday, July 21, 2013 1:19:17 PM UTC+3, Yaniv Kaul wrote: > > On Friday, July 19, 2013 5:36:49 PM UTC+3, Lukas Zapletal wrote: > >> Yaniv, >> >> I am unable to reproduce these denials. Can you tell me more about what >> were you doing when seeing these denials? >> >> Best would be to tail the audit.log and then redeploy policy (semodule >> -B) and then identify the steps required to see those. >> >> Thanks >> >> On Sun, Jul 14, 2013 at 08:53:32AM -0700, Yaniv Kaul wrote: >> > Running on latest CentOS 6.4, with the selinux package, I'm getting >> many >> > denials: >> > >> > type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for >> > pid=1303 comm="ruby" >> > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 >> > ino=792378 scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for >> > pid=1303 comm="ruby" >> > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 >> > ino=792378 scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for >> > pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0 >> > ino=792350 scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for >> > pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.949:20): avc: denied { execute } for >> > pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for >> > pid=1416 
comm="sh" name="ifconfig" dev=dm-0 ino=44 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans >> } >> > for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.953:22): avc: denied { read } for >> pid=1416 >> > comm="ifconfig" name="unix" dev=proc ino=4026532007 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:proc_net_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.954:23): avc: denied { search } for >> > pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir >> > type=AVC msg=audit(1373816913.954:24): avc: denied { open } for >> pid=1416 >> > comm="ifconfig" name="dev" dev=proc ino=4026531979 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:proc_net_t:s0 tclass=file >> > type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for >> > pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc >> ino=4026531979 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:proc_net_t:s0 tclass=file >> > type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } >> for >> > pid=1423 comm="rm" capability=26 >> > scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:system_r:passenger_t:s0 tclass=capability >> > type=AVC msg=audit(1373816974.509:44): avc: denied { getattr } for >> > pid=1303 comm="ruby" >> > >> path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem" >> >> > dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file >> > type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for >> > 
pid=1303 comm="ruby" src=17117 >> scontext=system_u:system_r:passenger_t:s0 >> > tcontext=system_u:object_r:port_t:s0 tclass=udp_socket >> > >> > >> > [root@foreman ~]# rpm -qa |grep fore >> > foreman-release-1.2.0-1.el6.noarch >> > foreman-proxy-1.2.0-1.el6.noarch >> > foreman-1.2.0-1.el6.noarch >> > foreman-selinux-1.2.0-1.el6.noarch >> > ruby193-rubygem-foremancli-1.0-4.el6.noarch >> > foreman-installer-1.2.0-1.el6.noarch >> > foreman-postgresql-1.2.0-1.el6.noarch >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups "Foreman users" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> an email to foreman-user...@googlegroups.com. >> > To post to this group, send email to forema...@googlegroups.com. >> > Visit this group at http://groups.google.com/group/foreman-users. >> > For more options, visit https://groups.google.com/groups/opt_out. >> > >> > >> >> -- >> Later, >> >> Lukas "lzap" Zapletal >> irc: lzap #theforeman >> > > I've since disabled selinux (via a puppet module, at least). I'll try to > move to permissive and see what I can do. > Y. > >

Yaniv,

are you running Puppet under mod_passenger as well?

I don't think these denials are foreman's: the targets are puppet_etc_t
(/etc/puppet/node.rb) and puppet_var_lib_t, i.e. Puppet's own files, being
accessed from the passenger_t domain. Restarting foreman =
restarting httpd = restarting puppet master.

LZ

··· On Mon, Jul 29, 2013 at 12:28:35AM -0700, Yaniv Kaul wrote: > type=AVC msg=audit(1375082822.806:4594): avc: denied { execute } for > pid=7323 comm="ruby" name="node.rb" dev=dm-0 ino=268265 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file > type=AVC msg=audit(1375082822.806:4594): avc: denied { execute_no_trans } > for pid=7323 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=268265 > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file > type=SYSCALL msg=audit(1375082822.806:4594): arch=c000003e syscall=59 > success=yes exit=0 a0=4d655b0 a1=7fff023bfff0 a2=480f360 a3=7fff023bfd50 > items=0 ppid=29681 pid=7323 auid=4294967295 uid=52 gid=52 euid=52 suid=52 > fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="node.rb" > exe="/bin/env" subj=system_u:system_r:passenger_t:s0 key=(null) > type=AVC msg=audit(1375082832.949:4595): avc: denied { create } for > pid=29681 comm="ruby" > name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock" > scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir > type=SYSCALL msg=audit(1375082832.949:4595): arch=c000003e syscall=83 > success=yes exit=0 a0=4e04be0 a1=1ff a2=4e04c33 a3=20 items=0 ppid=1 > pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 > sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" > subj=system_u:system_r:passenger_t:s0 key=(null) > type=AVC msg=audit(1375082832.950:4596): avc: denied { rmdir } for > pid=29681 comm="ruby" > name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock" dev=dm-0 > ino=396578 scontext=system_u:system_r:passenger_t:s0 > tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir > type=SYSCALL msg=audit(1375082832.950:4596): arch=c000003e syscall=84 > success=yes exit=0 a0=4e04be0 a1=7fc7d61cc438 a2=4e04c33 a3=20 items=0 > ppid=1 pid=29681 auid=4294967295 uid=52 gid=52 
euid=52 suid=52 fsuid=52 > egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" > exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null) > > > Result of 'service foreman restart'. > > > On Sunday, July 21, 2013 1:19:17 PM UTC+3, Yaniv Kaul wrote: > > > > On Friday, July 19, 2013 5:36:49 PM UTC+3, Lukas Zapletal wrote: > > > >> Yaniv, > >> > >> I am unable to reproduce these denials. Can you tell me more about what > >> were you doing when seeing these denials? > >> > >> Best would be to tail the audit.log and then redeploy policy (semodule > >> -B) and then identify the steps required to see those. > >> > >> Thanks > >> > >> On Sun, Jul 14, 2013 at 08:53:32AM -0700, Yaniv Kaul wrote: > >> > Running on latest CentOS 6.4, with the selinux package, I'm getting > >> many > >> > denials: > >> > > >> > type=AVC msg=audit(1373816913.310:17): avc: denied { setattr } for > >> > pid=1303 comm="ruby" > >> > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 > >> > ino=792378 scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for > >> > pid=1303 comm="ruby" > >> > name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0" dev=dm-0 > >> > ino=792378 scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for > >> > pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml" dev=dm-0 > >> > ino=792350 scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.949:19): avc: denied { getattr } for > >> > pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.949:20): avc: 
denied { execute } for > >> > pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.953:21): avc: denied { read open } for > >> > pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.953:21): avc: denied { execute_no_trans > >> } > >> > for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.953:22): avc: denied { read } for > >> pid=1416 > >> > comm="ifconfig" name="unix" dev=proc ino=4026532007 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.954:23): avc: denied { search } for > >> > pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir > >> > type=AVC msg=audit(1373816913.954:24): avc: denied { open } for > >> pid=1416 > >> > comm="ifconfig" name="dev" dev=proc ino=4026531979 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > >> > type=AVC msg=audit(1373816913.954:25): avc: denied { getattr } for > >> > pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc > >> ino=4026531979 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:proc_net_t:s0 tclass=file > >> > type=AVC msg=audit(1373816914.351:26): avc: denied { sys_tty_config } > >> for > >> > pid=1423 comm="rm" capability=26 > >> > scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:system_r:passenger_t:s0 tclass=capability > >> > type=AVC msg=audit(1373816974.509:44): avc: denied { 
getattr } for > >> > pid=1303 comm="ruby" > >> > > >> path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem" > >> > >> > dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:var_lib_t:s0 tclass=file > >> > type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind } for > >> > pid=1303 comm="ruby" src=17117 > >> scontext=system_u:system_r:passenger_t:s0 > >> > tcontext=system_u:object_r:port_t:s0 tclass=udp_socket > >> > > >> > > >> > [root@foreman ~]# rpm -qa |grep fore > >> > foreman-release-1.2.0-1.el6.noarch > >> > foreman-proxy-1.2.0-1.el6.noarch > >> > foreman-1.2.0-1.el6.noarch > >> > foreman-selinux-1.2.0-1.el6.noarch > >> > ruby193-rubygem-foremancli-1.0-4.el6.noarch > >> > foreman-installer-1.2.0-1.el6.noarch > >> > foreman-postgresql-1.2.0-1.el6.noarch > >> > > >> > -- > >> > You received this message because you are subscribed to the Google > >> Groups "Foreman users" group. > >> > To unsubscribe from this group and stop receiving emails from it, send > >> an email to foreman-user...@googlegroups.com. > >> > To post to this group, send email to forema...@googlegroups.com. > >> > Visit this group at http://groups.google.com/group/foreman-users. > >> > For more options, visit https://groups.google.com/groups/opt_out. > >> > > >> > > >> > >> -- > >> Later, > >> > >> Lukas "lzap" Zapletal > >> irc: lzap #theforeman > >> > > > > I've since disabled selinux (via a puppet module, at least). I'll try to > > move to permissive and see what I can do. > > Y. > > > > > > -- > You received this message because you are subscribed to the Google Groups "Foreman users" group. > To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com. > To post to this group, send email to foreman-users@googlegroups.com. > Visit this group at http://groups.google.com/group/foreman-users. 
> For more options, visit https://groups.google.com/groups/opt_out. > >


Later,

Lukas "lzap" Zapletal
irc: lzap #theforeman

> Yaniv,
>
> are you running Puppet under mod_passenger as well?
>

I believe so. I'm running it in whatever way it was set up by the foreman
installer. (puppet 3.2.3)
Y.

··· On Tuesday, July 30, 2013 1:13:43 PM UTC+3, Lukas Zapletal wrote:

I don't think these denials are foreman's. Restarting foreman =
restarting httpd = restarting puppet master.

LZ

On Mon, Jul 29, 2013 at 12:28:35AM -0700, Yaniv Kaul wrote:

type=AVC msg=audit(1375082822.806:4594): avc: denied { execute } for
pid=7323 comm="ruby" name="node.rb" dev=dm-0 ino=268265
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375082822.806:4594): avc: denied {
execute_no_trans }
for pid=7323 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=268265
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1375082822.806:4594): arch=c000003e syscall=59
success=yes exit=0 a0=4d655b0 a1=7fff023bfff0 a2=480f360 a3=7fff023bfd50
items=0 ppid=29681 pid=7323 auid=4294967295 uid=52 gid=52 euid=52
suid=52
fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295
comm="node.rb"
exe="/bin/env" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1375082832.949:4595): avc: denied { create } for
pid=29681 comm="ruby"
name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock"
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375082832.949:4595): arch=c000003e syscall=83
success=yes exit=0 a0=4e04be0 a1=1ff a2=4e04c33 a3=20 items=0 ppid=1
pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52
sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby"
exe="/usr/bin/ruby"
subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1375082832.950:4596): avc: denied { rmdir } for
pid=29681 comm="ruby"
name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock"
dev=dm-0
ino=396578 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375082832.950:4596): arch=c000003e syscall=84
success=yes exit=0 a0=4e04be0 a1=7fc7d61cc438 a2=4e04c33 a3=20 items=0
ppid=1 pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52
egid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby"
exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Result of 'service foreman restart'.

On Sunday, July 21, 2013 1:19:17 PM UTC+3, Yaniv Kaul wrote:

On Friday, July 19, 2013 5:36:49 PM UTC+3, Lukas Zapletal wrote:

Yaniv,

I am unable to reproduce these denials. Can you tell me more about
what you were doing when you saw these denials?

It would be best to tail the audit.log, redeploy the policy
(semodule -B), and then identify the steps required to trigger them.

Thanks

On Sun, Jul 14, 2013 at 08:53:32AM -0700, Yaniv Kaul wrote:

Running on latest CentOS 6.4, with the selinux package, I'm getting
many denials:

type=AVC msg=audit(1373816913.310:17): avc: denied { setattr }
for

pid=1303 comm="ruby"
name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0"
dev=dm-0

ino=792378 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { rename } for
pid=1303 comm="ruby"
name="foreman.xiolab.lab.abc.com.yaml20130714-1303-131hr6b-0"
dev=dm-0

ino=792378 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.320:18): avc: denied { unlink } for
pid=1303 comm="ruby" name="foreman.xiolab.lab.abc.com.yaml"
dev=dm-0

ino=792350 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:19): avc: denied { getattr }
for

pid=1303 comm="ruby" path="/sbin/ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.949:20): avc: denied { execute }
for

pid=1303 comm="ruby" name="ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied { read open }
for

pid=1416 comm="sh" name="ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:21): avc: denied {
execute_no_trans

}

for pid=1416 comm="sh" path="/sbin/ifconfig" dev=dm-0 ino=44
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1373816913.953:22): avc: denied { read } for
pid=1416
comm="ifconfig" name="unix" dev=proc ino=4026532007
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:23): avc: denied { search } for
pid=1416 comm="ifconfig" scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1373816913.954:24): avc: denied { open } for
pid=1416
comm="ifconfig" name="dev" dev=proc ino=4026531979
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816913.954:25): avc: denied { getattr }
for

pid=1416 comm="ifconfig" path="/proc/1416/net/dev" dev=proc
ino=4026531979
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1373816914.351:26): avc: denied {
sys_tty_config }

for

pid=1423 comm="rm" capability=26
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:system_r:passenger_t:s0 tclass=capability
type=AVC msg=audit(1373816974.509:44): avc: denied { getattr }
for

pid=1303 comm="ruby"

path="/opt/rh/ruby193/root/usr/var/lib/puppet/.puppet/ssl/certs/foreman.xiolab.lab.abc.com.pem"

dev=dm-0 ino=792301 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1373817034.643:45): avc: denied { name_bind }
for

pid=1303 comm="ruby" src=17117
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

[root@foreman ~]# rpm -qa |grep fore
foreman-release-1.2.0-1.el6.noarch
foreman-proxy-1.2.0-1.el6.noarch
foreman-1.2.0-1.el6.noarch
foreman-selinux-1.2.0-1.el6.noarch
ruby193-rubygem-foremancli-1.0-4.el6.noarch
foreman-installer-1.2.0-1.el6.noarch
foreman-postgresql-1.2.0-1.el6.noarch




Later,

Lukas "lzap" Zapletal
irc: lzap #theforeman

I've since disabled selinux (via a puppet module, at least). I'll try
to move to permissive and see what I can do.
Y.




Later,

Lukas "lzap" Zapletal
irc: lzap #theforeman

> I believe so. I'm running it in whatever way it was set up by the foreman
> installer. (puppet 3.2.3)

There are a couple of fixes coming into selinux-policy in the next few
days which could resolve your denials.

··· On Thu, Aug 01, 2013 at 07:34:03AM -0700, Yaniv Kaul wrote:

On Mon, Jul 29, 2013 at 12:28:35AM -0700, Yaniv Kaul wrote:

type=AVC msg=audit(1375082822.806:4594): avc: denied { execute } for
pid=7323 comm="ruby" name="node.rb" dev=dm-0 ino=268265
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1375082822.806:4594): avc: denied {
execute_no_trans }
for pid=7323 comm="ruby" path="/etc/puppet/node.rb" dev=dm-0 ino=268265
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1375082822.806:4594): arch=c000003e syscall=59
success=yes exit=0 a0=4d655b0 a1=7fff023bfff0 a2=480f360 a3=7fff023bfd50
items=0 ppid=29681 pid=7323 auid=4294967295 uid=52 gid=52 euid=52
suid=52
fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295
comm="node.rb"
exe="/bin/env" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1375082832.949:4595): avc: denied { create } for
pid=29681 comm="ruby"
name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock"
scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375082832.949:4595): arch=c000003e syscall=83
success=yes exit=0 a0=4e04be0 a1=1ff a2=4e04c33 a3=20 items=0 ppid=1
pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52
sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby"
exe="/usr/bin/ruby"
subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1375082832.950:4596): avc: denied { rmdir } for
pid=29681 comm="ruby"
name="lg740.xiolab.lab.abc.com.yaml20130729-29681-8o0fjq-0.lock"
dev=dm-0
ino=396578 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1375082832.950:4596): arch=c000003e syscall=84
success=yes exit=0 a0=4e04be0 a1=7fc7d61cc438 a2=4e04c33 a3=20 items=0
ppid=1 pid=29681 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52
egid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby"
exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Later,

Lukas "lzap" Zapletal
irc: lzap #theforeman