Problem:
Ruby cannot write to the foreman directory, as the selinux policy prevents it.
A selinux alert is generated.
Foreman still runs without observable problems.
Expected outcome:
The selinux policy contains all relevant data.
Foreman and Proxy versions:
1.22.1 on Rhel7.6 latest
Foreman and Proxy plugin versions:
Other relevant data:
sealert -a /var/log/audit/audit.log
SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from write access on the directory foreman.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow ruby to have write access on the foreman directory
Then you need to change the label on foreman
Do
# semanage fcontext -a -t FILE_TYPE 'foreman'
where FILE_TYPE is one of the following: cert_t, foreman_lib_t, foreman_var_run_t, httpd_tmp_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, puppet_log_t, puppet_var_lib_t, tmp_t, var_log_t, var_run_t.
Then execute:
restorecon -v 'foreman'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that ruby should be allowed write access on the foreman directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ruby' --raw | audit2allow -M my-ruby
# semodule -i my-ruby.pp
Additional Information:
Source Context system_u:system_r:passenger_t:s0
Target Context system_u:object_r:usr_t:s0
Target Objects foreman [ dir ]
Source ruby
Source Path /opt/rh/rh-ruby25/root/usr/bin/ruby
Port <Unknown>
Host <Unknown>
Source RPM Packages rh-ruby25-ruby-2.5.5-7.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.15.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name foreman1.3ve.bmlv.at
Platform Linux foreman1.3ve.bmlv.at 3.10.0-957.27.2.el7.x86_64 #1 SMP Tue Jul 9 16:53:14 UTC 2019 x86_64 x86_64
Alert Count 192
First Seen 2019-09-11 05:28:51 CEST
Last Seen 2019-09-11 08:39:58 CEST
Local ID b04d620e-4e07-42dc-8d67-1a4eed196ef2
Raw Audit Messages
type=AVC msg=audit(1568183998.690:2070): avc: denied { write } for pid=20729 comm="ruby" name="foreman" dev="dm-0" ino=2101647 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1568183998.690:2070): arch=x86_64 syscall=access success=yes exit=0 a0=39ec3c8 a1=2 a2=7ffeb69b9f60 a3=1 items=0 ppid=20728 pid=20729 auid=4294967295 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
Hash: ruby,passenger_t,usr_t,dir,write
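Added example (not part of the report or of foreman-selinux): a small POSIX shell parser for the raw AVC record above. It pulls out the source and target types, the object class and permission, and checks the permissive flag, which is what explains why sealert counts 192 alerts while Foreman keeps working: the record carries permissive=1, so the write was logged but not blocked. The AVC line is copied from the report; function names are the example's own.

```shell
#!/bin/sh
# Constructed input: the AVC record quoted in the report above.
AVC='type=AVC msg=audit(1568183998.690:2070): avc: denied { write } for pid=20729 comm="ruby" name="foreman" dev="dm-0" ino=2101647 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1'

# avc_field RECORD KEY: print the value of KEY=... with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: print the permission set between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) } for .*/\1/p'
}

# avc_type CONTEXT: the type component of a user:role:type:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_enforced RECORD: succeed only if the kernel actually blocked the access.
# permissive=1 means the source domain (here passenger_t) is permissive: the
# denial is logged, but the write goes through, so the service shows no error.
avc_enforced() {
    [ "$(avc_field "$1" permissive)" = "0" ]
}

# avc_summary RECORD: one-line digest suitable for pasting into a ticket.
avc_summary() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    if avc_enforced "$1"; then mode=enforced; else mode=permissive; fi
    printf '%s -> %s %s:{%s} on %s (%s)\n' \
        "$src" "$tgt" "$(avc_field "$1" tclass)" "$(avc_perms "$1")" \
        "$(avc_field "$1" name)" "$mode"
}

avc_summary "$AVC"
```

The target type in this record is the generic usr_t rather than one of the foreman_* or passenger_* types sealert lists, so comparing the directory's actual label (ls -Z) with what the policy expects for its path (matchpathcon) tells you whether a relabel or a policy change is the right fix.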