Foreman 1.22.1: Selinux Alert in /var/log/audit/audit.log

Problem:
Ruby cannot write to the foreman directory, as the selinux policy prevents it.
A selinux alert is generated.

Foreman still runs without observable problems.

Expected outcome:
The selinux policy contains all relevant data.

Foreman and Proxy versions:
1.22.1 on Rhel7.6 latest

Foreman and Proxy plugin versions:

Other relevant data:

sealert -a /var/log/audit/audit.log

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from write access on the directory foreman.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow ruby to have write access on the foreman directory
Then you need to change the label on foreman
Do
# semanage fcontext -a -t FILE_TYPE 'foreman'
where FILE_TYPE is one of the following: cert_t, foreman_lib_t, foreman_var_run_t, httpd_tmp_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, puppet_log_t, puppet_var_lib_t, tmp_t, var_log_t, var_run_t.
Then execute:
restorecon -v 'foreman'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that ruby should be allowed write access on the foreman directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ruby' --raw | audit2allow -M my-ruby
# semodule -i my-ruby.pp

Additional Information:
Source Context                system_u:system_r:passenger_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                foreman [ dir ]
Source                        ruby
Source Path                   /opt/rh/rh-ruby25/root/usr/bin/ruby
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           rh-ruby25-ruby-2.5.5-7.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.15.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foreman1.3ve.bmlv.at

Platform                      Linux foreman1.3ve.bmlv.at
                              3.10.0-957.27.2.el7.x86_64 #1 SMP Tue Jul 9
                              16:53:14 UTC 2019 x86_64 x86_64
Alert Count                   192
First Seen                    2019-09-11 05:28:51 CEST
Last Seen                     2019-09-11 08:39:58 CEST
Local ID                      b04d620e-4e07-42dc-8d67-1a4eed196ef2

Raw Audit Messages
type=AVC msg=audit(1568183998.690:2070): avc:  denied  { write } for  pid=20729 comm="ruby" name="foreman" dev="dm-0" ino=2101647 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1568183998.690:2070): arch=x86_64 syscall=access success=yes exit=0 a0=39ec3c8 a1=2 a2=7ffeb69b9f60 a3=1 items=0 ppid=20728 pid=20729 auid=4294967295 uid=496 gid=496 euid=496 suid=496 fsuid=496 egid=496 sgid=496 fsgid=496 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

Hash: ruby,passenger_t,usr_t,dir,write
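To triage records like the raw AVC line above without sealert, here is an added example (not from the original post and not part of foreman-selinux) that parses AVC lines into their fields, rebuilds the same key sealert prints as "Hash: ...", and flags whether a denial was actually enforced. In the record above, permissive=1 means the kernel logged the write but let it through (the SYSCALL record's success=yes agrees), which is why Foreman keeps running; the sample line is the one from the report.

```python
import re
from dataclasses import dataclass

# AVC record copied from the sealert report above (used as sample input).
SAMPLE_AVC = ('type=AVC msg=audit(1568183998.690:2070): avc:  denied  { write } for  '
              'pid=20729 comm="ruby" name="foreman" dev="dm-0" ino=2101647 '
              'scontext=system_u:system_r:passenger_t:s0 '
              'tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: list   # permissions denied, e.g. ['write']
    fields: dict  # key=value pairs after "for", quotes stripped

    def ctx_type(self, key):
        # SELinux context is user:role:type:level; the type is what policy rules use.
        return self.fields[key].split(':')[2]

    @property
    def enforced(self):
        # permissive=1: global permissive mode or a per-domain permissive rule,
        # so the access was only audited, not blocked.
        return self.fields.get('permissive', '0') == '0'


def parse_avc(line):
    """Parse one AVC audit record; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcDenial(m.group('perms').split(), fields)


def denial_key(d):
    # Same tuple sealert prints as "Hash: ruby,passenger_t,usr_t,dir,write".
    return (d.fields.get('comm'), d.ctx_type('scontext'), d.ctx_type('tcontext'),
            d.fields.get('tclass'), ' '.join(d.perms))


def triage(lines):
    """Count denials per key and note whether each was enforced or audit-only."""
    seen = {}
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            entry = seen.setdefault(denial_key(d), {'count': 0, 'enforced': d.enforced})
            entry['count'] += 1
    return seen
```

Feed it `ausearch -m AVC --raw` output (one record per line) to get the same grouping sealert shows, plus an explicit enforced/audit-only flag per group.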

Passenger does terrible things during launch, it calls gcc and compiles some plugins/extensions. We do not allow that, it is operating normally without these. I was trying to catch up with the changes for some time but I dropped the ball.

If you want, feel free to investigate and send us a patch into foreman-selinux policy. Long term, we would like to switch to puma.

If these alerts can be safely ignored, I will happily do so. Going away from passenger may not be the worst idea though.

I can tell stories. It served well, but it’s quite complicated. FYI it compiles some plugin that speeds up things, RPM packages should ship binaries but they mess around with paths all the time so it gets outdated and it tries to recompile it.

Well, compilers on production servers = cracker’s dream.