foreman-nightly-rpm-pipeline 946 failed

Foreman RPM nightly pipeline failed:

https://ci.theforeman.org/job/foreman-nightly-rpm-pipeline/946/

foreman-pipeline-foreman-nightly-centos7-install (failed)
foreman-pipeline-foreman-nightly-centos8-install (failed)
foreman-pipeline-foreman-nightly-centos7-upgrade (failed)
foreman-pipeline-foreman-nightly-centos8-upgrade (failed)

1..1
not ok 1 ensure no SELinux denials
# (in test file fb-verify-selinux.bats, line 12)
#   `[ "${status}" -eq 1 ]' failed
# ----
# time->Wed Feb 17 22:13:24 2021
# type=PROCTITLE msg=audit(1613600004.938:2167): proctitle=72756279002F7573722F73686172652F666F72656D616E2F62696E2F7261696C7300736572766572002D2D656E7669726F6E6D656E740070726F64756374696F6E
# type=SYSCALL msg=audit(1613600004.938:2167): arch=c000003e syscall=83 success=no exit=-13 a0=4a60f20 a1=1ff a2=1d6ef30 a3=7ffcf4c8f160 items=0 ppid=1 pid=12564 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600004.938:2167): avc:  denied  { write } for  pid=12564 comm="ruby" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:13:24 2021
# type=PROCTITLE msg=audit(1613600004.938:2168): proctitle=72756279002F7573722F73686172652F666F72656D616E2F62696E2F7261696C7300736572766572002D2D656E7669726F6E6D656E740070726F64756374696F6E
# type=SYSCALL msg=audit(1613600004.938:2168): arch=c000003e syscall=83 success=no exit=-13 a0=4a60f20 a1=1ff a2=1d6ef30 a3=7ffcf4c8ef20 items=0 ppid=1 pid=12564 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600004.938:2168): avc:  denied  { write } for  pid=12564 comm="ruby" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:22 2021
# type=PROCTITLE msg=audit(1613600062.834:2174): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600062.834:2174): arch=c000003e syscall=83 success=no exit=-13 a0=41ec610 a1=1ff a2=2237f30 a3=7ffee26be020 items=0 ppid=1 pid=12912 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600062.834:2174): avc:  denied  { write } for  pid=12912 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:22 2021
# type=PROCTITLE msg=audit(1613600062.834:2175): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600062.834:2175): arch=c000003e syscall=83 success=no exit=-13 a0=41ec610 a1=1ff a2=2237f30 a3=7ffee26bdde0 items=0 ppid=1 pid=12912 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600062.834:2175): avc:  denied  { write } for  pid=12912 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:47 2021
# type=PROCTITLE msg=audit(1613600087.785:2177): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600087.785:2177): arch=c000003e syscall=83 success=no exit=-13 a0=3ce4830 a1=1ff a2=199cf30 a3=7ffe6a74e460 items=0 ppid=1 pid=13017 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600087.785:2177): avc:  denied  { write } for  pid=13017 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:47 2021
# type=PROCTITLE msg=audit(1613600087.785:2178): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600087.785:2178): arch=c000003e syscall=83 success=no exit=-13 a0=3ce4830 a1=1ff a2=199cf30 a3=7ffe6a74e200 items=0 ppid=1 pid=13017 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600087.785:2178): avc:  denied  { write } for  pid=13017 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0

This is due to:

In other words, probably something that played a role for a longer time but we never tested for. It was the result of a discussion between @evgeni, @ehelms and me.

FWIW, those are present directly after installation, without any tests have run.

# find / -context \*:rpm_script_tmp_t:s\* -name home
/tmp/bundler/home

I don’t know what /tmp/bundler is or why it tries to write there, tho…

It is present on other installs after a reboot too:

# ls /tmp/bundler/home/ -alhZ
drwxrwxrwx. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 .
drwxr-xr-x. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 ..
drwxr-xr-x. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 foreman
drwxr-xr-x. foreman-proxy foreman-proxy system_u:object_r:system_cronjob_tmp_t:s0 foreman-proxy
drwxr-xr-x. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 root

But now a different label…

Which brings me to

And that again brings me to

Which indicates that bundle exec … creates those dirs, but they are actually not really needed…

Oh, and there is an CVE for that by lzap :

https://bugzilla.redhat.com/show_bug.cgi?id=1651826

but it seems it remains unfixed in rh-ruby25 SCL and EL8

I think the following would silence the denial

@lzap what do you think?

and just to close out the circle, Ewoud has disabled the check for now, so that it won’t affect pipelines and we can work on the solution:

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.