foreman-nightly-rpm-pipeline 946 failed

jenkins · February 17, 2021, 10:37pm

Foreman RPM nightly pipeline failed:

https://ci.theforeman.org/job/foreman-nightly-rpm-pipeline/946/

foreman-pipeline-foreman-nightly-centos7-install (failed)
foreman-pipeline-foreman-nightly-centos8-install (failed)
foreman-pipeline-foreman-nightly-centos7-upgrade (failed)
foreman-pipeline-foreman-nightly-centos8-upgrade (failed)

ekohl · February 18, 2021, 12:28am

1..1
not ok 1 ensure no SELinux denials
# (in test file fb-verify-selinux.bats, line 12)
#   `[ "${status}" -eq 1 ]' failed
# ----
# time->Wed Feb 17 22:13:24 2021
# type=PROCTITLE msg=audit(1613600004.938:2167): proctitle=72756279002F7573722F73686172652F666F72656D616E2F62696E2F7261696C7300736572766572002D2D656E7669726F6E6D656E740070726F64756374696F6E
# type=SYSCALL msg=audit(1613600004.938:2167): arch=c000003e syscall=83 success=no exit=-13 a0=4a60f20 a1=1ff a2=1d6ef30 a3=7ffcf4c8f160 items=0 ppid=1 pid=12564 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600004.938:2167): avc:  denied  { write } for  pid=12564 comm="ruby" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:13:24 2021
# type=PROCTITLE msg=audit(1613600004.938:2168): proctitle=72756279002F7573722F73686172652F666F72656D616E2F62696E2F7261696C7300736572766572002D2D656E7669726F6E6D656E740070726F64756374696F6E
# type=SYSCALL msg=audit(1613600004.938:2168): arch=c000003e syscall=83 success=no exit=-13 a0=4a60f20 a1=1ff a2=1d6ef30 a3=7ffcf4c8ef20 items=0 ppid=1 pid=12564 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600004.938:2168): avc:  denied  { write } for  pid=12564 comm="ruby" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:22 2021
# type=PROCTITLE msg=audit(1613600062.834:2174): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600062.834:2174): arch=c000003e syscall=83 success=no exit=-13 a0=41ec610 a1=1ff a2=2237f30 a3=7ffee26be020 items=0 ppid=1 pid=12912 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600062.834:2174): avc:  denied  { write } for  pid=12912 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:22 2021
# type=PROCTITLE msg=audit(1613600062.834:2175): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600062.834:2175): arch=c000003e syscall=83 success=no exit=-13 a0=41ec610 a1=1ff a2=2237f30 a3=7ffee26bdde0 items=0 ppid=1 pid=12912 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600062.834:2175): avc:  denied  { write } for  pid=12912 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:47 2021
# type=PROCTITLE msg=audit(1613600087.785:2177): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600087.785:2177): arch=c000003e syscall=83 success=no exit=-13 a0=3ce4830 a1=1ff a2=199cf30 a3=7ffe6a74e460 items=0 ppid=1 pid=13017 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600087.785:2177): avc:  denied  { write } for  pid=13017 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0
# ----
# time->Wed Feb 17 22:14:47 2021
# type=PROCTITLE msg=audit(1613600087.785:2178): proctitle=2F6F70742F72682F72682D7275627932352F726F6F742F7573722F62696E2F72756279002F6F70742F746865666F72656D616E2F74666D2F726F6F742F7573722F62696E2F736964656B6971002D650070726F64756374696F6E002D72002F7573722F73686172652F666F72656D616E2F6578747261732F64796E666C6F772D
# type=SYSCALL msg=audit(1613600087.785:2178): arch=c000003e syscall=83 success=no exit=-13 a0=3ce4830 a1=1ff a2=199cf30 a3=7ffe6a74e200 items=0 ppid=1 pid=13017 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="sidekiq" exe="/opt/rh/rh-ruby25/root/usr/bin/ruby" subj=system_u:system_r:foreman_rails_t:s0 key=(null)
# type=AVC msg=audit(1613600087.785:2178): avc:  denied  { write } for  pid=13017 comm="sidekiq" name="home" dev="vda1" ino=5441029 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=unconfined_u:object_r:rpm_script_tmp_t:s0 tclass=dir permissive=0

This is due to:

In other words, probably something that played a role for a longer time but we never tested for. It was the result of a discussion between @evgeni, @ehelms and me.

evgeni · February 18, 2021, 7:28am

FWIW, those are present directly after installation, without any tests have run.

evgeni · February 18, 2021, 8:21am

# find / -context \*:rpm_script_tmp_t:s\* -name home
/tmp/bundler/home

I don’t know what /tmp/bundler is or why it tries to write there, tho…

It is present on other installs after a reboot too:

# ls /tmp/bundler/home/ -alhZ
drwxrwxrwx. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 .
drwxr-xr-x. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 ..
drwxr-xr-x. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 foreman
drwxr-xr-x. foreman-proxy foreman-proxy system_u:object_r:system_cronjob_tmp_t:s0 foreman-proxy
drwxr-xr-x. foreman       foreman       system_u:object_r:system_cronjob_tmp_t:s0 root

But now a different label…

Which brings me to

github.com

theforeman/foreman-selinux/blob/1bc001e8674f367f0b8174ddd108c6be6e6f1be0/foreman.te#L350-L354:


# When Foreman cronjob is started before Ruby on Rails, /tmp/bundler
# is created with system_u:object_r:system_cronjob_tmp_t:s0 label denying
# access to the web process
manage_files_pattern(foreman_rails_t, system_cronjob_tmp_t, system_cronjob_tmp_t)
manage_dirs_pattern(foreman_rails_t, system_cronjob_tmp_t, system_cronjob_tmp_t)

evgeni · February 18, 2021, 8:28am

And that again brings me to

github.com/rubygems/rubygems

"`/` is not writable" message emitted on read-only bundle invocations

opened 12:31AM - 15 Aug 18 UTC

closed 08:07AM - 08 Jul 21 UTC

Roguelazer

status: confirmed Bundler

If bundler is run in a production environment (i.e., on an immutable filesystem …and with `$HOME` unset), it helpfully prints out the following warning on every invocation (even those like `bundle exec` which should never write to the filesystem) ``` `/` is not writable. Bundler will use `/tmp/bundler/home/username' as your home directory temporarily. ``` Setting `$HOME` to point to a writable temporary directory suppresses the message. I verified (using `strace`) that nothing is ever opened in that temporary directory. I have two issues with this log message: 1. Warning that `/` isn't writable on an action that will never write seems extraneous. 2. Errors should be printed to stderr instead of stdout. There is never an acceptable care to print errors to stdout. Yes, I'm aware that I can export `$BUNDLE_ERROR_ON_STDERR` but does that really need to be opt-in for relatively-new warnings? Nobody could possibly have been relying on the broken behavior of writing errors to stdout for a warning that didn't even exist two minor versions ago. This looks closely related to rubygems/bundler#5371 (which was closed but only for the case where $HOME is unset) and to have been proximally caused by rubygems/bundler#5385. It would be swell if bundler (a) would not attempt to write when running `bundle exec`, and (b) would write this warning to stderr if it really feels the need to emit it. ``` % bundle version Bundler version 1.16.3 (2018-07-17 commit 12e73cab7) % bundle exec ruby --version ruby 2.3.7p456 (2018-03-28 revision 63024) [x86_64-linux-gnu] ``` Let me know if you'd prefer that I re-open rubygems/bundler#5371 in favor of opening a new issue

Which indicates that bundle exec … creates those dirs, but they are actually not really needed…

evgeni · February 18, 2021, 8:34am

Oh, and there is an CVE for that by lzap :

https://bugzilla.redhat.com/show_bug.cgi?id=1651826

but it seems it remains unfixed in rh-ruby25 SCL and EL8

evgeni · February 18, 2021, 11:25am

I think the following would silence the denial

@lzap what do you think?

evgeni · February 18, 2021, 3:33pm

and just to close out the circle, Ewoud has disabled the check for now, so that it won’t affect pipelines and we can work on the solution:

system · February 25, 2021, 3:33pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.