SELinux Denials with Foreman-1.6.0

I am noticing I'm getting some denials reported by SELinux on a system that
runs foreman-1.6.0. Unsure if an update to the latest stable Foreman would
resolve these. So far no functionality seems to be broken, but it's been
my experience that a lot of passenger-related tasks trigger large numbers of
denials without breaking functionality.

If I run "cat /var/log/audit/audit.log | audit2allow -m my-foreman" I get
this:

module my-foreman 1.0;

require {
type ssh_exec_t;
type passenger_t;
class process { getcap setcap };
class file { read getattr open execute execute_no_trans };
}

#============= passenger_t ==============
allow passenger_t self:process { getcap setcap };
allow passenger_t ssh_exec_t:file { read getattr open execute execute_no_trans };

This host runs only Foreman; the Puppetmaster is on a separate host. This
host also performs none of the proxy functions; those are all on separate
hosts too. My Compute Resources are Libvirt, oVirt and VMware. My hunch
is that the SSH-related denial was related to libvirt. I have no plugins
enabled on this instance of Foreman (according to the "About" page).

These are the foreman packages installed:

foreman.noarch 1.6.0-1.el6 @foreman
foreman-compute.noarch 1.6.0-1.el6 @foreman
foreman-gce.noarch 1.6.0-1.el6 @foreman
foreman-installer.noarch 1:1.6.0-1.el6 @foreman
foreman-libvirt.noarch 1.6.0-1.el6 @foreman
foreman-mysql2.noarch 1.6.0-1.el6 @foreman
foreman-ovirt.noarch 1.6.0-1.el6 @foreman
foreman-release.noarch 1.6.0-1.el6 @/foreman-release
foreman-selinux.noarch 1.6.0-1.el6 @foreman
foreman-vmware.noarch 1.6.0-1.el6 @foreman

Below are the AVC denials when I grep for "passenger":

Let me know if I should file a bug or if the fact that nothing seems broken
means these can be safely ignored. I recently enabled "setroubleshoot" and
am going through the mountain of emails I got across my systems to try and
see where things could be improved. Because Foreman handles SELinux so
well, it's one of the few hosts I have where I have not set SELinux to
permissive.

Thanks,

- Trey

type=AVC msg=audit(1426534611.802:180414): avc: denied { getattr } for
pid=9106 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1426534611.802:180414): arch=c000003e syscall=4
success=yes exit=0 a0=7ff52d55d460 a1=7ff54559ee90 a2=7ff54559ee90 a3=d
items=0 ppid=1 pid=9106 auid=0 uid=498 gid=497 euid=498 suid=498 fsuid=498
egid=497 sgid=497 fsgid=497 tty=(none) ses=27155 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1426534611.942:180415): avc: denied { getcap } for
pid=22687 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0
tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1426534611.942:180415): arch=c000003e syscall=125
success=yes exit=0 a0=7ff52ca3ae34 a1=7ff52ca3ae3c a2=4 a3=7ff54559ecc0
items=0 ppid=9101 pid=22687 auid=0 uid=498 gid=497 euid=498 suid=498
fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) ses=27155 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1426534611.949:180416): avc: denied { setcap } for
pid=22687 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0
tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1426534611.949:180416): arch=c000003e syscall=126
success=yes exit=0 a0=7ff52ca3ae34 a1=7ff52ca3ae3c a2=4 a3=7ff54559ecc0
items=0 ppid=9101 pid=22687 auid=0 uid=498 gid=497 euid=498 suid=498
fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) ses=27155 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1426534611.951:180417): avc: denied { execute } for
pid=22687 comm="ruby" name="ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1426534611.951:180417): avc: denied { read open } for
pid=22687 comm="ruby" name="ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1426534611.951:180417): avc: denied { execute_no_trans
} for pid=22687 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1426534611.951:180417): arch=c000003e syscall=59
success=yes exit=0 a0=7ff52d55d460 a1=7ff52c8d89d0 a2=7ff52c7e40d0
a3=7ff54559ecf0 items=0 ppid=9101 pid=22687 auid=0 uid=498 gid=497 euid=498
suid=498 fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) ses=27155
comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:passenger_t:s0
key=(null)
type=AVC msg=audit(1426616300.913:181982): avc: denied { getattr } for
pid=9106 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1426616300.913:181982): arch=c000003e syscall=4
success=yes exit=0 a0=7ff52d48b450 a1=7ff54559ea50 a2=7ff54559ea50 a3=d
items=0 ppid=1 pid=9106 auid=0 uid=498 gid=497 euid=498 suid=498 fsuid=498
egid=497 sgid=497 fsgid=497 tty=(none) ses=27155 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1426616301.114:181983): avc: denied { getcap } for
pid=30303 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0
tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1426616301.114:181983): arch=c000003e syscall=125
success=yes exit=0 a0=7ff52d741c24 a1=7ff52d741c2c a2=4 a3=7ff54559e880
items=0 ppid=9101 pid=30303 auid=0 uid=498 gid=497 euid=498 suid=498
fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) ses=27155 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1426616301.115:181984): avc: denied { setcap } for
pid=30303 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0
tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1426616301.115:181984): arch=c000003e syscall=126
success=yes exit=0 a0=7ff52d741c24 a1=7ff52d741c2c a2=4 a3=7ff54559e880
items=0 ppid=9101 pid=30303 auid=0 uid=498 gid=497 euid=498 suid=498
fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) ses=27155 comm="ruby"
exe="/opt/rh/ruby193/root/usr/bin/ruby"
subj=unconfined_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1426616301.115:181985): avc: denied { execute } for
pid=30303 comm="ruby" name="ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1426616301.115:181985): avc: denied { read open } for
pid=30303 comm="ruby" name="ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1426616301.115:181985): avc: denied { execute_no_trans
} for pid=30303 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=134585
scontext=unconfined_u:system_r:passenger_t:s0
tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1426616301.115:181985): arch=c000003e syscall=59
success=yes exit=0 a0=7ff52d48b450 a1=7ff52d741d30 a2=7ff52dc55ac0
a3=7ff54559e8b0 items=0 ppid=9101 pid=30303 auid=0 uid=498 gid=497 euid=498
suid=498 fsuid=498 egid=497 sgid=497 fsgid=497 tty=(none) ses=27155
comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:passenger_t:s0
key=(null)
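As an added triage example (not code from the thread or from Foreman): the script below parses AVC records of the kind pasted above, groups the denied permissions by source type, target type and class the way audit2allow does, and pairs each AVC with the SYSCALL record that shares its event id so you can see whether the operation went through despite the logged denial (every SYSCALL record in the excerpt reports success=yes). The sample lines are copied from the excerpt above and trimmed to the fields the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records plus the SYSCALL records sharing their event
# ids, copied from the audit.log excerpt in this thread and trimmed.
SAMPLE_LOG = """\
type=AVC msg=audit(1426534611.802:180414): avc: denied { getattr } for pid=9106 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=134585 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1426534611.802:180414): arch=c000003e syscall=4 success=yes exit=0 pid=9106 comm="ruby" subj=unconfined_u:system_r:passenger_t:s0
type=AVC msg=audit(1426534611.942:180415): avc: denied { getcap } for pid=22687 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1426534611.942:180415): arch=c000003e syscall=125 success=yes exit=0 pid=22687 comm="ruby" subj=unconfined_u:system_r:passenger_t:s0
type=AVC msg=audit(1426534611.949:180416): avc: denied { setcap } for pid=22687 comm="ruby" scontext=unconfined_u:system_r:passenger_t:s0 tcontext=unconfined_u:system_r:passenger_t:s0 tclass=process
type=SYSCALL msg=audit(1426534611.949:180416): arch=c000003e syscall=126 success=yes exit=0 pid=22687 comm="ruby" subj=unconfined_u:system_r:passenger_t:s0
type=AVC msg=audit(1426534611.951:180417): avc: denied { execute } for pid=22687 comm="ruby" name="ssh" dev=dm-0 ino=134585 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1426534611.951:180417): avc: denied { read open } for pid=22687 comm="ruby" name="ssh" dev=dm-0 ino=134585 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1426534611.951:180417): avc: denied { execute_no_trans } for pid=22687 comm="ruby" path="/usr/bin/ssh" dev=dm-0 ino=134585 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1426534611.951:180417): arch=c000003e syscall=59 success=yes exit=0 pid=22687 comm="ssh" exe="/usr/bin/ssh" subj=unconfined_u:system_r:passenger_t:s0
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:(\d+)\): avc: denied \{ ([^}]+) \} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
SYSCALL_RE = re.compile(r'^type=SYSCALL msg=audit\([\d.]+:(\d+)\): .*?success=(\w+)')

def selinux_type(ctx):
    return ctx.split(":")[2]  # user:role:type:level -> type, the field a policy rule names

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class) and record whether
    the SYSCALL record sharing each AVC's event id reports success=yes."""
    perms, events, success = defaultdict(set), defaultdict(set), {}
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m:
            eid, plist, sctx, tctx, tclass = m.groups()
            key = (selinux_type(sctx), selinux_type(tctx), tclass)
            perms[key].update(plist.split())   # "{ read open }" -> two permissions
            events[key].add(eid)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            success[m.group(1)] = m.group(2) == "yes"
    return {k: {"perms": perms[k],
                "syscall_succeeded": all(success.get(e, False) for e in events[k])} for k in perms}

def allow_rules(summary):
    """Render the summary as audit2allow-style allow lines, for comparison with the
    my-foreman module shown in the thread (same-type targets become 'self')."""
    rules = []
    for (src, tgt, cls), info in sorted(summary.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(info['perms']))} }};")
    return rules
```

Run `allow_rules(summarize_denials(open("/var/log/audit/audit.log").read()))` against a real log to reproduce the module, and check `syscall_succeeded` before deciding whether a denial actually broke anything.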

Indeed, that looks like Bug #7719: Selinux prevents console from starting/connecting - SELinux - Foreman, which
was fixed in foreman-selinux 1.6.3.



Dominic Cleal
Red Hat Engineering

Dominic,

Thanks for the response. Due to other issues I ran into and the fact that I was still
on 1.6.0, I went ahead and updated to 1.7.3, and now all the denials show
as allowed by the current policy. So this is resolved, thanks!

- Trey