SELinux Issues upgrading to 2.1.0 from 2.0.1

Recently upgraded our dev environment from 2.0.1 to 2.1.0 following the upgrade steps from Foreman :: Manual. Now it appears SELinux is not allowing ruby access to needed files. I’ve tried relabeling the entire filesystem with no luck. I’m using my previous foreman-answers.yaml; could this be the issue? Or is foreman-selinux missing something? sealert info:

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the directory /sys/devices/system/node.
type=AVC msg=audit(1594163285.520:1624): avc: denied { read } for pid=1601 comm=“ruby” name=“node” dev=“sysfs” ino=842 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163285.520:1624): arch=x86_64 syscall=openat success=yes exit=ECHILD a0=ffffffffffffff9c a1=7fc48909321b a2=90800 a3=0 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163285.520:1624): cwd=/usr/share/foreman
type=PATH msg=audit(1594163285.520:1624): item=0 name=/sys/devices/system/node inode=842 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the directory /var/log/foreman.
type=AVC msg=audit(1594163286.404:1679): avc: denied { getattr } for pid=1601 comm=“ruby” path="/var/log/foreman" dev=“dm-0” ino=67975302 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163286.404:1679): arch=x86_64 syscall=stat success=yes exit=0 a0=8dd37e8 a1=7ffe6c3b9a30 a2=7ffe6c3b9a30 a3=1 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163286.404:1679): cwd=/usr/share/foreman
type=PATH msg=audit(1594163286.404:1679): item=0 name=/usr/share/foreman/log inode=67975302 dev=fd:00 mode=040750 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_log_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from search access on the directory /var/lib/tftpboot/grub2.
type=AVC msg=audit(1594163288.364:1740): avc: denied { search } for pid=1177 comm=“sidekiq” name=“tftpboot” dev=“dm-0” ino=34573341 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594163288.364:1740): avc: denied { getattr } for pid=1177 comm=“sidekiq” path="/var/lib/tftpboot/grub2" dev=“dm-0” ino=101421830 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163288.364:1740): arch=x86_64 syscall=stat success=yes exit=0 a0=892f7c8 a1=7ffcfe588f30 a2=7ffcfe588f30 a3=1 items=1 ppid=1 pid=1177 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=sidekiq exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:foreman_rails_t:s0 key=(null)
type=CWD msg=audit(1594163288.364:1740): cwd=/usr/share/foreman
type=PATH msg=audit(1594163288.364:1740): item=0 name=/var/lib/tftpboot/grub2 inode=101421830 dev=fd:00 mode=040755 ouid=995 ogid=0 rdev=00:00 obj=system_u:object_r:tftpdir_rw_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the file /sys/devices/system/node/node0/meminfo.
type=AVC msg=audit(1594163285.520:1625): avc: denied { read } for pid=1601 comm=“ruby” name=“meminfo” dev=“sysfs” ino=933 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594163285.520:1625): avc: denied { open } for pid=1601 comm=“ruby” path="/sys/devices/system/node/node0/meminfo" dev=“sysfs” ino=933 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163285.520:1625): arch=x86_64 syscall=open success=yes exit=EAGAIN a0=7ffe6c3b6a70 a1=0 a2=1b6 a3=24 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163285.520:1625): cwd=/usr/share/foreman
type=PATH msg=audit(1594163285.520:1625): item=0 name=/sys/devices/system/node/node0/meminfo inode=933 dev=00:12 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sysfs_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the file /sys/devices/system/node/node0/meminfo.
type=AVC msg=audit(1594163285.520:1626): avc: denied { getattr } for pid=1601 comm=“ruby” path="/sys/devices/system/node/node0/meminfo" dev=“sysfs” ino=933 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163285.520:1626): arch=x86_64 syscall=fstat success=yes exit=0 a0=b a1=7ffe6c3b68c0 a2=7ffe6c3b68c0 a3=8 items=0 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from search access on the directory /usr/share/foreman/log/production.log.
type=AVC msg=audit(1594163286.415:1681): avc: denied { search } for pid=1601 comm=“ruby” name=“foreman” dev=“dm-0” ino=67975302 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594163286.415:1681): avc: denied { getattr } for pid=1601 comm=“ruby” path="/var/log/foreman/production.log" dev=“dm-0” ino=67975309 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163286.415:1681): arch=x86_64 syscall=stat success=yes exit=0 a0=9086310 a1=7ffe6c3b9080 a2=7ffe6c3b9080 a3=1 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163286.415:1681): cwd=/usr/share/foreman
type=PATH msg=audit(1594163286.415:1681): item=0 name=/usr/share/foreman/log/production.log inode=67975309 dev=fd:00 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_log_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from append access on the file /usr/share/foreman/log/production.log.
type=AVC msg=audit(1594163286.418:1685): avc: denied { append } for pid=1601 comm=“ruby” name=“production.log” dev=“dm-0” ino=67975309 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594163286.418:1685): avc: denied { open } for pid=1601 comm=“ruby” path="/var/log/foreman/production.log" dev=“dm-0” ino=67975309 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163286.418:1685): arch=x86_64 syscall=open success=yes exit=ECHILD a0=9086310 a1=80441 a2=1b6 a3=d items=2 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163286.418:1685): cwd=/usr/share/foreman
type=PATH msg=audit(1594163286.418:1685): item=0 name=/usr/share/foreman/log/ inode=67975302 dev=fd:00 mode=040750 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_log_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163286.418:1685): item=1 name=/usr/share/foreman/log/production.log inode=67975309 dev=fd:00 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_log_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from ioctl access on the file /var/log/foreman/production.log.
type=AVC msg=audit(1594163286.418:1686): avc: denied { ioctl } for pid=1601 comm=“ruby” path="/var/log/foreman/production.log" dev=“dm-0” ino=67975309 ioctlcmd=5401 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163286.418:1686): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=a a1=5401 a2=7ffe6c3b8dd0 a3=d items=0 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from write access on the file /usr/share/foreman/log/production.log.
type=AVC msg=audit(1594163286.418:1684): avc: denied { write } for pid=1601 comm=“ruby” name=“production.log” dev=“dm-0” ino=67975309 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_log_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163286.418:1684): arch=x86_64 syscall=access success=yes exit=0 a0=9086310 a1=2 a2=7ffe6c3b8f90 a3=1 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163286.418:1684): cwd=/usr/share/foreman
type=PATH msg=audit(1594163286.418:1684): item=0 name=/usr/share/foreman/log/production.log inode=67975309 dev=fd:00 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_log_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from setattr access on the file /usr/share/foreman/tmp/cache/.settings%2Flab_features20200708-2012-895zud.
type=AVC msg=audit(1594163377.468:2348): avc: denied { setattr } for pid=2012 comm=“diagnostic_con*” name=".settings%2Flab_features20200708-2012-895zud" dev=“tmpfs” ino=25581 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.468:2348): arch=x86_64 syscall=chown success=yes exit=0 a0=7fc46de2be90 a1=3e4 a2=3e0 a3=ffffffff items=1 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163377.468:2348): cwd=/usr/share/foreman
type=PATH msg=audit(1594163377.468:2348): item=0 name=/usr/share/foreman/tmp/cache/.settings%2Flab_features20200708-2012-895zud inode=25581 dev=00:14 mode=0100600 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from write access on the directory /usr/share/foreman/tmp/cache/F3B.
type=AVC msg=audit(1594163361.632:2217): avc: denied { write } for pid=2012 comm=“diagnostic_con*” name=“cache” dev=“tmpfs” ino=23028 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594163361.632:2217): avc: denied { add_name } for pid=2012 comm=“diagnostic_con*” name=“F3B” scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594163361.632:2217): avc: denied { create } for pid=2012 comm=“diagnostic_con*” name=“F3B” scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163361.632:2217): arch=x86_64 syscall=mkdir success=yes exit=0 a0=7fc46c20ad30 a1=1ff a2=1d47020 a3=7fc48470f740 items=2 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163361.632:2217): cwd=/usr/share/foreman
type=PATH msg=audit(1594163361.632:2217): item=0 name=/usr/share/foreman/tmp/cache/ inode=23028 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163361.632:2217): item=1 name=/usr/share/foreman/tmp/cache/F3B inode=27740 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from remove_name access on the directory /usr/share/foreman/tmp/cache/F3B/E00/.permissions_check.80358720.2012.564546.
type=AVC msg=audit(1594163361.632:2220): avc: denied { remove_name } for pid=2012 comm=“diagnostic_con*” name=".permissions_check.80358720.2012.564546" dev=“tmpfs” ino=27743 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594163361.632:2220): avc: denied { unlink } for pid=2012 comm=“diagnostic_con*” name=".permissions_check.80358720.2012.564546" dev=“tmpfs” ino=27743 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163361.632:2220): arch=x86_64 syscall=unlink success=yes exit=0 a0=7fc46c210080 a1=0 a2=1 a3=ffffffff items=2 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163361.632:2220): cwd=/usr/share/foreman
type=PATH msg=audit(1594163361.632:2220): item=0 name=/usr/share/foreman/tmp/cache/F3B/E00/ inode=27741 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163361.632:2220): item=1 name=/usr/share/foreman/tmp/cache/F3B/E00/.permissions_check.80358720.2012.564546 inode=27743 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from ioctl access on the file /run/foreman/cache/56D/710/notification-8.
type=AVC msg=audit(1594163885.901:10528): avc: denied { ioctl } for pid=2407 comm=“diagnostic_con*” path="/run/foreman/cache/56D/710/notification-8" dev=“tmpfs” ino=27628 ioctlcmd=5401 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163885.901:10528): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=d a1=5401 a2=7fc48470fc40 a3=d items=0 ppid=1601 pid=2407 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the file /run/foreman/cache/56D/710/notification-8.
type=AVC msg=audit(1594163885.900:10526): avc: denied { getattr } for pid=2407 comm=“diagnostic_con*” path="/run/foreman/cache/56D/710/notification-8" dev=“tmpfs” ino=27628 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163885.900:10526): arch=x86_64 syscall=stat success=yes exit=0 a0=7fc45165f080 a1=7fc48470ff00 a2=7fc48470ff00 a3=1 items=1 ppid=1601 pid=2407 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163885.900:10526): cwd=/usr/share/foreman
type=PATH msg=audit(1594163885.900:10526): item=0 name=/usr/share/foreman/tmp/cache/56D/710/notification-8 inode=27628 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from search access on the directory /usr/share/foreman/public/notification_recipients.
type=AVC msg=audit(1594164025.886:11957): avc: denied { search } for pid=2407 comm=“diagnostic_con*” name=“foreman” dev=“dm-0” ino=100845549 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594164025.886:11957): arch=x86_64 syscall=stat success=no exit=ENOENT a0=7fc46e07a5c0 a1=7fc484710bc0 a2=7fc484710bc0 a3=1 items=1 ppid=1601 pid=2407 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594164025.886:11957): cwd=/usr/share/foreman
type=PATH msg=audit(1594164025.886:11957): item=0 name=/usr/share/foreman/public/notification_recipients objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the directory /var/lib/tftpboot/grub2.
type=AVC msg=audit(1594163288.371:1741): avc: denied { getattr } for pid=1601 comm=“ruby” path="/var/lib/tftpboot/grub2" dev=“dm-0” ino=101421830 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:tftpdir_rw_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163288.371:1741): arch=x86_64 syscall=stat success=yes exit=0 a0=8195120 a1=7ffe6c3b3cb0 a2=7ffe6c3b3cb0 a3=1 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163288.371:1741): cwd=/usr/share/foreman
type=PATH msg=audit(1594163288.371:1741): item=0 name=/var/lib/tftpboot/grub2 inode=101421830 dev=fd:00 mode=040755 ouid=995 ogid=0 rdev=00:00 obj=system_u:object_r:tftpdir_rw_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the lnk_file db/migrate.
type=AVC msg=audit(1594163378.812:2380): avc: denied { read } for pid=2035 comm=“diagnostic_con*” name=“migrate” dev=“dm-0” ino=499536 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file permissive=1
type=SYSCALL msg=audit(1594163378.812:2380): arch=x86_64 syscall=openat success=yes exit=EMFILE a0=ffffffffffffff9c a1=7fc46c0b7f10 a2=90000 a3=0 items=1 ppid=1601 pid=2035 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163378.812:2380): cwd=/usr/share/foreman
type=PATH msg=audit(1594163378.812:2380): item=0 name=db/migrate inode=33934759 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from append access on the file /run/foreman/cache/8FC/FB0/.permissions_check.80358720.2012.716712.
type=AVC msg=audit(1594163377.468:2346): avc: denied { append } for pid=2012 comm=“diagnostic_con*” path="/run/foreman/cache/8FC/FB0/.permissions_check.80358720.2012.716712" dev=“tmpfs” ino=25582 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.468:2346): arch=x86_64 syscall=open success=yes exit=ENFILE a0=7fc46de2c3f0 a1=80441 a2=1b6 a3=d items=2 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163377.468:2346): cwd=/usr/share/foreman
type=PATH msg=audit(1594163377.468:2346): item=0 name=/usr/share/foreman/tmp/cache/8FC/FB0/ inode=25580 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163377.468:2346): item=1 name=/usr/share/foreman/tmp/cache/8FC/FB0/.permissions_check.80358720.2012.716712 inode=25582 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from create access on the directory /usr/share/foreman/tmp/cache/26D.
type=AVC msg=audit(1594163290.968:1801): avc: denied { create } for pid=1601 comm=“ruby” name=“26D” scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163290.968:1801): arch=x86_64 syscall=mkdir success=yes exit=0 a0=9195770 a1=1ff a2=1d47020 a3=7ffe6c3b7900 items=2 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163290.968:1801): cwd=/usr/share/foreman
type=PATH msg=audit(1594163290.968:1801): item=0 name=/usr/share/foreman/tmp/cache/ inode=23028 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163290.968:1801): item=1 name=/usr/share/foreman/tmp/cache/26D inode=24215 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the lnk_file /var/lib/foreman/db/seeds.d.
type=AVC msg=audit(1594163300.590:1866): avc: denied { getattr } for pid=1601 comm=“ruby” path="/var/lib/foreman/db/seeds.d" dev=“dm-0” ino=55747 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=lnk_file permissive=1
type=SYSCALL msg=audit(1594163300.590:1866): arch=x86_64 syscall=lstat success=yes exit=0 a0=d2fb4d0 a1=7ffe6c3b6120 a2=7ffe6c3b6120 a3=d2fb4e8 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163300.590:1866): cwd=/usr/share/foreman
type=PATH msg=audit(1594163300.590:1866): item=0 name=/var/lib/foreman/db/seeds.d inode=55747 dev=fd:00 mode=0120777 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the directory /var/lib/foreman.
type=AVC msg=audit(1594163300.590:1865): avc: denied { getattr } for pid=1601 comm=“ruby” path="/var/lib/foreman" dev=“dm-0” ino=100845549 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163300.590:1865): arch=x86_64 syscall=lstat success=yes exit=0 a0=d78c8f8 a1=7ffe6c3b5fb0 a2=7ffe6c3b5fb0 a3=d78c908 items=1 ppid=1366 pid=1601 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=ruby exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163300.590:1865): cwd=/usr/share/foreman
type=PATH msg=audit(1594163300.590:1865): item=0 name=/var/lib/foreman inode=100845549 dev=fd:00 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the directory /usr/share/foreman/public/apipie-cache/apidoc.
type=AVC msg=audit(1594163385.68:2405): avc: denied { read } for pid=2012 comm=“diagnostic_con*” name=“apidoc” dev=“dm-0” ino=100845550 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594163385.68:2405): avc: denied { open } for pid=2012 comm=“diagnostic_con*” path="/var/lib/foreman/public/apipie-cache/apidoc" dev=“dm-0” ino=100845550 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163385.68:2405): arch=x86_64 syscall=openat success=yes exit=EMFILE a0=ffffffffffffff9c a1=7fc46db39b20 a2=90000 a3=0 items=1 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163385.68:2405): cwd=/usr/share/foreman
type=PATH msg=audit(1594163385.68:2405): item=0 name=/usr/share/foreman/public/apipie-cache/apidoc inode=100845550 dev=fd:00 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from ioctl access on the file /var/lib/foreman/public/apipie-cache/apidoc/v2.ca.json.
type=AVC msg=audit(1594163385.80:2407): avc: denied { ioctl } for pid=2012 comm=“diagnostic_con*” path="/var/lib/foreman/public/apipie-cache/apidoc/v2.ca.json" dev=“dm-0” ino=101399690 ioctlcmd=5401 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163385.80:2407): arch=x86_64 syscall=ioctl success=no exit=ENOTTY a0=18 a1=5401 a2=7fc484710d10 a3=d items=0 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the file /usr/share/foreman/public/apipie-cache/apidoc/v2.ca.json.
type=AVC msg=audit(1594163385.80:2406): avc: denied { read } for pid=2012 comm=“diagnostic_con*” name=“v2.ca.json” dev=“dm-0” ino=101399690 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594163385.80:2406): avc: denied { open } for pid=2012 comm=“diagnostic_con*” path="/var/lib/foreman/public/apipie-cache/apidoc/v2.ca.json" dev=“dm-0” ino=101399690 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163385.80:2406): arch=x86_64 syscall=open success=yes exit=EMFILE a0=7fc46db37680 a1=80000 a2=1b6 a3=d items=1 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163385.80:2406): cwd=/usr/share/foreman
type=PATH msg=audit(1594163385.80:2406): item=0 name=/usr/share/foreman/public/apipie-cache/apidoc/v2.ca.json inode=101399690 dev=fd:00 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the file /usr/share/foreman/tmp/cache/56D/710/notification-8.
type=AVC msg=audit(1594163885.901:10527): avc: denied { read } for pid=2407 comm=“diagnostic_con*” name=“notification-8” dev=“tmpfs” ino=27628 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594163885.901:10527): avc: denied { open } for pid=2407 comm=“diagnostic_con*” path="/run/foreman/cache/56D/710/notification-8" dev=“tmpfs” ino=27628 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163885.901:10527): arch=x86_64 syscall=open success=yes exit=EACCES a0=7fc45165f080 a1=80000 a2=1b6 a3=d items=1 ppid=1601 pid=2407 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163885.901:10527): cwd=/usr/share/foreman
type=PATH msg=audit(1594163885.901:10527): item=0 name=/usr/share/foreman/tmp/cache/56D/710/notification-8 inode=27628 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from create access on the file /usr/share/foreman/tmp/cache/.settings%2Flab_features20200708-2012-895zud.
type=AVC msg=audit(1594163377.468:2345): avc: denied { create } for pid=2012 comm=“diagnostic_con*” name=".settings%2Flab_features20200708-2012-895zud" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594163377.468:2345): avc: denied { write } for pid=2012 comm=“diagnostic_con*” path="/run/foreman/cache/.settings%2Flab_features20200708-2012-895zud" dev=“tmpfs” ino=25581 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.468:2345): arch=x86_64 syscall=open success=yes exit=ENFILE a0=7fc46de2be90 a1=800c2 a2=180 a3=d items=2 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163377.468:2345): cwd=/usr/share/foreman
type=PATH msg=audit(1594163377.468:2345): item=0 name=/usr/share/foreman/tmp/cache/ inode=23028 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163377.468:2345): item=1 name=/usr/share/foreman/tmp/cache/.settings%2Flab_features20200708-2012-895zud inode=25581 dev=00:14 mode=0100600 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from rename access on the file /usr/share/foreman/tmp/cache/.settings%2Flab_features20200708-2012-895zud.
type=AVC msg=audit(1594163377.468:2349): avc: denied { rename } for pid=2012 comm="diagnostic_con*" name=".settings%2Flab_features20200708-2012-895zud" dev="tmpfs" ino=25581 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.468:2349): arch=x86_64 syscall=rename success=yes exit=0 a0=7fc46de2be90 a1=7fc46de259c0 a2=1d47020 a3=2 items=4 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163377.468:2349): cwd=/usr/share/foreman
type=PATH msg=audit(1594163377.468:2349): item=0 name=/usr/share/foreman/tmp/cache/ inode=23028 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163377.468:2349): item=1 name=/usr/share/foreman/tmp/cache/8FC/FB0/ inode=25580 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163377.468:2349): item=2 name=/usr/share/foreman/tmp/cache/.settings%2Flab_features20200708-2012-895zud inode=25581 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163377.468:2349): item=3 name=/usr/share/foreman/tmp/cache/8FC/FB0/settings%2Flab_features inode=25581 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from unlink access on the file /usr/share/foreman/tmp/cache/8FC/FB0/.permissions_check.80358720.2012.716712.
type=AVC msg=audit(1594163377.468:2347): avc: denied { unlink } for pid=2012 comm="diagnostic_con*" name=".permissions_check.80358720.2012.716712" dev="tmpfs" ino=25582 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.468:2347): arch=x86_64 syscall=unlink success=yes exit=0 a0=7fc46de2c3f0 a1=0 a2=1 a3=ffffffff items=2 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163377.468:2347): cwd=/usr/share/foreman
type=PATH msg=audit(1594163377.468:2347): item=0 name=/usr/share/foreman/tmp/cache/8FC/FB0/ inode=25580 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163377.468:2347): item=1 name=/usr/share/foreman/tmp/cache/8FC/FB0/.permissions_check.80358720.2012.716712 inode=25582 dev=00:14 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /usr/sbin/httpd from getattr access on the file /var/lib/foreman/public/webpack/foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css.
type=AVC msg=audit(1594163377.496:2350): avc: denied { getattr } for pid=1389 comm="httpd" path="/var/lib/foreman/public/webpack/foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css" dev="dm-0" ino=101236852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.496:2350): arch=x86_64 syscall=stat success=yes exit=0 a0=5564c5985b90 a1=7ffd660410a0 a2=7ffd660410a0 a3=0 items=1 ppid=1173 pid=1389 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1594163377.496:2350): cwd=/
type=PATH msg=audit(1594163377.496:2350): item=0 name=/usr/share/foreman/public/webpack/foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css inode=101236852 dev=fd:00 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /usr/sbin/httpd from read access on the file /usr/share/foreman/public/webpack/foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css.gz.
type=AVC msg=audit(1594163377.496:2351): avc: denied { read } for pid=1389 comm="httpd" name="foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css.gz" dev="dm-0" ino=101236853 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594163377.496:2351): avc: denied { open } for pid=1389 comm="httpd" path="/var/lib/foreman/public/webpack/foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css.gz" dev="dm-0" ino=101236853 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163377.496:2351): arch=x86_64 syscall=open success=yes exit=EFAULT a0=5564c599d8b8 a1=80000 a2=0 a3=4 items=1 ppid=1173 pid=1389 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=CWD msg=audit(1594163377.496:2351): cwd=/
type=PATH msg=audit(1594163377.496:2351): item=0 name=/usr/share/foreman/public/webpack/foreman-vendor.bundle-v4.3.0-production-7c19ff9bfddfa7208370.css.gz inode=101236853 dev=fd:00 mode=0100644 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_lib_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from name_connect access on the tcp_socket port 636.
type=AVC msg=audit(1594163374.641:2315): avc: denied { name_connect } for pid=2012 comm="diagnostic_con*" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1594163374.641:2315): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=17 a1=d413d48 a2=10 a3=7fc48470ef60 items=0 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from rmdir access on the directory /usr/share/foreman/tmp/cache/C3F/670.
type=AVC msg=audit(1594163378.618:2376): avc: denied { rmdir } for pid=2012 comm="diagnostic_con*" name="670" dev="tmpfs" ino=25584 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163378.618:2376): arch=x86_64 syscall=rmdir success=yes exit=0 a0=7fc46dea7e70 a1=0 a2=1d47020 a3=7fc48470d320 items=2 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163378.618:2376): cwd=/usr/share/foreman
type=PATH msg=audit(1594163378.618:2376): item=0 name=/usr/share/foreman/tmp/cache/C3F/ inode=25583 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1594163378.618:2376): item=1 name=/usr/share/foreman/tmp/cache/C3F/670 inode=25584 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from read access on the directory /usr/share/foreman/tmp/cache/C3F/670.
type=AVC msg=audit(1594163378.618:2375): avc: denied { read } for pid=2012 comm="diagnostic_con*" name="670" dev="tmpfs" ino=25584 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1594163378.618:2375): arch=x86_64 syscall=openat success=yes exit=ENFILE a0=ffffffffffffff9c a1=7fc46dea7e70 a2=90800 a3=0 items=1 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)
type=CWD msg=audit(1594163378.618:2375): cwd=/usr/share/foreman
type=PATH msg=audit(1594163378.618:2375): item=0 name=/usr/share/foreman/tmp/cache/C3F/670 inode=25584 dev=00:14 mode=040755 ouid=996 ogid=992 rdev=00:00 obj=system_u:object_r:foreman_var_run_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

SELinux is preventing /opt/rh/rh-ruby25/root/usr/bin/ruby from getattr access on the file /var/lib/foreman/public/apipie-cache/apidoc/v2.ca.json.
type=AVC msg=audit(1594163385.80:2408): avc: denied { getattr } for pid=2012 comm="diagnostic_con*" path="/var/lib/foreman/public/apipie-cache/apidoc/v2.ca.json" dev="dm-0" ino=101399690 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594163385.80:2408): arch=x86_64 syscall=fstat success=yes exit=0 a0=18 a1=7fc484710c10 a2=7fc484710c10 a3=7fc484710c60 items=0 ppid=1601 pid=2012 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=diagnostic_con* exe=/opt/rh/rh-ruby25/root/usr/bin/ruby subj=system_u:system_r:passenger_t:s0 key=(null)

I know @lzap and @ehelms have been looking into SELinux issues but I don’t know the exact status.

Thanks for that. I’m happy to provide any other information they may need.

Temporarily set enforcement to permissive prior to attempting the upgrade again. After that, the upgrade was successful with no further SELinux issues.

Our deployment now defaults to the Puma server. It is possible to keep running on Passenger, but the SELinux boolean flag passenger_run_foreman must be set to true.

@ekohl @ehelms I expected that during the upgrade, hosts deployed with Passenger are migrated to Puma. If this is not the case, the flag should probably default to true, because this will ultimately break all upgrades.
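As an added example (not part of the thread and not Foreman's own code), this Python sketch groups AVC records like the ones pasted above by source domain, target type and object class, which makes it easy to see that one confined domain accounts for most of the denials. The sample records are constructed and abbreviated from the shape of the thread's log lines, and the function names are assumptions; the audit2allow-style output is a review aid, not a policy module to load.

```python
import re
from collections import defaultdict

# Constructed sample records, abbreviated from the shape of the thread's logs.
SAMPLE = """\
type=AVC msg=audit(1.000:1): avc: denied { create } for pid=2012 comm="diagnostic_con*" name="tmpfile" scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1.000:1): avc: denied { write } for pid=2012 comm="diagnostic_con*" path="/run/foreman/cache/tmpfile" dev="tmpfs" ino=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1.000:1): arch=x86_64 syscall=open success=yes exit=0 comm=diagnostic_con*
type=AVC msg=audit(2.000:2): avc: denied { rmdir } for pid=2012 comm="diagnostic_con*" name="670" dev="tmpfs" ino=2 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(3.000:3): avc: denied { name_connect } for pid=2012 comm="diagnostic_con*" dest=636 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(4.000:4): avc: denied { getattr } for pid=1389 comm="httpd" path="/var/lib/foreman/public/x.css" dev="dm-0" ino=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(5.000:5): avc: denied { read open } for pid=1389 comm="httpd" path="/var/lib/foreman/public/x.css.gz" dev="dm-0" ino=4 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:foreman_lib_t:s0 tclass=file permissive=1
"""

# Only unquoted fields are matched, so quoting damage in pasted logs is harmless.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions.

    Also counts records not marked permissive=1, i.e. denials that were
    actually enforced rather than only logged.
    """
    rules, enforced = defaultdict(set), 0
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and sealert summary lines
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
        if m["perm"] != "1":
            enforced += 1
    return dict(rules), enforced

def as_rules(rules):
    """Render the summary in audit2allow-style notation for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, enforced = summarize(SAMPLE)
    print("\n".join(as_rules(rules)))
    print(f"enforced denials: {enforced}")
```

When nearly every line names the same source domain, as with passenger_t here, check for an existing policy boolean such as the passenger_run_foreman flag mentioned above before writing any custom rules.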