Selinux issues with 1.22?

Problem:
Foreman does not run correctly anymore after enabling selinux.
I’m not sure how we broke foreman, but while trying to bring it up again it seems we lost all our selinux settings for foreman.
When trying to reset the selinux security from the foreman-selinux rpm, we get the following:
/usr/sbin/foreman-selinux-enable
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/foreman/cil:66
OSError: Error
ERROR: could not find datum for type foreman_container_port_t
ValueError: Type foreman_container_port_t is invalid, must be a port type

Anyone who can advise on how to fix this issue?

Bert

Try “ausearch -m avc -ts today” to see the denials that occurred today. Command “aureport -i -ts today” will provide a summary of all denials.
That should give you a starting point to resolve the denials.

hmm,

the summary already doesn’t look good:

aureport -i -ts today

Summary Report

Range of time in logs: 01/01/1970 01:00:00.000 - 01/30/2020 20:42:09.731
Selected time for report: 01/30/2020 00:00:00 - 01/30/2020 20:42:09.731
Number of changes in configuration: 2
Number of changes to accounts, groups, or roles: 0
Number of logins: 3
Number of failed logins: 242
Number of authentications: 12
Number of failed authentications: 6
Number of users: 9
Number of terminals: 21
Number of host names: 4
Number of executables: 22
Number of commands: 28
Number of files: 4930
Number of AVC’s: 3881
Number of MAC events: 5
Number of failed syscalls: 3910
Number of anomaly events: 192
Number of responses to anomaly events: 0
Number of crypto events: 1266
Number of integrity events: 0
Number of virt events: 0
Number of keys: 6
Number of process IDs: 1554
Number of events: 32966

selinux.tar.gz (174.3 KB)

I’ve added the full logs. But I feel like the problem is not with selinux, but more with the missing contexts.

Bert

Set selinux to permissive mode and work through the denials. It can be quite tedious but is not infinite. When you see no more denials, after a test period, try setting to enforcing.

Hello,

at some point in the lifecycle of RHEL7 (I believe 7.3) some policies around containers were split from the base policy into a package named something like selinux-policy-container or container-selinux, something like that. You need to install this package. If you use RHEL it is in the optional channel, on CentOS it should be in the base repo.

Hello @lzap,

I have in the meantime installed selinux-policy.
I also tried to reinstall the foreman-selinux package, but to no avail.

I also discovered some other strange things. For example, when I check which modules are installed on the server, I am missing the foreman pp (on other servers, I can see that one):
# semodule -lfull | grep foreman
400 foreman_katello pp

When trying to import the pp file, I get the following error
# semodule -i /usr/share/selinux/targeted/foreman.pp.bz2
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/foreman/cil:66
semodule: Failed!

And trying to install the rpm, I keep on hitting the value error for foreman_container_port_t.

I have no idea why a) the foreman.pp disappeared, and b) why I can’t install it. But at the moment I can’t label the directories correctly.

Bert
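As an added example (not code from the thread or from the Foreman project), a small POSIX shell diagnostic for the failure described above: it pulls the missing type name out of the semodule error, checks whether the foreman module and the port type are present, and checks for the package lzap mentions. It assumes the package is named container-selinux and that `seinfo` from setools-console is installed for the live check.

```shell
#!/bin/sh
# Added diagnostic for the foreman.pp load failure (not from the thread itself):
# the CIL resolver cannot find foreman_container_port_t, a port type the EL7
# base policy no longer defines. Assumptions: the providing package is
# container-selinux (rpm name assumed) and seinfo (setools-console) is present.

# Print the type named in the first "could not find datum for type X" line.
missing_type_from_log() {
    sed -n 's/.*could not find datum for type \([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Does a `semodule -lfull` listing (priority name lang) contain the module?
module_listed() {
    awk -v name="$1" '$2 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# Does a `seinfo -t` type listing define the given type (whole-word match)?
type_defined() {
    grep -qw -- "$1"
}

# Live check against the running host (needs root and the tools named above).
check_host() {
    rc=0
    semodule -lfull | module_listed foreman \
        || { echo "foreman module is not loaded"; rc=1; }
    seinfo -t 2>/dev/null | type_defined foreman_container_port_t \
        || { echo "foreman_container_port_t undefined: install container-selinux"; rc=1; }
    rpm -q container-selinux >/dev/null 2>&1 \
        || { echo "container-selinux (assumed package name) is not installed"; rc=1; }
    return $rc
}

# Constructed sample of the error output quoted in the thread, for offline use.
SAMPLE_LOG='Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/foreman/cil:66
ERROR: could not find datum for type foreman_container_port_t'

if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Run with `--live` on the affected host; without it the script only defines the helpers, which can be fed saved command output on stdin.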

Which RHEL/CentOS 7 version is that? Which minor version? Because if that’s older than 7.5 it’s not supported anymore (it will not actually work due to changes in the base policy). The minimum CentOS version requirement for 1.18 is 7.5.