Upgrade 1.22 to 1.22.1 bricks Foreman due to wrong SELinux policy (with solution)

Foreman has been upgraded from 1.22 to 1.22.1 and Foreman stopped working.
The web interface showed a stacktrace with “permission denied”.

Expected outcome:
Foreman still running after the upgrade.


setsebool -P passenger_can_connect_all 1

This parameter was not needed on 1.22 and below.

Foreman and Proxy versions:
1.22.1 on RHEL 7.6 latest

Foreman and Proxy plugin versions:

Other relevant data:

Hello, can you share the SELinux denial which caused this? Also it would be good to see the details of the “permission denied”. I have seen a temporary permission denied error during passenger launch, but when it finishes it goes away. The only thing to do in that case was to wait a bit longer until it comes up.

The passenger SELinux policy is a mess.

Maybe it’s because our postgres server doesn’t listen on the default port 5432, but on 5455. I didn’t think about the non-standard ports until I read the AVC carefully again.

SELinux is preventing ruby from name_connect access on the tcp_socket port 5455. 

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow passenger to can connect all
Then you must tell SELinux about this by enabling the 'passenger_can_connect_all' boolean.

setsebool -P passenger_can_connect_all 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that ruby should be allowed name_connect access on the port 5455 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'ruby' --raw | audit2allow -M my-ruby
# semodule -i my-ruby.pp

Additional Information:
Source Context                system_u:system_r:passenger_t:s0
Target Context                system_u:object_r:jboss_messaging_port_t:s0
Target Objects                port 5455 [ tcp_socket ]
Source                        ruby
Source Path                   ruby
Port                          5455
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.15.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foreman1.3ve.bmlv.at
Platform                      Linux foreman.host.name
                              3.10.0-957.27.2.el7.x86_64 #1 SMP Tue Jul 9
                              16:53:14 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2019-09-11 15:59:54 CEST
Last Seen                     2019-09-11 15:59:54 CEST
Local ID                      e744cadc-95f3-45e3-9ee6-04cab83b7775

Raw Audit Messages
type=AVC msg=audit(1568210394.788:7041): avc:  denied  { name_connect } for  pid=4196 comm="ruby" dest=5455 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:jboss_messaging_port_t:s0 tclass=tcp_socket permissive=0

Hash: ruby,passenger_t,jboss_messaging_port_t,tcp_socket,name_connect

That is absolutely the reason, no doubt. SELinux just did the right job it was designed for. If you want to keep improved security, simply add this port to the PostgreSQL port type using the semanage port command instead of allowing all ports.
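As an added illustration of that last reply (not code from the thread or from Foreman), a small POSIX sh helper that turns the AVC line above into the narrow semanage fix: it reads the denied port, protocol and current port type from the record and prints the command that relabels just that port as postgresql_port_t. It assumes the standard type name postgresql_port_t from the targeted policy; note that because 5455 already carries jboss_messaging_port_t, the port must be modified with -m rather than added with -a.

```shell
#!/bin/sh
# Derive a least-privilege SELinux port fix from one AVC denial line.
# Flipping passenger_can_connect_all lets passenger_t reach every port;
# relabeling only the port PostgreSQL listens on keeps the policy tight.

# avc_field LINE KEY -> value of "KEY=..." in an audit record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# port_type CONTEXT -> the type component (third field) of an SELinux context
port_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_port_fix AVC_LINE WANTED_TYPE
# Prints the semanage command that assigns WANTED_TYPE to the denied port,
# or "already-labeled" when the port already carries that type.
# A port already bound to another type in policy (5455 here is
# jboss_messaging_port_t) must be changed with -m; "-a" would fail with
# "already defined". A port that is only unreserved_port_t is added with -a.
suggest_port_fix() {
    line=$1; wanted=$2
    port=$(avc_field "$line" dest)
    tclass=$(avc_field "$line" tclass)
    current=$(port_type "$(avc_field "$line" tcontext)")
    case $tclass in
        tcp_socket) proto=tcp ;;
        udp_socket) proto=udp ;;
        *) echo "unsupported tclass: $tclass" >&2; return 1 ;;
    esac
    if [ "$current" = "$wanted" ]; then
        echo "already-labeled"
    elif [ "$current" = "unreserved_port_t" ]; then
        echo "semanage port -a -t $wanted -p $proto $port"
    else
        echo "semanage port -m -t $wanted -p $proto $port"
    fi
}

# Constructed sample: the denial from this thread, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1568210394.788:7041): avc:  denied  { name_connect } for  pid=4196 comm="ruby" dest=5455 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:jboss_messaging_port_t:s0 tclass=tcp_socket permissive=0'

suggest_port_fix "$SAMPLE_AVC" postgresql_port_t
```

After running the printed command, `semanage port -l | grep postgresql` should list 5455 alongside 5432, and `setsebool -P passenger_can_connect_all 0` can be restored.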