Bug #16513
closed
Foreman app is denied connecting to Puppet Master
Added by Lukas Zapletal over 7 years ago.
Updated about 4 years ago.
Description
Regression in audit, this happens during/after installation:
type=SYSCALL msg=audit(1472804428.713:506): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=1da4130 a2=10 a3=7ffde886c350 items=0 ppid=19686 pid=20065 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1472804428.713:506): avc: denied { name_connect } for pid=20065 comm="ruby" dest=8140 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
I don't know what causes this, Puppet Environment import works fine. Could be wrong ordering in the installer.
That's unlikely to be Foreman, all it shows is that the context is passenger_t. It's more likely to be Passenger itself (prestart) when using an old Rack-based master.
Hi Lukas,
As I hit that issue in Katello 3.1/Foreman 1.12.4 and Satellite 6.2.4, too, I wanted to give a hint to anyone else how to resolv this. Even that everything seemed to work as expected but one never knows. I hope that helps.
1.) One way would be to allow Passenger to connect to all ports, but that's not what I wanted. Just enable the following boolean if that's OK for you:
# getsebool passenger_can_connect_all
passenger_can_connect_all --> off
2.) The other way that worked for me was to create a custom selinux module to allow Passenger the connection with tcp/8140.
# cat allow_passenger_puppet_port.te
module allow_passenger_puppet_port 1.0;
require {
type puppet_port_t;
type passenger_t;
class tcp_socket name_connect;
}
#============= passenger_t ==============
#!!!! This avc is allowed in the current policy
allow passenger_t puppet_port_t:tcp_socket name_connect;
Best regards
- Has duplicate Bug #17711: Passenger can't connect to puppet port added
I also ran into this issue with my Katello 3.1 installation.
Rather than granting all port access, I used semanage to label the requested port to something passenger could connect to.
semanage port -m -t http_port_t -p tcp 8140
- Status changed from New to Resolved
Implemented some time ago.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by