-
Bug
-
Resolution: Done-Errata
-
Major
-
6.15.z, 6.16.0
-
False
-
foreman-fapolicyd-1.0.1-3
-
Important
-
None
-
None
-
None
-
None
-
Yes
Description of problem:
As per https://issues.redhat.com/browse/SAT-6829 and https://issues.redhat.com/browse/SAT-15991 , we should be able to install Satellite 6.15+ on a RHEL 8 OS which has DISA STIG security profile applied and fapolicyd enabled.
But that seems impossible.
How reproducible:
Always
Is this issue a regression from an earlier version:
Regression of the JIRAs mentioned above
Steps to Reproduce:
1. Install a RHEL 8.10 with DISA STIG for RHEL 8 policy applied
2. Verify that fapolicyd is running
3. Install Satellite 6.16 on top of the same.
4. If fails on step 3, stop fapolicyd and retry the satellite-installer
Actual behavior:
Step 3:
The installer fails to run the db:migrate step.
[root@satellite616 ~]# satellite-installer --scenario satellite \ --foreman-initial-organization "RedHat" \ --foreman-initial-location "GSS" \ --foreman-initial-admin-username admin \ --foreman-initial-admin-password RedHat1! --tuning development 2024-09-09 16:00:07 [NOTICE] [root] Loading installer configuration. This will take some time. 2024-09-09 16:00:10 [NOTICE] [root] Running installer with log based terminal output at level NOTICE. 2024-09-09 16:00:10 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions. 2024-09-09 16:01:55 [NOTICE] [configure] Starting system configuration. 2024-09-09 16:02:36 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete. 2024-09-09 16:02:58 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete. 2024-09-09 16:03:39 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete. 2024-09-09 16:03:46 [NOTICE] [configure] 1000 configuration steps out of 1568 steps complete. 2024-09-09 16:04:08 [NOTICE] [configure] 1250 configuration steps out of 1568 steps complete. 2024-09-09 16:04:15 [ERROR ] [configure] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:04:15 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 16:05:37 [NOTICE] [configure] 1500 configuration steps out of 1568 steps complete. 2024-09-09 16:05:55 [NOTICE] [configure] System configuration has finished. Error 1: Puppet Exec resource 'foreman-rake-db:migrate' failed. Logs: /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate] Adding autorequire relationship with User[foreman] Starting to evaluate the resource (1327 of 1568) Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] Evaluated in 1.72 seconds Exec[foreman-rake-db:migrate](provider=posix) Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations' Executing '/usr/sbin/foreman-rake db:migrate' Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations' Executing '/usr/sbin/foreman-rake db:migrate' /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/unless rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) 1 error was detected during installation. Please address the errors and re-run the installer to ensure the system is properly configured. Failing to do so is likely to result in broken functionality. The full log is at /var/log/foreman-installer/satellite.log Package versions are being locked.
audit.log shows this i.e.
node=localhost.localdomain type=CRED_ACQ msg=audit(1725878245.395:119439): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root" node=localhost.localdomain type=USER_START msg=audit(1725878245.398:119440): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_systemd,pam_keyinit,pam_limits,pam_unix acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root" node=localhost.localdomain type=FANOTIFY msg=audit(1725878246.349:119441): resp=2 fan_type=1 fan_info=D subj_trust=2 obj_trust=0 node=localhost.localdomain type=SYSCALL msg=audit(1725878246.349:119441): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=5594ff3c2f40 a2=80800 a3=0 items=1 ppid=37738 pid=37739 auid=0 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=1 comm="rake" exe="/usr/bin/ruby" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="foreman" GID="foreman" EUID="foreman" SUID="foreman" FSUID="foreman" EGID="foreman" SGID="foreman" FSGID="foreman" node=localhost.localdomain type=CWD msg=audit(1725878246.349:119441): cwd="/usr/share/foreman" node=localhost.localdomain type=PATH msg=audit(1725878246.349:119441): item=0 name="/usr/share/foreman/Rakefile" inode=353494 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root" node=localhost.localdomain type=PROCTITLE msg=audit(1725878246.349:119441): proctitle=2F7573722F62696E2F72756279002F7573722F62696E2F72616B650064623A6D696772617465002D2D7472616365 node=localhost.localdomain type=FANOTIFY msg=audit(1725878246.350:119442): resp=2 fan_type=1 fan_info=D subj_trust=2 obj_trust=0 node=localhost.localdomain type=SYSCALL msg=audit(1725878246.350:119442): arch=c000003e syscall=257 success=no exit=-1 a0=ffffff9c a1=5594ff3c2f40 a2=80800 a3=0 items=1 ppid=37738 pid=37739 auid=0 uid=984 gid=984 euid=984 suid=984 fsuid=984 egid=984 sgid=984 fsgid=984 tty=(none) ses=1 comm="rake" exe="/usr/bin/ruby" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=openat AUID="root" UID="foreman" GID="foreman" EUID="foreman" SUID="foreman" FSUID="foreman" EGID="foreman" SGID="foreman" FSGID="foreman" node=localhost.localdomain type=CWD msg=audit(1725878246.350:119442): cwd="/usr/share/foreman" node=localhost.localdomain type=PATH msg=audit(1725878246.350:119442): item=0 name="/usr/share/foreman/Rakefile" inode=353494 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root" node=localhost.localdomain type=PROCTITLE msg=audit(1725878246.350:119442): proctitle=2F7573722F62696E2F72756279002F7573722F62696E2F72616B650064623A6D696772617465002D2D7472616365 node=localhost.localdomain type=USER_END msg=audit(1725878246.354:119443): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_systemd,pam_keyinit,pam_limits,pam_unix acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root" node=localhost.localdomain type=CRED_DISP msg=audit(1725878246.354:119444): pid=37738 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_rootok acct="foreman" exe="/usr/sbin/runuser" hostname=satellite616.lab.example.com addr=? terminal=pts/0 res=success'UID="root" AUID="root"
Step 4:
[root@satellite616 ~]# systemctl stop fapolicyd
[root@satellite616 ~]# foreman-rake db:migrate --trace
** Invoke db:migrate (first_time)
** Invoke db:load_config (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute db:load_config
** Invoke plugin:refresh_migrations (first_time)
** Invoke environment
** Execute plugin:refresh_migrations
** Execute db:migrate
== 20090714132448 CreateHosts: migrating ======================================
-- create_table(:hosts, {:id=>:integer})
-> 0.0322s
-- add_index(:hosts, :source_file_id)
-> 0.0141s
..
..
..
== 20240729192228 AddConvert2rhelToHostFacets: migrating ======================
-- add_column(:katello_subscription_facets, :convert2rhel_through_foreman, :int4)
-> 0.0004s
== 20240729192228 AddConvert2rhelToHostFacets: migrated (0.0005s) =============
** Invoke db:_dump (first_time)
** Execute db:_dump
** Invoke dynflow:migrate (first_time)
** Invoke environment
** Execute dynflow:migrate
[root@satellite616 ~]# satellite-installer --scenario satellite --foreman-initial-organization "RedHat" --foreman-initial-location "GSS" --foreman-initial-admin-username admin --foreman-initial-admin-password RedHat1! --tuning development
2024-09-09 16:10:52 [NOTICE] [root] Loading installer configuration. This will take some time.
2024-09-09 16:10:55 [NOTICE] [root] Running installer with log based terminal output at level NOTICE.
2024-09-09 16:10:55 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions.
Package versions are locked. Continuing with unlock.
2024-09-09 16:11:03 [NOTICE] [configure] Starting system configuration.
2024-09-09 16:11:11 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete.
2024-09-09 16:11:12 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete.
2024-09-09 16:11:13 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete.
2024-09-09 16:11:13 [NOTICE] [configure] 1000 configuration steps out of 1549 steps complete.
2024-09-09 16:11:14 [NOTICE] [configure] 1250 configuration steps out of 1549 steps complete.
2024-09-09 16:13:35 [NOTICE] [configure] 1500 configuration steps out of 1549 steps complete.
2024-09-09 16:13:37 [NOTICE] [configure] System configuration has finished.
Success!
* Satellite is running at https://satellite616.lab.example.com
Initial credentials are admin / RedHat1!
* To install an additional Capsule on separate machine continue by running:
capsule-certs-generate --foreman-proxy-fqdn "$CAPSULE" --certs-tar "/root/$CAPSULE-certs.tar"
* Capsule is running at https://satellite616.lab.example.com:9090
The full log is at /var/log/foreman-installer/satellite.log
Package versions are being locked.
Expected behavior:
It should work fine without disabling fapolicyd
Business Impact / Additional info:
High as many organizations rely on STIG`ing their OS but fapolicyd seems to be blocking the installation here.
- is cloned by
-
-
- Closed
-
- links to
-
RHBA-2024:140284
Important: Satellite 6.16.0 release
[SAT-27834] Unable to install Satellite on a STIG'ed RHEL 8.10 OS having fapolicyd running
Pinned comments
Jameer Pathan
added a comment - Workaround for the issue: Restart fapolicyd (systemctl restart fapolicyd).
All comments
Workaround for the issue: Restart fapolicyd (systemctl restart fapolicyd).
Jameer Pathan
added a comment - Workaround for the issue: Restart fapolicyd (systemctl restart fapolicyd). All comments
Jameer Pathan
added a comment - Verified that Satellite 6.16.0 snap 7.0 was successfully installed on Fapolicyd-enabled RHEL 8.10
Jameer Pathan
added a comment - Verified that Satellite 6.16.0 snap 7.0 was successfully installed on Fapolicyd-enabled RHEL 8.10 Workaround for the issue: Restart fapolicyd (systemctl restart fapolicyd).
Jameer Pathan
added a comment - Workaround for the issue: Restart fapolicyd (systemctl restart fapolicyd). (ignore the capsule616 name, that is, in this case, a satellite only)
Without STIG but just fapolicyd installed and enabled:
[root@capsule616 ~]# satellite-installer --scenario satellite \ > --foreman-initial-organization "RedHat" \ > --foreman-initial-location "GSS" \ > --foreman-initial-admin-username admin \ > --foreman-initial-admin-password RedHat1! --tuning development 2024-09-09 17:09:25 [NOTICE] [root] Loading installer configuration. This will take some time. 2024-09-09 17:09:29 [NOTICE] [root] Running installer with log based terminal output at level NOTICE. 2024-09-09 17:09:29 [NOTICE] [root] Use -l to set the terminal output log level to ERROR, WARN, NOTICE, INFO, or DEBUG. See --full-help for definitions. 2024-09-09 17:10:55 [NOTICE] [configure] Starting system configuration. 2024-09-09 17:11:31 [NOTICE] [configure] 250 configuration steps out of 1539 steps complete. 2024-09-09 17:11:46 [NOTICE] [configure] 500 configuration steps out of 1541 steps complete. 2024-09-09 17:12:25 [NOTICE] [configure] 750 configuration steps out of 1543 steps complete. 2024-09-09 17:12:30 [NOTICE] [configure] 1000 configuration steps out of 1568 steps complete. 2024-09-09 17:12:53 [NOTICE] [configure] 1250 configuration steps out of 1568 steps complete. 2024-09-09 17:13:02 [ERROR ] [configure] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 17:13:02 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns: change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 17:13:02 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 17:13:02 [ERROR ] [configure] /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] 2024-09-09 17:14:20 [NOTICE] [configure] 1500 configuration steps out of 1568 steps complete. 2024-09-09 17:14:31 [NOTICE] [configure] System configuration has finished. Error 1: Puppet Exec resource 'foreman-rake-db:migrate' failed. Logs: /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate] Adding autorequire relationship with User[foreman] Starting to evaluate the resource (1327 of 1568) Failed to call refresh: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] Evaluated in 1.78 seconds Exec[foreman-rake-db:migrate](provider=posix) Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations' Executing '/usr/sbin/foreman-rake db:migrate' Executing check '/usr/sbin/foreman-rake db:abort_if_pending_migrations' Executing '/usr/sbin/foreman-rake db:migrate' /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/unless rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) /Stage[main]/Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate]/returns rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) change from 'notrun' to ['0'] failed: '/usr/sbin/foreman-rake db:migrate' returned 1 instead of one of [0] rake aborted! LoadError: cannot load such file -- /usr/share/foreman/Rakefile /usr/share/gems/gems/rake-13.0.1/exe/rake:27:in `<top (required)>' (See full trace by running task with --trace) 1 error was detected during installation. Please address the errors and re-run the installer to ensure the system is properly configured. Failing to do so is likely to result in broken functionality. The full log is at /var/log/foreman-installer/satellite.log Package versions are being locked.
# systemctl status fapolicyd ● fapolicyd.service - File Access Policy Daemon Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled) Active: active (running) since Mon 2024-09-09 17:02:18 IST; 19min ago Docs: man:fapolicyd(8) Main PID: 6581 (fapolicyd) Tasks: 4 (limit: 95821) Memory: 209.7M CGroup: /system.slice/fapolicyd.service └─6581 /usr/sbin/fapolicyd Sep 09 17:13:11 capsule616.lab.example.com fapolicyd[6581]: Loading trust data from rpmdb backend Sep 09 17:13:11 capsule616.lab.example.com fapolicyd[6581]: Loading trust data from file backend Sep 09 17:13:11 capsule616.lab.example.com fapolicyd[6581]: Updated Sep 09 17:14:27 capsule616.lab.example.com fapolicyd[6581]: It looks like there was an update of the system... Syncing DB. Sep 09 17:14:27 capsule616.lab.example.com fapolicyd[6581]: Loading rpmdb backend Sep 09 17:14:28 capsule616.lab.example.com fapolicyd[6581]: Updating trust database Sep 09 17:14:28 capsule616.lab.example.com fapolicyd[6581]: Creating trust database Sep 09 17:14:28 capsule616.lab.example.com fapolicyd[6581]: Loading trust data from rpmdb backend Sep 09 17:14:28 capsule616.lab.example.com fapolicyd[6581]: Loading trust data from file backend Sep 09 17:14:28 capsule616.lab.example.com fapolicyd[6581]: Updated
I am able to reproduce the exact same issue without DISA STIG applied but with just fapolicyd installed + running ( before satellite was installed ). I will collect a sosreport and upload on this Jira again..
Since the problem described in this issue should be resolved in a recent advisory, it has been closed.
For information on the advisory (Critical: Satellite 6.16.0 release), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:8906