Satellite / SAT-35236

ForemanInventoryUpload::Async::GenerateReportJob triggers several SELinux denials


      Environment:

      Red Hat Satellite 6.18.0 (stream 106)

      Steps:

      • Install Satellite
      • Have some hosts connected to it
      • Insights --> Inventory Upload --> Expand the Organization and then click on "Generate and Upload report"
      • Monitor /var/log/messages or audit.log

      Results:

      • The task completed successfully
      • But there are several SELinux errors w.r.t. the tar command used to generate the archive


      ==> /var/log/messages <==
      Jun 18 20:37:46 satellite618 SetroubleshootPrivileged.py[36232]: failed to retrieve rpm info for path '/var/lib/selinux/targeted/active/modules/400/foreman':
      Jun 18 20:37:46 satellite618 setroubleshoot[36217]: SELinux is preventing /usr/bin/tar from read access on the directory userdb. For complete SELinux messages run: sealert -l 38886a8e-b77c-440a-be6c-609eba9e432b
      Jun 18 20:37:46 satellite618 setroubleshoot[36217]: SELinux is preventing /usr/bin/tar from read access on the directory userdb.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that tar should be allowed read access on the userdb directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'tar' --raw | audit2allow -M my-tar#012# semodule -X 300 -i my-tar.pp#012
      Jun 18 20:37:46 satellite618 setroubleshoot[36217]: SELinux is preventing /usr/bin/tar from read access on the directory userdb. For complete SELinux messages run: sealert -l 38886a8e-b77c-440a-be6c-609eba9e432b
      Jun 18 20:37:46 satellite618 setroubleshoot[36217]: SELinux is preventing /usr/bin/tar from read access on the directory userdb.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that tar should be allowed read access on the userdb directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'tar' --raw | audit2allow -M my-tar#012# semodule -X 300 -i my-tar.pp#012
      ==> /var/log/audit/audit.log
      type=AVC msg=audit(1750259266.122:3468): avc:  denied  { read } for  pid=36214 comm="tar" name="userdb" dev="tmpfs" ino=40 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
      type=AVC msg=audit(1750259266.122:3469): avc:  denied  { read } for  pid=36214 comm="tar" name="userdb" dev="tmpfs" ino=40 scontext=system_u:system_r:foreman_rails_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
      

       

       

      Expected Results:

      No such SELinux denials

              Unassigned Unassigned
              rhn-support-saydas Sayan Das
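
To triage the denials quoted above before acting on the audit2allow suggestion in the setroubleshoot output, the AVC records can be collapsed into the unique access they represent. This is an added example, not part of the original report or of Satellite's code; the names parse_avc, summarize and te_rule are hypothetical, and the sample input is constructed from the two audit.log lines in the report.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC records quoted in the report above.
_AVC = ('type=AVC msg=audit(1750259266.122:{serial}): avc:  denied  {{ read }} for  '
        'pid=36214 comm="tar" name="userdb" dev="tmpfs" ino=40 '
        'scontext=system_u:system_r:foreman_rails_t:s0 '
        'tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0')
SAMPLE_LOG = "\n".join(_AVC.format(serial=s) for s in (3468, 3469))

AVC_RE = re.compile(r"type=AVC msg=audit\(([\d.]+):(\d+)\): avc:\s+denied\s+\{ ([^}]+?) \} for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["serial"] = int(m.group(2))
    rec["perms"] = tuple(sorted(m.group(3).split()))
    # A context is user:role:type:level; the level may itself contain ':'
    # (e.g. s0:c1,c2), so split at most three times.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class, perms); count repeats."""
    groups, comms = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"], rec["perms"])
            groups[key] += 1
            comms.setdefault(key, set()).add(rec.get("comm", "?"))
    return groups, comms

def te_rule(key):
    """Rule text an allow for this denial amounts to. It is keyed on the source
    domain, so it covers every process in that domain, not only comm=."""
    stype, ttype, tclass, perms = key
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_s};"

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)[0].items():
        print(f"{n}x {te_rule(key)}")
```

Both records reduce to a single access: foreman_rails_t reading a directory labelled systemd_userdbd_runtime_t, with permissive=0 showing the read was blocked.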