I am new to SELinux, so sorry for my newbie question. Maybe someone could help with this case, or just tell me where I could try to find some information to solve this issue.
I'm using Foreman on a CentOS host (release 7.6.1810). I have configured the foreman_hooks plugin to trigger some actions after provisioning hosts. The script that is triggered is simple: I just need to send a text file (label template) over FTP to a label printer. When I execute a bash script with the same commands by hand, it works. When I try to automate it with foreman_hooks, I get 'ftp: connect: Permission denied'. The foreman_hook script is executed by the foreman user, not root.
My foreman hook script is as follow:
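# event name (create, before_destroy etc.)
# orchestration hooks must obey this to support rollbacks (create/update/destroy)
event=${HOOK_EVENT}
object=${HOOK_OBJECT}
# Example of using hook_data to query the JSON representation of the object
# passed by foreman_hooks. `cat $HOOK_OBJECT_FILE` to see the contents.
hostname=$(hook_data .host.name)
mac=$(hook_data .host.mac)
# Short host name: everything before the first dot (same result as `cut -f1 -d'.'`,
# without the echo|cut pipeline).
name=${hostname%%.*}
# Every path below is built from $name. With an empty value the old cleanup step
# became `rm -R /usr/share/foreman/tmp/` and wiped the whole directory, so stop here.
: "${name:?hook_data returned no host name}"
tmpdir=/usr/share/foreman/tmp
# wget writes the id into the output file and prints nothing, so the former
# `frasid=\`...\`` capture was always empty and has been dropped.
# NOTE(review): --no-check-certificate disables TLS verification of my_url; the
# response is later turned into a filename, so the endpoint should be trusted
# (pin or install its CA) rather than left unverified.
/usr/bin/wget --no-proxy --quiet --output-document="${tmpdir}/${name}" --no-check-certificate \
  "https://my_url/fras/hotspot/get_id/?key=mac_sticker&value=${mac}" || exit 1
HOST='10.28.89.152'
USER='ftpprint'
PASS='print'
# NOTE(review): the hook file is installed -rwxr-xr-x, so these FTP credentials are
# readable by every local user; read them from a foreman-owned file with mode 0600
# (or from the environment) instead of keeping them in the script.
fxnum=$(cat -- "${tmpdir}/${name}")
# The id comes from a remote service and becomes part of a filename: accept only a
# plain token so a response such as '../x' or an empty body cannot steer the paths.
case $fxnum in
  ''|*[!A-Za-z0-9_-]*)
    printf 'unexpected id for %s: %s\n' "$name" "$fxnum" >&2
    rm -f -- "${tmpdir}/${name}"
    exit 1
    ;;
esac
label="${tmpdir}/FX${fxnum}.txt"
# Label template for the printer; FX${fxnum} is the only expanded field.
cat > "$label" << EOT
m m
J
H 100
S l1;0,0,19,22,38
O R
T 8,7,0,3,2;Hotspot
T 6,9,0,3,2;support@hotspot.de
T 4,19,90,5,3;HOTSPOT
T 9,18,0,5,3;S/N:
T:SERIAL;17,18,0,5,3;FX${fxnum}
B 6,10,0,code39,5,0.25,2;[SERIAL]
A1
EOT
# mput uses a relative name, so the upload must run from the tmp directory.
cd "$tmpdir" || exit 1
# NOTE: when started by Foreman the hook inherits the passenger_t domain, and the
# audit log shows ftp's name_connect to ftp_port_t denied in that domain. That is
# why the same commands work from an interactive shell; the fix is an SELinux
# policy decision by the administrator, not a change to this script.
/usr/bin/ftp -ni << EOF
open $HOST
user $USER $PASS
bin
mput FX${fxnum}.txt
quit
EOF
# Both are regular files; -R was never needed and -f avoids noise if one is missing.
rm -f -- "${tmpdir}/${name}" "$label"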
Some logs to debug:
[root@puppet ~]# ls -laZ /usr/share/foreman/config/hooks/host/managed/after_provision/
drwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0 .
drwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0 ..
-rwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0 10_print_label.sh
-rwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0 20_log.sh
-rwxr-xr-x. foreman foreman system_u:object_r:bin_t:s0 hook_functions.sh
[root@puppet production]# aureport -a
435. 13.09.2019 16:06:16 ftp system_u:system_r:passenger_t:s0 42 tcp_socket name_connect system_u:object_r:ftp_port_t:s0 denied 7505
436. 13.09.2019 16:50:05 ftp system_u:system_r:passenger_t:s0 42 tcp_socket name_connect system_u:object_r:ftp_port_t:s0 denied 7552
[root@puppet production]# ausearch -c 'ftp' --raw
type=PROCTITLE msg=audit(1568383472.309:7503): proctitle=2F7573722F62696E2F667470002D6E69
type=AVC msg=audit(1568383544.496:7504): avc: denied { name_connect } for pid=11300 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568383544.496:7504): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=2354610 a2=10 a3=7ffe7cddf9a0 items=0 ppid=11282 pid=11300 auid=4294967295 uid=998 gid=995 euid=998 suid=998 fsuid=998 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1568383544.496:7504): proctitle=2F7573722F62696E2F667470002D6E69
type=AVC msg=audit(1568383576.195:7505): avc: denied { name_connect } for pid=12042 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568383576.195:7505): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=11af610 a2=10 a3=7ffff6d62ba0 items=0 ppid=12024 pid=12042 auid=4294967295 uid=998 gid=995 euid=998 suid=998 fsuid=998 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1568383576.195:7505): proctitle=2F7573722F62696E2F667470002D6E69
type=AVC msg=audit(1568386205.243:7552): avc: denied { name_connect } for pid=25346 comm="ftp" dest=21 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1568386205.243:7552): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=c1c610 a2=10 a3=7ffc62bb4920 items=0 ppid=25344 pid=25346 auid=4294967295 uid=998 gid=995 euid=998 suid=998 fsuid=998 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="ftp" exe="/usr/bin/ftp" subj=system_u:system_r:passenger_t:s0 key=(null)
type=PROCTITLE msg=audit(1568386205.243:7552): proctitle=667470002D6E0031302E32382E38392E313532
[root@puppet production]# grep -i hook /var/log/foreman/production.log
2019-09-13T16:30:10 [D|app|] Found hook to Host::Managed#after_provision, filename 20_log.sh
2019-09-13T16:30:10 [D|app|] Found hook to Host::Managed#after_provision, filename hook_functions.sh
2019-09-13T16:30:10 [D|app|] Found hook to Host::Managed#after_provision, filename 10_print_label.sh
2019-09-13T16:30:10 [I|app|] Finished discovering 3 hooks for Host::Managed#after_provision
2019-09-13T16:30:15 [D|app|] Extending Host::Managed with foreman_hooks Rails hooking support
2019-09-13T16:30:15 [D|app|] Created hook method after_provision on Host::Managed
2019-09-13T16:30:16 [D|app|] Extending Host::Managed with foreman_hooks Rails hooking support
2019-09-13T16:30:16 [D|app|] Created hook method after_provision on Host::Managed
2019-09-13T16:50:04 [D|app|8c1ce] custom hook before_provision on hotspot-1329601.frederix-hotspot.de will be executed if defined.
2019-09-13T16:50:04 [D|app|8c1ce] Observed after_provision hook on hotspot-1329601.frederix-hotspot.de
2019-09-13T16:50:04 [D|app|8c1ce] Running 3 hooks for Host::Managed#after_provision
2019-09-13T16:50:04 [D|app|8c1ce] Running hook: /usr/share/foreman/config/hooks/host/managed/after_provision/10_print_label.sh after_provision hotspot-1329601.frederix-hotspot.de
2019-09-13T16:50:05 [D|app|8c1ce] Hook output: ftp: connect: Permission denied
2019-09-13T16:50:05 [D|app|8c1ce] Running hook: /usr/share/foreman/config/hooks/host/managed/after_provision/20_log.sh after_provision hotspot-1329601.frederix-hotspot.de
2019-09-13T16:50:05 [D|app|8c1ce] Running hook: /usr/share/foreman/config/hooks/host/managed/after_provision/hook_functions.sh after_provision hotspot-1329601.frederix-hotspot.de