Bug #6014

AVC denials from Puppet under Passenger on Foreman 1.6 on EL7

Added by Dominic Cleal over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assigned To: Lukas Zapletal
Category: -
Target version: Foreman - Sprint 27
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -
Release: 1.6.0
Release relationship: Auto

Description

foreman-selinux-1.6.0-0.develop.201405301314git8ad6a63.el7.noarch
mod_passenger-4.0.18-9.5.el7.x86_64
puppet-3.6.0-1.el7.noarch
redhat-release-server-7.0-0.5.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch
selinux-policy-targeted-3.12.1-153.el7.noarch

type=AVC msg=audit(1401722841.555:184): avc:  denied  { getattr } for  pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722841.555:184): avc:  denied  { getattr } for  pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc:  denied  { read open } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc:  denied  { read open } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc:  denied  { getattr } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc:  denied  { ioctl } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc:  denied  { getattr } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc:  denied  { ioctl } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
require {
    type httpd_t;
    type foreman_enc_t;
    type puppet_etc_t;
    type passenger_t;
    class file { read getattr open ioctl };
}

#============= httpd_t ==============
allow httpd_t puppet_etc_t:file getattr;

#============= passenger_t ==============
allow passenger_t foreman_enc_t:file { read getattr open ioctl };

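To show how the allow rules above follow from the pasted denials, here is an added Python sketch (not part of this report or of foreman-selinux) of what audit2allow does with them: it parses each AVC record, collapses the verbatim repeats, and renders the same require/allow layout. The sample input is a constructed string holding the report's own denial lines.

```python
import re
from collections import defaultdict

# Constructed sample: denials copied from the report above, keeping one of the
# verbatim repeats that appear in the pasted audit log.
SAMPLE_AVC = """\
type=AVC msg=audit(1401722841.555:184): avc:  denied  { getattr } for  pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722841.555:184): avc:  denied  { getattr } for  pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc:  denied  { read open } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc:  denied  { getattr } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc:  denied  { ioctl } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
"""

# Pull out what an allow rule needs: permissions, source type, target type, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<src>\w+):\S+ tcontext=\w+:\w+:(?P<tgt>\w+):\S+ "
    r"tclass=(?P<cls>\w+)"
)

def parse_avc(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # repeated lines and repeated permissions collapse into one set
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def to_te(rules):
    """Render the rules in the require/allow layout audit2allow emits."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls].update(perms)
    out = ["require {"] + [f"    type {t};" for t in types]
    out += [f"    class {c} {fmt_perms(p)};" for c, p in sorted(by_class.items())]
    out.append("}")
    for src in sorted({src for src, _, _ in rules}):
        out += ["", f"#============= {src} =============="]
        for (s, tgt, cls), perms in sorted(rules.items()):
            if s == src:
                out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_te(parse_avc(SAMPLE_AVC)))
```

The output only transcribes what was denied; whether a rule such as passenger_t reading foreman_enc_t is acceptable is a judgement about the file types involved, which is what the review in the comments below settles.
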
Related issues

Related to SELinux - Bug #6013: AVC denials from Passenger on Foreman 1.6 on EL7 Closed 06/02/2014
Blocks Foreman - Tracker #4447: Support installation on RHEL 7 Closed 02/25/2014

Associated revisions

Revision 7a59c903
Added by Lukas Zapletal over 3 years ago

Fixes #6013, #6014, #6979 - changes for RHEL7

History

#1 Updated by Dominic Cleal over 3 years ago

#2 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #6013: AVC denials from Passenger on Foreman 1.6 on EL7 added

#3 Updated by Dominic Cleal over 3 years ago

  • Release set to 1.6.0

#4 Updated by Ohad Levy over 3 years ago

  • Target version set to Sprint 27

#5 Updated by Lukas Zapletal over 3 years ago

  • Status changed from New to Ready For Testing
  • Assigned To set to Lukas Zapletal

These can be safely added; for some reason Puppet reads the ENC script. Different Puppet in RHEL7, I guess. Allowed.

https://github.com/theforeman/foreman-selinux/pull/26

#6 Updated by Anonymous over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
