Bug #12990

Unable to use symlinks in puppet environments (hieradata)

Added by Tommy McNeely over 3 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: Smart proxy

Description

OS: CentOS 7.2
Version: foreman-selinux-1.10.0-1.el7.noarch

Symbolic links in the hieradata directory (and potentially elsewhere) are not readable.

Audit Log output:

type=AVC msg=audit(1451973008.032:53171): avc:  denied  { read } for  pid=12880 comm="ruby" name="somelink.yaml" dev="vda1" ino=400291 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file

Workaround puppetlinks.te...

module puppetlinks 1.0;
require { type passenger_t; type puppet_etc_t; class lnk_file read; }
#============= passenger_t ==============
allow passenger_t puppet_etc_t:lnk_file read;

Suggested fix:

in foreman.te, in the `passenger_run_puppetmaster` ...

read_lnk_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)

Currently around: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L248
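To make the step from the AVC record to the workaround module explicit, here is an added example (not code from the bug report or from foreman-selinux) that parses the denial quoted above and derives the same allow rule and loadable module that audit2allow -M would produce. The AVC line is the one from the report; the module name "puppetlinks" is the reporter's; everything else is constructed for illustration.

```python
"""Parse an SELinux AVC denial record and derive the minimal allow rule.

Added example, not part of the bug report: it reproduces by hand the
mapping audit2allow performs from the denial in the report (passenger_t
reading a lnk_file labelled puppet_etc_t) to the policy line in the
puppetlinks.te workaround.
"""
import re

# The AVC record quoted in the bug description (copied verbatim).
AVC_LINE = ('type=AVC msg=audit(1451973008.032:53171): avc:  denied  { read } for  '
            'pid=12880 comm="ruby" name="somelink.yaml" dev="vda1" ino=400291 '
            'scontext=system_u:system_r:passenger_t:s0 '
            'tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file')

# "avc:  denied  { perm perm } for  key=value ..." (or "granted")
_AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted or a bare token
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return decision, permission set and key=value fields of one AVC record.

    Returns None for audit lines that are not AVC records (SYSCALL, CWD, ...)."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('fields'))}
    return {'decision': m.group('decision'),
            'perms': set(m.group('perms').split()),
            'fields': fields}


def context_type(context):
    """Extract the type component (third field) of user:role:type:level."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % context)
    return parts[2]


def allow_rule(avc):
    """Build the rule that would permit exactly this denial: allow src tgt:class perms;"""
    src = context_type(avc['fields']['scontext'])
    tgt = context_type(avc['fields']['tcontext'])
    cls = avc['fields']['tclass']
    perms = ' '.join(sorted(avc['perms']))
    if len(avc['perms']) > 1:
        perms = '{ %s }' % perms
    return 'allow %s %s:%s %s;' % (src, tgt, cls, perms)


def module_source(avcs, name, version='1.0'):
    """Render a loadable .te module (module / require / allow) from parsed denials."""
    rules = sorted({allow_rule(a) for a in avcs if a['decision'] == 'denied'})
    types = sorted({context_type(a['fields'][k]) for a in avcs for k in ('scontext', 'tcontext')})
    classes = {}
    for a in avcs:
        classes.setdefault(a['fields']['tclass'], set()).update(a['perms'])
    lines = ['module %s %s;' % (name, version), '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    for cls, perms in sorted(classes.items()):
        p = ' '.join(sorted(perms))
        lines.append('\tclass %s %s;' % (cls, p if len(perms) == 1 else '{ %s }' % p))
    lines += ['}', ''] + rules
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(module_source([parse_avc(AVC_LINE)], 'puppetlinks'))
```

Running it prints a module equivalent to the puppetlinks.te workaround; the generated rule is scoped to the exact source type, target type, object class and permission from the denial, which is the check worth doing before loading any such module with semodule: a rule broader than the denial (for example on `file` instead of `lnk_file`, or with `{ read write }`) grants more than the workaround needs.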

Associated revisions

Revision d0b68b39 (diff)
Added by Lukas Zapletal over 3 years ago

Fixes #12990 - allow reading of puppet symlinks

History

#1 Updated by Lukas Zapletal over 3 years ago

  • Subject changed from unable to use symlinks in puppet environments (hieradata) to Unable to use symlinks in puppet environments (hieradata)
  • Category set to Smart proxy

Puppet policy is part of SELinux Core Policy and Fedora Core Policy. You should report there; we only carry some workarounds for old platforms like RHEL 6.

Anyway, I filed a PR to work around this issue.

#2 Updated by Lukas Zapletal over 3 years ago

Oh wait, you said passenger, you're at the good place then ;-)

#3 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Pull request https://github.com/theforeman/foreman-selinux/pull/54 added

#4 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) set to 104

#5 Updated by Anonymous over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
