Bug #12990
closed
Unable to use symlinks in puppet environments (hieradata)
Description
OS: CentOS 7.2
Version: foreman-selinux-1.10.0-1.el7.noarch
Symbolic links in the hieradata directory (and potentially elsewhere) are not readable.
Audit Log output:
type=AVC msg=audit(1451973008.032:53171): avc: denied { read } for pid=12880 comm="ruby" name="somelink.yaml" dev="vda1" ino=400291 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file
Workaround puppetlinks.te...
#============= passenger_t ==============
allow passenger_t puppet_etc_t:lnk_file read;
Suggested fix:
In foreman.te, in the `passenger_run_puppetmaster` ...
read_lnk_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)
Currently around: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L248
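The step from the audit record to the workaround rule can be reproduced mechanically. The sketch below is an added example, not part of the original report or of foreman-selinux: it parses AVC denial records and merges them into `allow` rules in the way audit2allow does. The function names and the SYSCALL sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Denial as quoted in the report above.
REPORTED_DENIAL = 'type=AVC msg=audit(1451973008.032:53171): avc: denied { read } for pid=12880 comm="ruby" name="somelink.yaml" dev="vda1" ino=400291 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file'
# Constructed non-AVC record, to show that unrelated audit lines are skipped.
CONSTRUCTED_NOISE = 'type=SYSCALL msg=audit(1451973008.032:53171): arch=c000003e syscall=2 success=no'

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
            m["tclass"], frozenset(m["perms"].split()))

def allow_rules(lines):
    """Merge denials per (source, target, class) and render them as allow rules."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, tclass, perms = parsed
            merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules([REPORTED_DENIAL, CONSTRUCTED_NOISE]):
        print(rule)
```

Review the generated rule before compiling it into a module: it grants `passenger_t` read access to every symlink labelled `puppet_etc_t`, not only the one named in the denial.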
Updated by Lukas Zapletal almost 9 years ago
- Subject changed from unable to use symlinks in puppet environments (hieradata) to Unable to use symlinks in puppet environments (hieradata)
- Category set to Smart proxy
Puppet policy is part of SELinux Core Policy and Fedora Core Policy. You should report it there; we only carry some workarounds for old platforms like RHEL 6.
Anyway, I filed a PR to work around this issue.
Updated by Lukas Zapletal almost 9 years ago
Oh wait, you said passenger, you're in the right place then ;-)
Updated by The Foreman Bot almost 9 years ago
- Status changed from New to Ready For Testing
- Assignee set to Lukas Zapletal
- Pull request https://github.com/theforeman/foreman-selinux/pull/54 added
Updated by Dominic Cleal almost 9 years ago
- Translation missing: en.field_release set to 104
Updated by Anonymous almost 9 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset d0b68b3992d14f019574232ab8031bb3c06bb7d5.