Project

General

Custom queries

Profile

Actions
Copy link

Bug #12990

closed

Unable to use symlinks in puppet environments (hieradata)

Added by Tommy McNeely over 9 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Lukas Zapletal
Category:
Smart proxy
Target version:
1.10.1
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman-selinux/pull/54
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

OS: CentOS 7.2
Version: foreman-selinux-1.10.0-1.el7.noarch

Symbolic links in the hieradata directory (and potentially elsewhere) are not readable.

Audit Log output:

type=AVC msg=audit(1451973008.032:53171): avc:  denied  { read } for  pid=12880 comm="ruby" name="somelink.yaml" dev="vda1" ino=400291 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file

Workaround puppetlinks.te...

#============= passenger_t ==============
allow passenger_t puppet_etc_t:lnk_file read;

Suggested fix:

in foreman.te, in the `passenger_run_puppetmaster` ...

read_lnk_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)

Currently around: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L248

Actions
Copy link
 #1

Updated by Lukas Zapletal over 9 years ago

  • Subject changed from unable to use symlinks in puppet environments (hieradata) to Unable to use symlinks in puppet environments (hieradata)
  • Category set to Smart proxy

Puppet policy is part of SELinux Core Policy and Fedora Core Policy. You should report there, we only carry some workarounds for old platforms like RHEL 6.

Anyway, I filed a PR to workaround this issue.

Actions
Copy link
 #2

Updated by Lukas Zapletal over 9 years ago

Oh wait you said passenger, you're at the good place then ;-)

Actions
Copy link
 #5

Updated by Anonymous over 9 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF