Bug #12991

puppetdb connectivity should be allowed by passenger_run_puppetmaster

Added by Tommy McNeely over 4 years ago. Updated about 1 month ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Triaged: No

Description

I suppose it could be an "additional" sebool, but as far as I am concerned, it's part of running a puppet master, so as part of passenger_run_puppetmaster, connectivity to port 8081/tcp (default) should be allowed. I suppose that would involve creating a puppetdb_port_t or something?

As a workaround, you can allow passenger to connect to anything (passenger_can_connect_all).


Related issues

Has duplicate SELinux - Bug #16382: SELinux Preventing Host Deletion (Duplicate, 2016-08-30)

History

#1 Updated by Dominic Cleal almost 4 years ago

  • Has duplicate Bug #16382: SELinux Preventing Host Deletion added

#2 Updated by Lukas Zapletal about 1 month ago

  • Status changed from New to Rejected

We have this in the policy:

```
# Connecting to puppet server
optional_policy(`
    tunable_policy(`foreman_rails_can_connect_puppetmaster', `
        corenet_tcp_connect_puppet_port(foreman_rails_t)
    ')
')
```

The macro is defined in RHEL policy; file a BZ there if you want the port to be added there.
