Bug #25783
closed
Websockify - no selinux read for etc_puppet_t
Description
When trying to use foreman console / websockify with recent version of puppet I get an SElinux denial trying to read the puppet ssl certificates in /etc/puppetlabs/puppet/ssl.
From what I can tell the foreman selinux policy for websockify includes a read files pattern for puppet_var_lib_t:
read_files_pattern(websockify_t, puppet_var_lib_t, puppet_var_lib_t)
...but puppet 5 uses /etc/puppetlabs/puppet/ssl directory with type puppet_etc_t and so we get this denial:
avc: denied { open } for pid=1849031 comm="websockify.py" path="/etc/puppetlabs/puppet/ssl/certs/mycert.pem" dev="dm-0" ino=53945623 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1Would the fix be as simple as adding a line like 'read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)' ? If so I could easily make that PR. Just want to verify I'm not misunderstanding the issue first.
Updated by Ben Meekhof almost 6 years ago
Small follow-up: I found that an additional selinux allowance was needed to fix the problem in my case. So the local policy change I made to fix the problem was:
require {
type puppet_etc_t;
type websockify_t;
class file { getattr open read };
class dir search;
}
allow websockify_t puppet_etc_t:dir search;
allow websockify_t puppet_etc_t:file { getattr open read };
Which I think works out to the macro pattern (just following existing var/lib example):
files_search_etc(websockify_t)
read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)
Updated by Lukas Zapletal almost 6 years ago
- Category set to General Foreman
- Triaged changed from No to Yes
That is a correct fix, please proceed. Thanks!
Updated by The Foreman Bot almost 6 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman-selinux/pull/87 added
Updated by Anonymous almost 6 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset b9092c17c713811f0952bb7e61309957f63038ee.
Updated by