
Bug #25783

Websockify - no selinux read for etc_puppet_t

Added by Ben Meekhof 3 months ago. Updated 2 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: General Foreman
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

When trying to use foreman console / websockify with a recent version of puppet I get an SELinux denial trying to read the puppet ssl certificates in /etc/puppetlabs/puppet/ssl.

From what I can tell the foreman selinux policy for websockify includes a read files pattern for puppet_var_lib_t:
read_files_pattern(websockify_t, puppet_var_lib_t, puppet_var_lib_t)

...but puppet 5 uses /etc/puppetlabs/puppet/ssl directory with type puppet_etc_t and so we get this denial:

avc:  denied  { open } for  pid=1849031 comm="websockify.py" path="/etc/puppetlabs/puppet/ssl/certs/mycert.pem" dev="dm-0" ino=53945623 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1

Would the fix be as simple as adding a line like 'read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)' ? If so I could easily make that PR. Just want to verify I'm not misunderstanding the issue first.

Associated revisions

Revision b9092c17 (diff)
Added by Ben Meekhof 3 months ago

Fixes #25783: Allow websockify to read puppet_etc_t

History

#1 Updated by Ben Meekhof 3 months ago

Small follow-up: I found that an additional selinux allowance was needed to fix the problem in my case. So the local policy change I made to fix the problem was:

    # module header added so the snippet builds as a stand-alone local policy
    # module with checkmodule/semodule_package; the module name is a placeholder
    module local_websockify_puppet 1.0;

    require {
        type puppet_etc_t;
        type websockify_t;
        class file { getattr open read };
        class dir search;
    }
    # directory traversal into /etc/puppetlabs/puppet/ssl and its subdirectories
    allow websockify_t puppet_etc_t:dir search;
    # read access to the certificate and key files themselves
    allow websockify_t puppet_etc_t:file { getattr open read };

Which I think works out to the macro pattern (just following existing var/lib example):

files_search_etc(websockify_t)
read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)
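
The step from the AVC denial in the description to the allow rules and macro in this comment is mechanical, and it is worth seeing done explicitly. The following is an added example (not part of the report, the PR, or foreman-selinux): a small Python script that parses audit AVC lines, merges them into audit2allow-style allow rules, and checks whether the merged permissions fit the refpolicy read_files_pattern() interface. The first sample line is the denial quoted in the report; the other two are constructed to reproduce the getattr/read and dir search denials described in this comment. The permission sets READ_FILE_PERMS and LIST_DIR_PERMS are taken from refpolicy's obj_perm_sets; everything else is assumed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial from the bug report; lines 2-3
# are constructed to show the extra file perms and the dir search from comment #1.
SAMPLE_AVC = """\
avc:  denied  { open } for  pid=1849031 comm="websockify.py" path="/etc/puppetlabs/puppet/ssl/certs/mycert.pem" dev="dm-0" ino=53945623 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1
avc:  denied  { getattr read } for  pid=1849031 comm="websockify.py" path="/etc/puppetlabs/puppet/ssl/certs/mycert.pem" dev="dm-0" ino=53945623 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1
avc:  denied  { search } for  pid=1849031 comm="websockify.py" name="ssl" dev="dm-0" ino=53945600 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=1
"""

# Fields of an AVC record we need: permissions, source/target contexts, object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# refpolicy permission sets (obj_perm_sets.spt) that read_files_pattern() expands to:
#   allow $1 $2:dir list_dir_perms;  allow $1 $3:file read_file_perms;
READ_FILE_PERMS = {'getattr', 'open', 'read', 'lock', 'ioctl', 'map'}
LIST_DIR_PERMS = {'getattr', 'search', 'open', 'read', 'lock', 'ioctl'}


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return a list of (source_type, target_type, tclass, frozenset(perms)) per denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        denials.append((context_type(m['scontext']),
                        context_type(m['tcontext']),
                        m['tclass'],
                        frozenset(m['perms'].split())))
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), like audit2allow."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ %s }' % p
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, p))
    return rules


def suggest_macros(denials):
    """Suggest read_files_pattern(src, tgt, tgt) when every denied permission on a
    (source, target) pair is already covered by that interface's expansion."""
    by_pair = defaultdict(lambda: defaultdict(set))
    for src, tgt, cls, perms in denials:
        by_pair[(src, tgt)][cls] |= perms
    suggestions = []
    for (src, tgt), classes in sorted(by_pair.items()):
        only_file_dir = set(classes) <= {'file', 'dir'}
        file_ok = classes.get('file', set()) <= READ_FILE_PERMS
        dir_ok = classes.get('dir', set()) <= LIST_DIR_PERMS
        if only_file_dir and file_ok and dir_ok:
            suggestions.append('read_files_pattern(%s, %s, %s)' % (src, tgt, tgt))
    return suggestions


if __name__ == '__main__':
    found = parse_avc(SAMPLE_AVC)
    print('\n'.join(allow_rules(found)))
    print('\n'.join(suggest_macros(found)))
```

Run it as-is and the allow rules it prints are the two lines from the local policy above; the suggested interface is the read_files_pattern() line. Denials outside the read set (for example write or unlink on a file) fall through without a suggestion, which is the point: a macro should only be substituted when its expansion covers nothing beyond what was actually denied.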

#2 Updated by Lukas Zapletal 3 months ago

  • Triaged changed from No to Yes
  • Category set to General Foreman

That is a correct fix, please proceed. Thanks!

#3 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/87 added

#4 Updated by Anonymous 3 months ago

  • Status changed from Ready For Testing to Closed

#5 Updated by Tomer Brisker 2 months ago

  • Fixed in Releases 1.21.0 added
