Bug #25783

Websockify - no selinux read for etc_puppet_t

Added by Ben Meekhof over 2 years ago. Updated over 2 years ago.

General Foreman
Target version:
Bugzilla link:


When trying to use foreman console / websockify with recent version of puppet I get an SElinux denial trying to read the puppet ssl certificates in /etc/puppetlabs/puppet/ssl.

From what I can tell the foreman selinux policy for websockify includes a read files pattern for puppet_var_lib_t:
read_files_pattern(websockify_t, puppet_var_lib_t, puppet_var_lib_t)

...but puppet 5 uses /etc/puppetlabs/puppet/ssl directory with type puppet_etc_t and so we get this denial:

avc:  denied  { open } for  pid=1849031 comm="" path="/etc/puppetlabs/puppet/ssl/certs/mycert.pem" dev="dm-0" ino=53945623 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1

Would the fix be as simple as adding a line like 'read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)' ? If so I could easily make that PR. Just want to verify I'm not misunderstanding the issue first.

Associated revisions

Revision b9092c17 (diff)
Added by Ben Meekhof over 2 years ago

Fixes #25783: Allow websockify to read puppet_etc_t


#1 Updated by Ben Meekhof over 2 years ago

Small follow-up: I found that an additional selinux allowance was needed to fix the problem in my case. So the local policy change I made to fix the problem was:

require {
type puppet_etc_t;
type websockify_t;
class file { getattr open read };
class dir search;
allow websockify_t puppet_etc_t:dir search;
allow websockify_t puppet_etc_t:file { getattr open read };

Which I think works out to the macro pattern (just following existing var/lib example):

read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)

#2 Updated by Lukas Zapletal over 2 years ago

  • Triaged changed from No to Yes
  • Category set to General Foreman

That is a correct fix, please proceed. Thanks!

#3 Updated by The Foreman Bot over 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request added

#4 Updated by Anonymous over 2 years ago

  • Status changed from Ready For Testing to Closed

#5 Updated by Tomer Brisker over 2 years ago

  • Fixed in Releases 1.21.0 added

Also available in: Atom PDF