Project

General

Custom queries

Profile

Actions
Copy link

Bug #25783

closed

Websockify - no selinux read for etc_puppet_t

Added by Ben Meekhof over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
General Foreman
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman-selinux/pull/87
Fixed in Releases:
Foreman - 1.21.0
Found in Releases:
Foreman - 1.20.1
Red Hat JIRA:

Description

When trying to use foreman console / websockify with recent version of puppet I get an SElinux denial trying to read the puppet ssl certificates in /etc/puppetlabs/puppet/ssl.

From what I can tell the foreman selinux policy for websockify includes a read files pattern for puppet_var_lib_t:
read_files_pattern(websockify_t, puppet_var_lib_t, puppet_var_lib_t)

...but puppet 5 uses /etc/puppetlabs/puppet/ssl directory with type puppet_etc_t and so we get this denial:

avc:  denied  { open } for  pid=1849031 comm="websockify.py" path="/etc/puppetlabs/puppet/ssl/certs/mycert.pem" dev="dm-0" ino=53945623 scontext=system_u:system_r:websockify_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file permissive=1

Would the fix be as simple as adding a line like 'read_files_pattern(websockify_t, puppet_etc_t, puppet_etc_t)' ? If so I could easily make that PR. Just want to verify I'm not misunderstanding the issue first.

#2

Updated by Lukas Zapletal over 6 years ago

  • Category set to General Foreman
  • Triaged changed from No to Yes
#3

Updated by The Foreman Bot over 6 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-selinux/pull/87 added
#4

Updated by Anonymous over 6 years ago

  • Status changed from Ready For Testing to Closed
#5

Updated by Tomer Brisker over 6 years ago

  • Fixed in Releases 1.21.0 added
Actions
Copy link

Also available in: Atom PDF