Bug #37999

closed

allow smart-proxy with PuppetCA to read some etc files

Added by PopiBrossard please_edit_me 4 months ago. Updated 2 days ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Smart proxy
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Dear maintainer,
The current foreman-proxy SELinux policy isn't working when trying to use the PuppetCA feature. The proxy tries to read some files in /etc/foreman-proxy but is not allowed:

type=AVC msg=audit(1721979897.417:100790): avc:  denied  { read } for  pid=731469 comm="smart-proxy" name="puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721979897.417:100790): avc:  denied  { open } for  pid=731469 comm="smart-proxy" path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721979897.417:100791): avc:  denied  { ioctl } for  pid=731469 comm="smart-proxy" path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 ioctlcmd=0x5401 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721979897.417:100792): avc:  denied  { getattr } for  pid=731469 comm="smart-proxy" path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1

See https://github.com/theforeman/foreman-selinux/pull/168 for my proposed fix.
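
Added example, not part of the original report or of the foreman-selinux project: a small parser that groups the AVC records quoted above by source type, target type and object class, so the full set of denied permissions and the enforcement mode can be read at a glance. The function names are hypothetical, the sample lines are the report's records abridged, and the rendered rule is only a summary of the denials, not the change made in the pull request.

```python
import re
from collections import defaultdict

# The four records from the report, abridged (dev= and ino= fields dropped).
HEAD = ('type=AVC msg=audit(1721979897.417:{}): avc:  denied  {{ {} }} for  '
        'pid=731469 comm="smart-proxy" ')
PATH = 'path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" '
CTX = ('scontext=system_u:system_r:foreman_proxy_t:s0 '
       'tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1')
SAMPLE = "\n".join([
    HEAD.format(100790, "read") + 'name="puppetca_hostname_whitelisting.yml" ' + CTX,
    HEAD.format(100790, "open") + PATH + CTX,
    HEAD.format(100791, "ioctl") + PATH + "ioctlcmd=0x5401 " + CTX,
    HEAD.format(100792, "getattr") + PATH + CTX,
])

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
    r"(?:\s+permissive=(?P<perm>[01]))?")
PATH_RE = re.compile(r'\bpath="([^"]+)"')

def se_type(context):
    # A context is user:role:type:level; only the level may contain further ':'.
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set(), "permissive": True})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        entry = groups[(se_type(m["src"]), se_type(m["tgt"]), m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["paths"].update(PATH_RE.findall(line))
        # permissive=1: the access was logged but not blocked.
        if m["perm"] != "1":
            entry["permissive"] = False
    return dict(groups)

def as_rule(key, entry):
    """Render one group in type-enforcement rule syntax, for review only."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(entry['perms']))} }};"

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        mode = "permissive" if entry["permissive"] else "enforced"
        print(as_rule(key, entry), f"# {mode}; paths: {sorted(entry['paths'])}")
```
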

Actions #1

Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
Actions #2

Updated by The Foreman Bot about 1 month ago

  • Fixed in Releases 3.14.0 added
Actions #3

Updated by PopiBrossard please_edit_me about 1 month ago

  • Status changed from Ready For Testing to Closed
Actions #4

Updated by Ewoud Kohl van Wijngaarden 2 days ago

  • Category set to Smart proxy
  • Triaged changed from No to Yes