Actions
Bug #37999
closed
allow smart-proxy with PuppetCA to read some etc files
Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Smart proxy
Target version:
-
Difficulty:
Triaged:
Yes
Description
Dear maintainer,
The current foreman-proxy SELinux policy isn't working when trying to use the PuppetCA feature. The proxy tries to read some files in /etc/foreman-proxy but is not allowed:
type=AVC msg=audit(1721979897.417:100790): avc: denied { read } for pid=731469 comm="smart-proxy" name="puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721979897.417:100790): avc: denied { open } for pid=731469 comm="smart-proxy" path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721979897.417:100791): avc: denied { ioctl } for pid=731469 comm="smart-proxy" path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 ioctlcmd=0x5401 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1721979897.417:100792): avc: denied { getattr } for pid=731469 comm="smart-proxy" path="/etc/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml" dev="dm-0" ino=33791767 scontext=system_u:system_r:foreman_proxy_t:s0 tcontext=system_u:object_r:hostname_etc_t:s0 tclass=file permissive=1
See https://github.com/theforeman/foreman-selinux/pull/168 for my proposition of fix.
Updated by 
Updated by 
Updated by
Actions