Project

General

Profile

Bug #6014

AVC denials from Puppet under Passenger on Foreman 1.6 on EL7

Added by Dominic Cleal about 4 years ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

foreman-selinux-1.6.0-0.develop.201405301314git8ad6a63.el7.noarch
mod_passenger-4.0.18-9.5.el7.x86_64
puppet-3.6.0-1.el7.noarch
redhat-release-server-7.0-0.5.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch
selinux-policy-targeted-3.12.1-153.el7.noarch

type=AVC msg=audit(1401722841.555:184): avc:  denied  { getattr } for  pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722841.555:184): avc:  denied  { getattr } for  pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc:  denied  { read open } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc:  denied  { read open } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc:  denied  { getattr } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc:  denied  { ioctl } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc:  denied  { getattr } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc:  denied  { ioctl } for  pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
require {
    type httpd_t;
    type foreman_enc_t;
    type puppet_etc_t;
    type passenger_t;
    class file { read getattr open ioctl };
}

#============= httpd_t ==============
allow httpd_t puppet_etc_t:file getattr;

#============= passenger_t ==============
allow passenger_t foreman_enc_t:file { read getattr open ioctl };

Related issues

Related to SELinux - Bug #6013: AVC denials from Passenger on Foreman 1.6 on EL7Closed2014-06-02
Blocks Foreman - Tracker #4447: Support installation on RHEL 7Closed2014-02-25

Associated revisions

Revision 7a59c903 (diff)
Added by Lukas Zapletal about 4 years ago

Fixes #6013, #6014, #6979 - changes for RHEL7

History

#1 Updated by Dominic Cleal about 4 years ago

#2 Updated by Dominic Cleal about 4 years ago

  • Related to Bug #6013: AVC denials from Passenger on Foreman 1.6 on EL7 added

#3 Updated by Dominic Cleal about 4 years ago

  • Legacy Backlogs Release (now unused) set to 10

#4 Updated by Ohad Levy about 4 years ago

  • Target version set to 1.7.5

#5 Updated by Lukas Zapletal about 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal

These can be safely added, for some reason Puppet reads the ENC script. Different puppet in RHEL7 I guess. Allowed.

https://github.com/theforeman/foreman-selinux/pull/26

#6 Updated by Anonymous about 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

Also available in: Atom PDF