Bug #6014
closed
AVC denials from Puppet under Passenger on Foreman 1.6 on EL7
Description
foreman-selinux-1.6.0-0.develop.201405301314git8ad6a63.el7.noarch
mod_passenger-4.0.18-9.5.el7.x86_64
puppet-3.6.0-1.el7.noarch
redhat-release-server-7.0-0.5.el7.x86_64
selinux-policy-3.12.1-153.el7.noarch
selinux-policy-targeted-3.12.1-153.el7.noarch
type=AVC msg=audit(1401722841.555:184): avc: denied { getattr } for pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722841.555:184): avc: denied { getattr } for pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc: denied { read open } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc: denied { read open } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc: denied { getattr } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc: denied { ioctl } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc: denied { getattr } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc: denied { ioctl } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
require {
	type httpd_t;
	type foreman_enc_t;
	type puppet_etc_t;
	type passenger_t;
	class file { read getattr open ioctl };
}

#============= httpd_t ==============
allow httpd_t puppet_etc_t:file getattr;

#============= passenger_t ==============
allow passenger_t foreman_enc_t:file { read getattr open ioctl };
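The step from the AVC denials to the allow rules above, as an added example that is not part of the original report or of foreman-selinux: it parses the audit records, groups the denied permissions by source type, target type and class, and emits candidate rules for review. The function names are hypothetical and the sample is constructed from records in the report, including one duplicate.

```python
import re
from collections import defaultdict

# Constructed sample: denials copied from the report above, one record duplicated.
SAMPLE = '''\
type=AVC msg=audit(1401722841.555:184): avc: denied { getattr } for pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722841.555:184): avc: denied { getattr } for pid=6411 comm="httpd" path="/etc/puppet/rack/config.ru" dev="vda1" ino=872026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1401722842.836:186): avc: denied { read open } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:187): avc: denied { getattr } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
type=AVC msg=audit(1401722842.873:188): avc: denied { ioctl } for pid=6514 comm="ruby" path="/etc/puppet/node.rb" dev="vda1" ino=8422725 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:foreman_enc_t:s0 tclass=file
'''

# One denied-AVC record; finditer() also copes with records run together on one line.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<c>\S+)'
)

def summarize(log_text):
    """Return {(source_type, target_type, tclass): {perms}} for denied AVCs."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        # An SELinux context is user:role:type:level; the rule needs only the type.
        src = m['s'].split(':')[2]
        tgt = m['t'].split(':')[2]
        # Using a set makes duplicated records collapse into one permission.
        rules[(src, tgt, m['c'])].update(m['perms'].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render candidate allow rules; permissions are sorted alphabetically,
    so their order can differ from audit2allow's while the set is the same."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_s = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_s};')
    return out

if __name__ == '__main__':
    # Each line is a rule to review against the policy's intent before adding it.
    for rule in to_allow_rules(summarize(SAMPLE)):
        print(rule)
```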
Updated by Dominic Cleal over 10 years ago
- Blocks Tracker #4447: Support installation on RHEL 7 added
Updated by Dominic Cleal over 10 years ago
- Related to Bug #6013: AVC denials from Passenger on Foreman 1.6 on EL7 added
Updated by Dominic Cleal over 10 years ago
- Translation missing: en.field_release set to 10
Updated by Lukas Zapletal about 10 years ago
- Status changed from New to Ready For Testing
- Assignee set to Lukas Zapletal
These can be safely added; for some reason Puppet reads the ENC script. Different Puppet in RHEL7, I guess. Allowed.
Updated by Anonymous about 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 7a59c90304ef32a67457a8071bbda07d161b6236.