Issue #2206
closed
SELinux denials when puppet distributor writing to Puppet 4 AIO directories
Description
In Puppet 4, the module directories have moved to /etc/puppetlabs/code/environments and these directories are not handled by selinux-policy-targeted like Puppet 3 is, so they have the default context etc_t.
When Katello goes to publish a puppet environment, we get selinux denails:
type=AVC msg=audit(1472066646.325:1365): avc: denied { write } for pid=28236 comm="celery" name="environments" dev="vda3" ino=268419 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
Because the pulp-selinux policty only allows celery_t access to etc_puppet_t.
I'm not sure if the right approach is to update the pulp policy to allow access to etc_t or get Red Hat to update selinux-policy-targeted for puppet 4 aio.
Updated by stbenjam over 7 years ago
I filed a bugzilla against the selinux targeted policy: https://bugzilla.redhat.com/show_bug.cgi?id=1369938
Updated by bmbouter over 7 years ago
We should not allow celery_t to write to etc_t. I recommend relabeling the directory Pulp is installing puppet modules into to have the expected etc_puppet_t label. Filing the bug against the selinux targeted policy sounds like the best way to have that happen when the directory is a typical location for Puppet 4 AIO. The label could be applied in another policy (not pulp) as a near-term workaround.
FYI, you will also need to enable the puppet_manage_puppet selinux boolean[0] provided by the pulp SELinux policy.
I won't be here at triage, but I recommend closing as notabug.
Updated by amacdona@redhat.com over 7 years ago
- Status changed from NEW to CLOSED - NOTABUG
.