Issue #2206

closed

SELinux denials when puppet distributor writing to Puppet 4 AIO directories

Added by stbenjam over 7 years ago. Updated over 3 years ago.

Status: CLOSED - NOTABUG
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: 2.9.1
Platform Release:
OS: CentOS 7
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

In Puppet 4, the module directories have moved to /etc/puppetlabs/code/environments and these directories are not handled by selinux-policy-targeted like Puppet 3 is, so they have the default context etc_t.

When Katello goes to publish a puppet environment, we get selinux denials:

type=AVC msg=audit(1472066646.325:1365): avc: denied { write } for pid=28236 comm="celery" name="environments" dev="vda3" ino=268419 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

Because the pulp-selinux policy only allows celery_t access to etc_puppet_t.

I'm not sure if the right approach is to update the pulp policy to allow access to etc_t or get Red Hat to update selinux-policy-targeted for puppet 4 aio.
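The AVC record quoted above carries everything needed to see what policy change it implies: the source domain (celery_t), the target type (etc_t), the object class (dir) and the denied permission (write). As an added example, not part of the issue and not Pulp or Katello code, the following Python parses such records, merges the denied permissions per source type, target type and object class, and emits the allow rule an audit2allow-style tool would propose. It also flags when the target is a generic type such as etc_t, because a rule written against that type reaches every etc_t-labelled object rather than just the Puppet environment directories, which is why relabelling the directory (the issue's second option) is the narrower fix. The second AVC line, the SYSCALL line and the list of generic types are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample audit records. The first is the AVC denial quoted in the issue; the
# second AVC line and the SYSCALL line are constructed here to show how
# several denials and non-AVC records are handled.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1472066646.325:1365): avc: denied { write } for pid=28236 '
    'comm="celery" name="environments" dev="vda3" ino=268419 '
    'scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    # constructed record (not from the issue)
    'type=AVC msg=audit(1472066700.001:1366): avc: denied { read open } for pid=28236 '
    'comm="celery" path="/etc/puppetlabs/code/environments/production/modules" dev="vda3" '
    'ino=268420 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    # constructed non-AVC record, ignored by the parser
    'type=SYSCALL msg=audit(1472066646.325:1365): arch=c000003e syscall=83 success=no exit=-13',
]

# Generic file types whose appearance as a denial target usually means the
# object is mislabelled rather than that the domain needs broader access.
# Illustrative list, not taken from any policy source.
GENERIC_TARGET_TYPES = {"etc_t", "var_t", "usr_t", "default_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record into its security-relevant fields.

    Returns None for lines that are not AVC denials (e.g. SYSCALL records).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # name= is the last path component; path= appears when the full path is known
        "object": fields.get("path") or fields.get("name"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(lines):
    """Merge denied permissions per (source type, target type, object class)."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return dict(merged)


def required_rules(lines):
    """Emit the allow rules that would silence these denials, audit2allow style."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(lines).items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def is_broad_target(target_type):
    """True when an allow rule on this type would reach far beyond one directory."""
    return target_type in GENERIC_TARGET_TYPES


if __name__ == "__main__":
    for rule in required_rules(SAMPLE_AUDIT_LINES):
        print(rule)
    for (src, tgt, cls) in summarize_denials(SAMPLE_AUDIT_LINES):
        if is_broad_target(tgt):
            print(f"warning: {tgt} labels far more than the Puppet environment tree; "
                  "a dedicated file context for the directory is the narrower fix")
```

Run stand-alone, the script prints the merged rule for the constructed sample and a warning that etc_t is a generic type; the same functions can be fed lines from ausearch or /var/log/audit/audit.log.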
