Bug #12990: Unable to use symlinks in puppet environments (hieradata) - SELinux - Foreman

Actions

Copy link

Bug #12990

closed

Unable to use symlinks in puppet environments (hieradata)

Added by Tommy McNeely over 8 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Lukas Zapletal

Category:

Smart proxy

Target version:

1.10.1

Difficulty:

Triaged:

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman-selinux/pull/54

Fixed in Releases:

Found in Releases:

Red Hat JIRA:

Description

OS: CentOS 7.2
Version: foreman-selinux-1.10.0-1.el7.noarch

Symbolic links in the hieradata directory (and potentially elsewhere) are not readable.

Audit Log output:

type=AVC msg=audit(1451973008.032:53171): avc:  denied  { read } for  pid=12880 comm="ruby" name="somelink.yaml" dev="vda1" ino=400291 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file

Workaround puppetlinks.te...

#============= passenger_t ==============
allow passenger_t puppet_etc_t:lnk_file read;

Suggested fix:

in foreman.te, in the `passenger_run_puppetmaster` ...

read_lnk_files_pattern(httpd_t, puppet_etc_t, puppet_etc_t)

Currently around: https://github.com/theforeman/foreman-selinux/blob/develop/foreman.te#L248

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Foreman » SELinux

Custom queries

Bug #12990

Unable to use symlinks in puppet environments (hieradata)

Updated by Lukas Zapletal over 8 years ago

Updated by Lukas Zapletal over 8 years ago

Updated by The Foreman Bot over 8 years ago

Updated by Dominic Cleal over 8 years ago

Updated by Anonymous over 8 years ago