On 20/06/15 05:25, Tim Dunphy wrote:
> Hey folks,
>
> Ok so I'm having another issue with SELinux. However I think I'm
> pretty close to a solution and just need a nudge in the right
> direction.
>
> I wrote a puppet module that gets systems into bacula backups. Part
> of the formula is to distribute key/cert pairs with permissions
> that allow bacula to read them so that bacula can talk to the host
> over TLS. It's pretty slick, I must say!
>
> However on adding some new hosts to bacula backups via puppet, I
> noticed that I was getting permission denied errors on the keypairs
> on the client hosts.
>
> In my audit logs I found this entry:
>
> type=AVC msg=audit(1434769414.956:562): avc: denied { open } for
> pid=3558 comm="ruby"
> path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt"
> dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=file
>
> And audit2allow told me this:
>
> #grep puppet /var/log/audit/audit.log | audit2allow -M puppet
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
>
> semodule -i puppet.pp
>
> But in installing the module I get an error I've never seen
> before:
>
> #semodule -i puppet.pp
> libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute
> puppet_var_lib_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such
> file or directory).
> semodule: Failed!
>
> I will say that I'm getting much better at working through SELinux
> issues. I've come a long way from when I was taught by a senior
> admin I was working with to 'always disable selinux' to now making
> an effort to work through the issues.
>
> So I was hoping to get some advice on how to get over this hurdle!
>
> Thanks,
> Tim
>

Hi,

Can you give details about your puppetmasterd setup? It seems that you're using Foreman as puppet ENC. Foreman works fine with selinux enabled: that's what we use for the centos.org infra :-)

Which version of puppet/foreman are you using? Note that foreman has the foreman-selinux package that is used to automatically tune contexts and booleans needed for this. You can still reapply those settings with /usr/sbin/foreman-selinux-{disable,enable,relabel}

There is no need to recompile a custom selinux policy for foreman/puppet these days

--
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
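As an added example (mine, not code from the thread or from Foreman/Puppet), a small Python parser for AVC records like the one Tim quoted: it splits the record into its fields and reads the type out of each context, which is what you need to know before deciding whether a denial calls for a relabel or a boolean rather than a custom module. The sample record is the one from the mail, embedded as constructed input; the helper names are mine.

```python
import re

# Constructed sample input: the AVC record quoted in the thread, rejoined on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1434769414.956:562): avc: denied { open } for '
    'pid=3558 comm="ruby" '
    'path="/etc/puppet/environments/production/modules/bacula/files/'
    'monitor1/monitor1.mydomain.com.crt" '
    'dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=file'
)

# "avc: denied { open }" or "avc: denied { read open }": result plus permission set.
_PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either double-quoted (path, comm) or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict (hypothetical helper, not an audit tool API)."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line[:40])
    rec = {"result": m.group(1), "perms": tuple(m.group(2).split())}
    # Only look at key=value pairs after the permission set, so msg=audit(...) is skipped.
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val[1:-1] if val.startswith('"') else val
    rec["source_type"] = context_type(rec["scontext"])
    rec["target_type"] = context_type(rec["tcontext"])
    return rec


def summarize(rec):
    """One-line reading: which domain was denied which permissions on which label."""
    return "%s %s %s on %s labelled %s (comm=%s path=%s)" % (
        rec["source_type"], rec["result"], " ".join(rec["perms"]),
        rec.get("tclass", "?"), rec["target_type"], rec.get("comm", "?"),
        rec.get("path", "?"))


if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE_AVC)))
```

For Tim's record this reports passenger_t being denied open on a file labelled nfs_t, i.e. the puppet master process domain against a file carrying an NFS label, which points at the file's context rather than at a missing rule in the foreman policy.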