Bug 1020912
| Summary: | Puppet modules fail to deploy on a node due to selinux | |||
|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Justin Sherrill <jsherril> | |
| Component: | SELinux | Assignee: | Lukas Zapletal <lzap> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Corey Welton <cwelton> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 6.0.2 | CC: | cwelton, jmontleo, mmccune | |
| Target Milestone: | Unspecified | Keywords: | Triaged | |
| Target Release: | Unused | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| URL: | http://projects.theforeman.org/issues/6360 | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1110814 (view as bug list) | Environment: | ||
| Last Closed: | 2014-09-11 12:28:00 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1110814 | |||
|
Description
Justin Sherrill
2013-10-18 13:54:42 UTC
I would move this to MDP3, as there is already known bug on puppetmaster deployment not working on selinux for now, see https://bugzilla.redhat.com/show_bug.cgi?id=1009964 Justin, it's because /etc/puppet is under puppet_etc_t context and not etc_t. This needs to be fixed in pulp-selinux package. Please add AVC denials if you can. I dont see "Pulp" component, do we clone bugs into upstream project or what? Pulp team evaluates possibilities. Putting on hold. I am unable to reproduce on satellite6 node, pulp works fine with our selinux policy. Trying out with capsule w/ puppetmaster. While I am still working on capsule reproducer, it looks like passenger on capsule is running under httpd_t domain. Puppet policy in RHEL6 for puppetmaster is not perfect and for Foreman we carry some fixes in foreman-selinux. But on capsule/proxy we can't install foreman-selinux (due to foreman dependency). We have selinux policy breakup and smart proxy policy implementation on our TODO list, but we can't do this for beta. We will likely see errors on the puppetmaster side (passenger process, httpd_t selinux domain). There are two workarounds this: 1) permissive 2) put httpd into unconfimed mode Ready for testing: https://github.com/pulp/pulp/pull/1020 Rel eng: The fix consists of two patches: 1) One for pulp selinux policy: https://github.com/pulp/pulp/pull/1020 2) One for katello installer: https://github.com/Katello/puppet-pulp/pull/20 All patches merged, ready for downstream. Oh there is the third patch required, I had to update katello-installer: 3) https://github.com/Katello/katello-installer/pull/77 So disregard number (2) and only apply (1) and (3). I hope it's clear, if not, ping me :-) Sorry about that. Pushing to 6.0.4 for testing. Verified in Satellite-6.0.4-RHEL-7-20140829.0 This was delivered with Satellite 6.0 which was released on 10 September 2014. |