Bug 1369938
| Summary: | Puppet 4 AIO Packages aren't supported by the targeted selinux policy | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Stephen Benjamin <stbenjam> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, redhat, ssekidde, tlavigne |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-97.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1386181 | Environment: | |
| Last Closed: | 2016-11-04 02:37:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1386181 | | |

We need to add proper label for /etc/puppetlabs/code/environments.

Is this a RHEL-7.3 material?

Version is set to 7.4. Based on BZ tooltip, the version field defines the version of the software the bug was found in. It was found in 7.2.

It would be great if it can make 7.3, in time for Satellite 6.3 release which will need this.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Description of problem:

Puppet has significantly restructured their packaging to be an all-in-one RPM shipping puppet, puppet server, and facter. We will likely include these with Satellite 6.3.

/etc/puppetlabs does not get the puppet_etc_t context (which comes from selinux-policy-targeted), so applications which previously granted access to this context no longer work. For example, in Satellite 6 pulp's selinux policy grants access to puppet_etc_t to publish, which previously was /etc/puppet/modules/environments, however this has been moved to /etc/puppetlabs/code/environments, resulting in this denial:

type=AVC msg=audit(1472066646.325:1365): avc: denied { write } for pid=28236 comm="celery" name="environments" dev="vda3" ino=268419 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

Additional info:

https://docs.puppet.com/puppet/4.0/reference/whered_it_go.html
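
One way to triage a denial like the one in the description, as an added example that is not part of the bug report or of selinux-policy: it parses the AVC record, compares the target type with the type the report asks for, and builds the commands for a local file-context rule. The function names, the `EXPECTED_TYPES` table and matching on the record's `name=` field are assumptions of this example; the local rule is a stopgap on hosts that do not yet have the package listed under "Fixed In Version".

```python
import posixpath
import re
import shlex

# AVC record from the bug description above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1472066646.325:1365): avc: denied { write } for '
    'pid=28236 comm="celery" name="environments" dev="vda3" ino=268419 '
    'scontext=system_u:system_r:celery_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=dir'
)

# Assumption for this example: path -> type the bug report asks for.
EXPECTED_TYPES = {"/etc/puppetlabs/code/environments": "puppet_etc_t"}


def parse_avc(line):
    """Parse one AVC denial into a dict; return None for other records."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    try:
        tokens = shlex.split(m.group(2))  # strips the quotes around values
    except ValueError:  # unbalanced quote in a truncated record
        tokens = m.group(2).split()
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val
    for side in ("scontext", "tcontext"):
        # user:role:type[:level]; the MLS level may itself contain colons
        parts = rec.get(side, "").split(":", 3)
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def find_mislabel(rec, expected=EXPECTED_TYPES):
    """Return (path, actual_type, wanted_type) when the denied object's name
    matches a known path but carries a different type, else None."""
    for path, wanted in expected.items():
        if posixpath.basename(path) == rec.get("name") and rec["tcontext_type"] != wanted:
            return path, rec["tcontext_type"], wanted
    return None


def local_relabel_commands(path, wanted):
    """Build a local file-context rule and relabel command (returned, not run)."""
    return [
        "semanage fcontext -a -t %s '%s(/.*)?'" % (wanted, path),
        "restorecon -Rv %s" % path,
    ]
```

Because the record carries only the basename in `name=`, confirm the full path (for example with `ls -Zd`) before applying the returned commands.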