Bug 1386181

Summary: Puppet 4 AIO Packages aren't supported by the targeted selinux policy
Product: Red Hat Enterprise Linux 6
Reporter: Lukas Pramuk <lpramuk>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.9
CC: dapospis, dwalsh, lpramuk, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, stbenjam, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-307.el6
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1369938
Environment:
Last Closed: 2017-03-21 09:48:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1369938
Bug Blocks:

Comment 1 Lukas Pramuk 2016-10-18 11:12:14 UTC
Cloned #1369938 for RHEL6

Comment 4 Miroslav Grepl 2016-10-20 08:36:38 UTC
OK, I don't think the same fix will work on RHEL-6.

Could you re-test and attach SELinux issues on RHEL-6?

Thank you.

Comment 5 Lukas Pramuk 2016-10-20 08:51:31 UTC
I assumed the same fix would be OK, based on the fact that both RHEL 6 and 7 have the same output for this command:

# semanage fcontext -l |grep puppet_etc
/etc/puppet(/.*)?                                  all files          system_u:object_r:puppet_etc_t:s0

And if RHEL 7.3 is adding
/etc/puppetlabs(/.*)?                              all files          system_u:object_r:puppet_etc_t:s0

then adding the same on RHEL 6 would fix it.
Simply put, we need to extend the puppet_etc_t type to include /etc/puppetlabs(/.*)? (Puppet 4), which has already happened on RHEL 7.3.
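As an added example (not part of the bug report or of the selinux-policy package), the POSIX shell script below checks a `semanage fcontext -l` listing for the /etc/puppetlabs(/.*)? rule discussed in this comment and, when it is missing, prints the interim local file-context rule an administrator can apply before the fixed package is installed. The two listings are constructed samples modelled on the output quoted above; the /etc/puppetlabs/puppet/puppet.conf path used for the matchpathcon verification step is the Puppet 4 AIO default and is not taken from the bug.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy package):
# check a `semanage fcontext -l` listing for the Puppet 4 rule and print
# the interim local fix. The two listings are constructed samples; on a
# real host feed the function the live output of:
#   semanage fcontext -l | grep puppet_etc

# Constructed: a RHEL 6 host before the policy update (no /etc/puppetlabs
# rule, so Puppet 4 AIO config files are not labelled puppet_etc_t).
SAMPLE_RHEL6_OLD='/etc/puppet(/.*)?                                  all files          system_u:object_r:puppet_etc_t:s0'

# Constructed: what RHEL 7.3 (and the fixed RHEL 6 policy) lists.
SAMPLE_RHEL73='/etc/puppet(/.*)?                                  all files          system_u:object_r:puppet_etc_t:s0
/etc/puppetlabs(/.*)?                              all files          system_u:object_r:puppet_etc_t:s0'

# has_puppetlabs_rule LISTING
# Prints "yes" when the listing maps /etc/puppetlabs(/.*)? to puppet_etc_t,
# "no" otherwise. Fixed-string grep, because the rule itself is a regex.
has_puppetlabs_rule() {
    if printf '%s\n' "$1" | grep -F -- '/etc/puppetlabs(/.*)?' | grep -q 'puppet_etc_t'; then
        echo yes
    else
        echo no
    fi
}

# interim_fix_commands
# Prints the local file-context customisation an administrator can add until
# the updated selinux-policy package ships the label natively. restorecon
# relabels files already on disk; matchpathcon shows the label a Puppet 4
# config file will receive afterwards (path is the AIO default, assumed).
interim_fix_commands() {
    cat <<'EOF'
semanage fcontext -a -t puppet_etc_t '/etc/puppetlabs(/.*)?'
restorecon -Rv /etc/puppetlabs
matchpathcon /etc/puppetlabs/puppet/puppet.conf
EOF
}

# check_listing NAME LISTING : one-line report for a listing.
check_listing() {
    printf '%s: /etc/puppetlabs rule present: %s\n' "$1" "$(has_puppetlabs_rule "$2")"
}

check_listing "rhel6-old" "$SAMPLE_RHEL6_OLD"
check_listing "rhel7.3"   "$SAMPLE_RHEL73"
if [ "$(has_puppetlabs_rule "$SAMPLE_RHEL6_OLD")" = no ]; then
    echo "Interim fix for a host without the updated policy:"
    interim_fix_commands
fi
```

The local rule added with `semanage fcontext -a` is stored alongside the policy's own file contexts rather than replacing them, so it can stay in place until the package update makes it redundant; `matchpathcon` is the quick way to confirm that a Puppet 4 path now resolves to puppet_etc_t.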

Comment 14 Lukas Vrabec 2016-12-14 14:32:52 UTC
Milos,
I agree with you. I'll backport the labels.

Comment 18 Milos Malik 2016-12-15 10:49:03 UTC
The automated TC does not generate any USER_AVCs when executed on a machine where puppet 2.7 is installed. The same automated TC generates the following USER_AVC when executed on a machine where puppet 3.8 is installed:

----
type=USER_AVC msg=audit(12/15/2016 11:43:13.837:374) : user pid=2232 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.33 spid=52620 tpid=65026 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:system_r:puppet_t:s0 tclass=dbus  exe=/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

In both cases NetworkManager must be running.
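As an added example (not from the bug report), the POSIX shell script below pulls the fields out of a USER_AVC record like the one quoted in this comment and reduces it to the "source type -> target type : class { permissions }" form used when triaging SELinux denials. The record is embedded as a constructed constant copied from the comment; on a live host the same records come from `ausearch -m USER_AVC -i`.

```shell
#!/bin/sh
# Added example (not from the bug report): field extraction and a one-line
# triage summary for a dbus USER_AVC record. The record below is the one
# quoted in the comment, embedded as a constructed constant.

SAMPLE_USER_AVC="type=USER_AVC msg=audit(12/15/2016 11:43:13.837:374) : user pid=2232 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.33 spid=52620 tpid=65026 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:system_r:puppet_t:s0 tclass=dbus  exe=/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'"

# avc_field RECORD NAME : value of NAME=... in RECORD (empty if absent).
# The key must be preceded by a space or a quote so that "pid=" does not
# match inside "spid=" or "tpid=".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ']$2=\([^ ']*\).*/\1/p"
}

# avc_perms RECORD : the permission list inside "{ ... }" after "denied".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ \(.*\) }.*/\1/p'
}

# avc_is_denial RECORD : "yes" for a denied AVC, "no" for granted/other.
avc_is_denial() {
    if printf '%s\n' "$1" | grep -q 'avc:  *denied'; then echo yes; else echo no; fi
}

# ctx_type CONTEXT : the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD : "srctype -> tgttype : class { perms }"
avc_summary() {
    printf '%s -> %s : %s { %s }\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

echo "denial:      $(avc_is_denial "$SAMPLE_USER_AVC")"
# subj= is the bus daemon that performed the check, not a party to the call
echo "reported by: $(ctx_type "$(avc_field "$SAMPLE_USER_AVC" subj)")"
echo "summary:     $(avc_summary "$SAMPLE_USER_AVC")"
```

For dbus denials the `subj=` context is dbus-daemon (system_dbusd_t), which performs the check on behalf of the two peers; the parties that matter for triage are `scontext` and `tcontext`, here NetworkManager_t replying to puppet_t. The summary is the same (source, target, class, permission) tuple that audit2allow would turn into an allow rule; whether a rule or a labelling change such as the one in this bug is the right response is the triage decision, not something the record itself decides.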

Comment 20 errata-xmlrpc 2017-03-21 09:48:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html