Bug 1393506

Summary: Puppet4: /etc/puppetlabs/puppet/node.rb requires to be labeled with foreman_enc_t
Product: Red Hat Satellite Reporter: Lukas Pramuk <lpramuk>
Component: SELinuxAssignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA QA Contact: Lukas Pramuk <lpramuk>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3.0CC: bbuckingham, ehelms
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/17460
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-21 16:49:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Pramuk 2016-11-09 17:32:43 UTC 
Description of problem:
/etc/puppetlabs/puppet/node.rb requires to be labeled with foreman_enc_t
(the same as is /etc/puppet/node.rb)

Puppet3 labels:
# bzcat /etc/selinux/targeted/active/modules/400/foreman/cil | grep /etc/puppet
(filecon "/etc/puppet/node.rb" any (system_u object_r foreman_enc_t ((s0) (s0))))

Puppet4 node.rb:
# ll -Z `find /etc/puppetlabs/ -name node.rb`
-r-xr-x---. puppet puppet system_u:object_r:puppet_etc_t:s0 /etc/puppetlabs/puppet/node.rb


Version-Release number of selected component (if applicable):
@satellite-6.3.0-6.1.beta.el7sat.noarch
foreman-selinux-1.13.1-1.el7.noarch


Steps to Reproduce:
ll -Z /etc/puppetlabs/puppet/node.rb

Actual results:
puppet_etc_t

Expected results:
foreman_enc_t
Comment 1 Lukas Pramuk 2016-11-09 17:42:11 UTC 
Workaround:

# semanage fcontext -a -t foreman_enc_t '/etc(/puppetlabs)?/puppet/node.rb'
Comment 3 Lukas Zapletal 2016-11-23 11:31:31 UTC 
Thanks, fixed!
Comment 4 Bryan Kearney 2016-11-25 15:15:34 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17460 has been resolved.
Comment 5 Lukas Pramuk 2017-08-10 20:26:24 UTC 
VERIFIED.

@satellite-6.3.0-16.0.beta.el7sat.noarch
puppetserver-2.7.2-2.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
foreman-selinux-1.15.2-1.el7sat.noarch

by simple reproducer on both upgraded and fresh p4 install:

# ll -Z /etc/puppetlabs/puppet/node.rb 
-r-xr-x---. puppet puppet system_u:object_r:foreman_enc_t:s0 /etc/puppetlabs/puppet/node.rb

>>> puppet4 enc has the correct selinux label (foreman_enc_t)
Comment 6 Satellite Program 2018-02-21 16:49:54 UTC 
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336