Description of problem:
The error occurred during the installation of foreman-installer from theforeman.org (version 1.2 from the F19 repo).

SELinux is preventing /usr/sbin/httpd from 'getattr' accesses on the directory /etc/puppet/rack/public.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the public directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:puppet_etc_t:s0
Target Objects                /etc/puppet/rack/public [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.6-2.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.10-200.fc19.x86_64 #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-04 11:27:21 CEST
Last Seen                     2013-09-04 11:27:21 CEST
Local ID                      d44fe969-e7ff-4677-b85f-e2e55db58cb2

Raw Audit Messages
type=AVC msg=audit(1378286841.594:3175): avc:  denied  { getattr } for  pid=24947 comm="httpd" path="/etc/puppet/rack/public" dev="dm-1" ino=6032413 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir

type=SYSCALL msg=audit(1378286841.594:3175): arch=x86_64 syscall=stat success=yes exit=0 a0=7f8168bbcc58 a1=7fffc3975220 a2=7fffc3975220 a3=7f8166d274b0 items=0 ppid=24943 pid=24947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,puppet_etc_t,dir,getattr

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport
Steps to reproduce:
Follow the installation guidelines @ http://theforeman.org/manuals/1.2/index.html#2.1Installation

Follow these steps (as root):
yum -y install puppet
yum -y install http://yum.theforeman.org/releases/1.2/f19/x86_64/foreman-release.rpm
yum -y install foreman-installer
ruby /usr/share/foreman-installer/generate_answers.rb
answer all questions with "y"

Result: apache does not get started; the script reports:
Error: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1:
Error: /Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1:
Notice: /Stage[main]/Apache::Service/Exec[reload-apache]: Dependency Service[httpd] has failures: true
Warning: /Stage[main]/Apache::Service/Exec[reload-apache]: Skipping because of failed dependencies
Notice: Finished catalog run in 42.24 seconds

SELinux generates the above report for this error. I'm not sure whether this is a problem in the SELinux policy, or whether puppet should invoke httpd in a different way.
Does the Apache server actually need to read /etc/puppet/rack/public?
It's the document root for the puppet master, so I'd say: yes :) But this is all just info from the docs, so I may be entirely wrong!

What's weird: I tried to configure an exception for SELinux via:
grep httpd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
But I still can't start the httpd service.
Well, if it is happening in permissive mode, then you probably have a different problem unrelated to SELinux.
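The previous comment's point can be checked directly from the raw audit records in the report, without trusting the "Enforcing Mode" line of the setroubleshoot summary. The following is an added example, not code from this bug report, from Fedora, setroubleshoot or audit2allow: it groups AVC and SYSCALL records by audit event id, decides from the SYSCALL outcome whether the denial was merely logged or actually blocked, and prints the `allow` rule audit2allow would derive from the AVC record. The sample log is constructed: the first event is the pair of records quoted above, the second is a hypothetical enforcing-mode denial of the same access (stat() failing with EACCES, so `success=no exit=-13`).

```python
"""Classify SELinux AVC denials from raw audit records.

Added example for this bug report; not code from the report, Fedora,
setroubleshoot or audit2allow.  Each AVC record is paired with the SYSCALL
record of the same event to decide whether the access was only logged
(permissive mode) or actually blocked (enforcing mode), and the allow rule
audit2allow would generate for it is printed alongside.
"""
import re

# Constructed sample log.  Event 3175 is the two records quoted in the
# report (interpreted form, as setroubleshoot shows them).  Event 3200 is a
# hypothetical enforcing-mode denial of the same access: stat() fails with
# EACCES, hence success=no exit=-13.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378286841.594:3175): avc:  denied  { getattr } for  pid=24947 comm="httpd" path="/etc/puppet/rack/public" dev="dm-1" ino=6032413 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1378286841.594:3175): arch=x86_64 syscall=stat success=yes exit=0 a0=7f8168bbcc58 a1=7fffc3975220 a2=7fffc3975220 a3=7f8166d274b0 items=0 ppid=24943 pid=24947 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1378290000.100:3200): avc:  denied  { getattr } for  pid=25001 comm="httpd" path="/etc/puppet/rack/public" dev="dm-1" ino=6032413 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1378290000.100:3200): arch=x86_64 syscall=stat success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=24943 pid=25001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

RE_RECORD = re.compile(r"^type=(\w+)\s+msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
RE_KV = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
RE_AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def _fields(body):
    """Split 'k=v k="v" k=(v)' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in RE_KV.findall(body)}


def parse_audit(text):
    """Group AVC and SYSCALL records by audit event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = RE_RECORD.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault((float(ts), int(serial)),
                               {"id": f"{ts}:{serial}", "avc": [], "syscall": None})
        if rtype == "AVC":
            rec = _fields(body)
            pm = RE_AVC.search(body)
            rec["result"] = pm.group(1) if pm else None
            rec["perms"] = pm.group(2).split() if pm else []
            ev["avc"].append(rec)
        elif rtype == "SYSCALL":
            ev["syscall"] = _fields(body)
    return [events[k] for k in sorted(events)]


def classify(event):
    """Return 'permissive', 'enforcing', 'no-denial' or 'unknown' for one event.

    A denial that was only logged leaves the syscall successful; an enforced
    one makes it fail (for stat(), with EACCES).  Newer kernels also put an
    explicit permissive=0/1 field on the AVC record, which wins when present.
    Without a SYSCALL record the verdict is 'unknown'.
    """
    denials = [a for a in event["avc"] if a.get("result") == "denied"]
    if not denials:
        return "no-denial"
    flags = {a["permissive"] for a in denials if "permissive" in a}
    if flags:
        return "permissive" if flags == {"1"} else "enforcing"
    sc = event["syscall"]
    if sc and "success" in sc:
        return "permissive" if sc["success"] == "yes" else "enforcing"
    return "unknown"


def allow_rule(avc):
    """The TE rule audit2allow derives from one AVC record."""
    stype = avc["scontext"].split(":")[2]   # user:role:type:level -> type
    ttype = avc["tcontext"].split(":")[2]
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{avc['tclass']} {perm_str};"


def summarize(text):
    """(event id, verdict, allow rule) for every denial in the log."""
    out = []
    for ev in parse_audit(text):
        verdict = classify(ev)
        for avc in ev["avc"]:
            if avc.get("result") == "denied":
                out.append((ev["id"], verdict, allow_rule(avc)))
    return out


if __name__ == "__main__":
    for event_id, verdict, rule in summarize(SAMPLE_AUDIT_LOG):
        print(f"{event_id}: {verdict:<10} {rule}")
```

For the event in this report the verdict is "permissive": the SYSCALL record shows `success=yes exit=0`, so the stat() on /etc/puppet/rack/public went through and the module built by the suggested `grep httpd ... | audit2allow -M mypol` pipeline (which would contain `allow httpd_t puppet_etc_t:dir getattr;`) cannot change whether httpd starts. Two further caveats for anyone reusing the suggested commands: `grep httpd` picks up every line in the whole audit log that mentions httpd, so the resulting module allows considerably more than this one access; and once the box is switched to enforcing, a directory that httpd legitimately has to read is usually better handled by relabeling it (semanage fcontext plus restorecon) or a policy boolean than by a hand-rolled allow rule, where the policy offers one.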
I guess I'm affected by bug: https://bugzilla.redhat.com/show_bug.cgi?id=848939 But I'm not quite sure for now. So maybe this is a duplicate or a dependency. I will do some testing on this.
Well, that bug is talking about Passenger.