Description of problem:
When syncing puppet repos to a node, puppet repositories will fail to publish properly to /etc/puppet/environments. The following error will be seen in /var/log/pulp/pulp.log:

2013-10-17 16:06:53,905 pulp.server.managers.repo.publish:INFO: publish failed for repo [Katello_Infrastructure-Dev_Env-PublishedRHEL6Composite64-Puppet_Labs_Forge-Forge] with distributor ID [Katello_Infrastructure-Dev_Env-PublishedRHEL6Composite64-Puppet_Labs_Forge-Forge]

How reproducible:
Always

Steps to Reproduce:
1. Deploy a node and ensure selinux is enabled
2. Associate the node to an environment with a content view that contains a puppet repo
3. Sync the node

Actual results:
Error (see above)

Expected results:
On the node /etc/puppet/environments/ should be populated with the puppet repo from the content view

Additional info:
For me, running restorecon did not seem to fix the problem
I would move this to MDP3, as there is already a known bug on puppetmaster deployment not working on selinux for now, see https://bugzilla.redhat.com/show_bug.cgi?id=1009964
Justin, it's because /etc/puppet is under puppet_etc_t context and not etc_t. This needs to be fixed in pulp-selinux package. Please add AVC denials if you can. I don't see "Pulp" component, do we clone bugs into upstream project or what?
Pulp team evaluates possibilities. Putting on hold.
I am unable to reproduce on satellite6 node, pulp works fine with our selinux policy. Trying out with capsule w/ puppetmaster.
While I am still working on capsule reproducer, it looks like passenger on capsule is running under httpd_t domain. Puppet policy in RHEL6 for puppetmaster is not perfect and for Foreman we carry some fixes in foreman-selinux. But on capsule/proxy we can't install foreman-selinux (due to foreman dependency). We have selinux policy breakup and smart proxy policy implementation on our TODO list, but we can't do this for beta. We will likely see errors on the puppetmaster side (passenger process, httpd_t selinux domain). There are two workarounds for this: 1) permissive 2) put httpd into unconfined mode
Ready for testing: https://github.com/pulp/pulp/pull/1020
Rel eng: The fix consists of two patches: 1) One for pulp selinux policy: https://github.com/pulp/pulp/pull/1020 2) One for katello installer: https://github.com/Katello/puppet-pulp/pull/20
All patches merged, ready for downstream.
Oh, there is a third patch required, I had to update katello-installer: 3) https://github.com/Katello/katello-installer/pull/77 So disregard number (2) and only apply (1) and (3). I hope it's clear, if not, ping me :-) Sorry about that.
Pushing to 6.0.4 for testing.
Verified in Satellite-6.0.4-RHEL-7-20140829.0
This was delivered with Satellite 6.0 which was released on 10 September 2014.