The fix to this does not belong in pulp. Sat6, given its specific use case and configuration of pulp, should add this to its selinux policy. For pulp to solve this, we would have to:

1) require the puppet-server package, so that /etc/puppet/environments/ exists. We do not currently require this package.
2) modify the filesystem permissions of /etc/puppet/environments/
3) change the selinux policy on /etc/puppet/environments/

Changing the filesystem permissions and selinux policy on a directory owned by another package is not something pulp's package should do by default anyway. More importantly, we would be allowing the apache user to have full write access to the /etc/puppet/environments/ folder, which is not a sane default. The security implications are huge. Allowing a user to opt-in to this *if* they want to use our puppet install distributor is reasonable. Introducing this major degradation of security by default for all users of pulp is not reasonable. From our documentation at http://pulp-puppet-dev-guide.readthedocs.org/en/latest/plugin_conf.html#install-distributor: "It is the user's responsibility to ensure that Pulp can write to this directory." Thoughts?
Michael, there is no requirement that you need those directories to be created, or puppet-server to be present on the system at all. Puppet policy is in the core selinux policy in both RHEL6+ and Fedoras, therefore you can build on this safely without any dependency introduced. It's actually the other way around - katello-selinux has no pulp-selinux dependency on the packaging level and we would need to introduce one (if we want to create rules for pulp selinux types). By default, all files in /etc/pulp are labeled as puppet_etc_t, therefore what we expect is for you folks to create a rule that allows writing/reading on this file context. For the security implications you described and because you run under the Apache2 httpd domain (which must be very well hardened for sure), the best would be to create an optional selinux boolean, something like pulp_write_puppet or httpd_write_puppet_etc, that would be turned off by default for pulp, but Satellite 6 would enable this flag. This is standard SELinux practice which is used everywhere, including the http daemon (e.g. man httpd_selinux for examples). Please reevaluate this once again, thanks.
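The opt-in boolean described in the comment above, written out as a minimal loadable policy module. This is an added illustration, not code from the thread or from the pulp-selinux or katello-selinux packages: the module name pulp_puppet_env is made up, the boolean name pulp_write_puppet is one of the two names suggested in the comment, and the permission sets are an assumed minimum for creating and replacing module files and directories under a puppet_etc_t-labelled tree. The types httpd_t and puppet_etc_t come from the core apache and puppet policy, which is why the module only has to `require` them rather than depend on another package.

```selinux
# pulp_puppet_env.te (hypothetical module name)
# Grants the httpd_t domain (Apache, which Pulp runs under) write access to
# puppet_etc_t-labelled files and directories, but ONLY while the boolean
# pulp_write_puppet is on. The boolean defaults to off, so a stock Pulp
# install keeps the core policy's behaviour; a product that ships the
# puppet install distributor (e.g. Satellite 6) turns it on explicitly.
module pulp_puppet_env 1.0;

require {
    # Domain and type are owned by the core policy; we reference, not define, them.
    type httpd_t;
    type puppet_etc_t;
    class dir  { getattr search open read write add_name remove_name create rmdir setattr };
    class file { getattr open read write create unlink rename append setattr lock };
    class lnk_file { getattr read create unlink rename };
}

# Tunable, off by default. Toggle with: setsebool -P pulp_write_puppet on
bool pulp_write_puppet false;

if (pulp_write_puppet) {
    # Walk and modify environment directories (create module subtrees, replace old ones).
    allow httpd_t puppet_etc_t:dir  { getattr search open read write add_name remove_name create rmdir setattr };
    # Write the module files themselves.
    allow httpd_t puppet_etc_t:file { getattr open read write create unlink rename append setattr lock };
    # Some deployments link module versions into place rather than copy them.
    allow httpd_t puppet_etc_t:lnk_file { getattr read create unlink rename };
}
```

Build and load it with the standard tools (`checkmodule -M -m -o pulp_puppet_env.mod pulp_puppet_env.te`, `semodule_package -o pulp_puppet_env.pp -m pulp_puppet_env.mod`, `semodule -i pulp_puppet_env.pp`), then confirm the default with `getsebool pulp_write_puppet`, which should report `off`. Note that, as the next comments in the thread point out, this only addresses the SELinux side: the DAC permissions on /etc/puppet/environments/ still have to let the apache user write there, and turning the boolean on is a deliberate widening of what a compromised httpd_t process could modify, so it belongs in the product that needs it rather than in the default policy.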
That's an interesting suggestion, and I can see value in having such a boolean provided by pulp. However, it doesn't solve the need to change filesystem permissions on /etc/puppet/environments. I'll query the team. If we need this fast, I'm not sure we have anyone available on the pulp team with the selinux familiarity to do this quickly.
Michael, I was not aware that there are permissions involved. I thought it was only SELinux preventing writing there. We will need to make sure pulp/httpd can write to that directory. And this is our task for sure; we actually create the environments directory ourselves (puppet defaults just to /etc/puppet). But for SELinux, this is all about types and domains, paths do not matter. Thanks for taking this to the team.
https://github.com/pulp/pulp/pull/1020
Fixed in 2.4.0-0.23.beta.
[root@cloud-qe-19 ~]# getenforce
Enforcing
[root@cloud-qe-19 ~]#

[root@qe-blade-14 ~]# pulp-admin node sync run --node-id node1
This command may be exited via ctrl+c without affecting the request.

(1/2) Repository: puppet-repo
[==================================================] 100%
(2/2) Repository: zoo
[==================================================] 100%

Synchronization succeeded

+----------------------------------------------------------------------+
                      Child Node Synchronization
+----------------------------------------------------------------------+

Repository:
  Action:           Merged
  Content Sources:
    Downloads:
      Source Id:        Parent Node
      Total Failed:     0
      Total Succeeded:  43
    Total Passes:       1
    Total Sources:      0
  Id:               puppet-repo
  Units:
    Added:            43
    Removed:          0
    Updated:          0

Repository:
  Action:           Merged
  Content Sources:
    Downloads:
      Source Id:        Parent Node
      Total Failed:     0
      Total Succeeded:  32
    Total Passes:       1
    Total Sources:      0
  Id:               zoo
  Units:
    Added:            39
    Removed:          0
    Updated:          0

[root@qe-blade-14 ~]#
This has been fixed in Pulp 2.4.0-1.