Description of problem: In enforcing mode, the puppet installed by capsule-installer is not working properly, returning "The requested method PUT is not allowed for the URL /production/report" when running `puppet agent --test` on the very same system. Works fine in permissive mode.

Steps to Reproduce:
1. install capsule with puppet/puppetca feature on a separate machine in enforcing mode
2. run `puppet agent --test`

Actual results: Error messages

Expected results: No error messages about PUT not being allowed and the system showing up in the list of Foreman hosts
Info for PMs: Due to changes that need to be done in the selinux-core puppet policy, backporting into RHEL6 and changes on the foreman-selinux side, we need a few months for this to happen. Beta is not possible (we need a workaround for this). If we want the proper fix in GA, it's good to start after Beta is out so we have some time for errata to come into RHEL6. The upstream issue is here: http://projects.theforeman.org/issues/2820 - we would like to implement this by splitting the passenger policy into two separate ones, which will allow us to run puppet master under its own domain and the same for foreman. This will need some time for community testing as it's quite a big refactoring. This unpleasant state roots from the fact that older passengers were not able to provide better selinux support (wrapper binaries).
Oh the issue was wrong, this one is the one: http://projects.theforeman.org/issues/6316
I am unlinking the upstream issue - refactoring is not possible since it is too late. It will be done as a separate upstream effort. With the latest snap and build I don't see any problems, except the following harmless denial, which is a file handle leak in puppet (we will mask this denial for Satellite 6.1):

time->Wed Aug 27 09:15:56 2014
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 a0=3366d00 a1=16d4d30 a2=0 a3=12 items=0 ppid=4708 pid=4725 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc: denied { write } for pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

foreman-selinux-1.6.0.9-1.el6sat.noarch

Putting this to ON_QA. If this fails verification, please provide:

getenforce
semodule -l | grep foreman
ps axuwZ
ausearch -m AVC -m USER_AVC
foreman-selinux-relabel -nv
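The comment above asks for `ausearch -m AVC -m USER_AVC` output and says the load_policy denial will be masked. Triaging such output means grouping the AVC records by source type, target type and object class and then deciding, per group, whether the access should be allowed or silenced with a `dontaudit` rule. The script below does exactly that; it is an added example, not code from this bug report or from the foreman-selinux project. Its sample input is constructed: the first AVC record is the load_policy denial quoted above (which appeared twice under the same audit serial), while the two `passenger_t` records and the function names (`parse_avc`, `summarize`, `draft_rules`) are invented here to show multi-permission merging and are not taken from the page.

```python
"""Triage SELinux AVC denials from ausearch output and draft the policy line that
masks (dontaudit) or permits (allow) each group of denials.
Added example; not code from the bug report or from foreman-selinux."""
import re
from collections import OrderedDict

# Constructed sample input.  Records with serial 172 are the load_policy denial
# quoted in the bug comment (reported twice).  Serials 180/181 are INVENTED for
# this example to show a second domain with several permissions; they are not
# from the bug report.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1409145356.680:172): arch=c000003e syscall=59 success=yes exit=0 comm="load_policy" exe="/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145356.680:172): avc:  denied  { write } for  pid=4725 comm="load_policy" path="/tmp/puppet20140827-4300-1q7kni7-0" dev=vda1 ino=263067 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1409145400.100:180): avc:  denied  { read } for  pid=5000 comm="ruby" name="reports" dev=vda1 ino=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1409145400.100:181): avc:  denied  { search } for  pid=5000 comm="ruby" name="reports" dev=vda1 ino=1 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
"""

# Header of an AVC record: timestamp:serial, verdict, the braced permission set,
# and the key=value remainder.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values may be quoted (path="...") or bare (scontext=...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for non-AVC lines (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'verdict': m.group('verdict'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'target': fields.get('path') or fields.get('name'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def parse_audit(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def selinux_type(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return context.split(':')[2]


def summarize(records):
    """Group denials by (source type, target type, class).  Permissions are merged
    per group; records sharing an audit serial are one event and are counted once."""
    groups = OrderedDict()
    seen_serials = set()
    for r in records:
        if r['verdict'] != 'denied':
            continue
        key = (selinux_type(r['scontext']), selinux_type(r['tcontext']), r['tclass'])
        g = groups.setdefault(key, {'perms': [], 'events': 0, 'comms': set()})
        for p in r['perms']:
            if p not in g['perms']:
                g['perms'].append(p)
        if r['serial'] not in seen_serials:
            seen_serials.add(r['serial'])
            g['events'] += 1
        g['comms'].add(r['comm'])
    return groups


def policy_rule(key, perms, verb='allow'):
    """Render one TE rule in the syntax audit2allow emits, e.g.
    'dontaudit load_policy_t user_tmp_t:file write;'."""
    src, tgt, tclass = key
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'{verb} {src} {tgt}:{tclass} {perm_str};'


def draft_rules(records, mask=()):
    """One rule per group; groups listed in `mask` get dontaudit (silence a known
    harmless denial, as the comment proposes for load_policy), the rest get allow."""
    return [policy_rule(key, g['perms'], 'dontaudit' if key in mask else 'allow')
            for key, g in summarize(records).items()]


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT)
    for key, g in summarize(recs).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} perms={g['perms']} "
              f"events={g['events']} comm={sorted(g['comms'])}")
    for rule in draft_rules(recs, mask={('load_policy_t', 'user_tmp_t', 'file')}):
        print(rule)
```

Feed it real output with `ausearch -m AVC -m USER_AVC | python3 triage.py` after replacing `SAMPLE_AUDIT` with `sys.stdin.read()`. The drafted rules are a starting point for review, not something to load blindly: a `dontaudit` is only appropriate where, as with the inherited temp-file descriptor here, the access is known to be harmless and the denial itself does no damage, whereas an `allow` widens the domain and should be checked against what the confined process actually needs.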
This bug is not actually a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1127284 (Various AVC denials during Capsule installation).

*** This bug has been marked as a duplicate of bug 1127284 ***