Cloned #1369938 for RHEL6
Ok I don't think the same fix will work on RHEL-6. Could you re-test and attach SELinux issues on RHEL-6? Thank you.
I assumed the same fix will be ok, based on the fact that both rhel6 and 7 have the same output for this command:
    # semanage fcontext -l |grep puppet_etc
    /etc/puppet(/.*)?    all files    system_u:object_r:puppet_etc_t:s0
And if rhel7.3 is adding
    /etc/puppetlabs(/.*)?    all files    system_u:object_r:puppet_etc_t:s0
Then adding the same on rhel6 would fix it. Simply put, we need to extend the puppet_etc_t type to include /etc/puppetlabs(/.*)? (Puppet4), which happened already on rhel73.
Milos, Agree with you. I back port labels.
The automated TC does not generate any USER_AVCs when executed on a machine where puppet 2.7 is installed. The same automated TC generates the following USER_AVC when executed on a machine where puppet 3.8 is installed:
----
type=USER_AVC msg=audit(12/15/2016 11:43:13.837:374) : user pid=2232 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.33 spid=52620 tpid=65026 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:system_r:puppet_t:s0 tclass=dbus exe=/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
In both cases NetworkManager must be running.
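Added example, not part of the comment above or of the selinux-policy project: a small parser for the USER_AVC record quoted there, showing that the denial reported by dbus-daemon sits inside the quoted msg='...' field and which source type, target type, class and permission it names. The function names parse_user_avc and summarize are hypothetical.

```python
import re

# The USER_AVC record quoted in the comment above (ausearch -i style), copied verbatim.
SAMPLE = (
    "type=USER_AVC msg=audit(12/15/2016 11:43:13.837:374) : user pid=2232 uid=dbus "
    "auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.33 spid=52620 "
    "tpid=65026 scontext=unconfined_u:system_r:NetworkManager_t:s0 "
    "tcontext=unconfined_u:system_r:puppet_t:s0 tclass=dbus exe=/bin/dbus-daemon "
    "sauid=dbus hostname=? addr=? terminal=?'"
)

# The AVC text carried inside the record's quoted msg='...' payload.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)

def _type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_user_avc(line):
    """Parse one USER_AVC record into a dict; return None for anything else."""
    if not line.startswith("type=USER_AVC"):
        return None
    inner = re.search(r"msg='(.*)'", line)  # skips the unquoted msg=audit(...) header
    avc = AVC_RE.search(inner.group(1)) if inner else None
    if not avc:
        return None
    fields = dict(kv.split("=", 1) for kv in avc.group("rest").split() if "=" in kv)
    subj = re.search(r"\bsubj=(\S+)", line)  # context of the process that logged it
    return {
        "result": avc.group("result"),
        "perms": avc.group("perms").split(),
        "tclass": fields.get("tclass"),
        "source_type": _type_of(fields.get("scontext")),
        "target_type": _type_of(fields.get("tcontext")),
        "reporter_type": _type_of(subj.group(1)) if subj else None,
    }

def summarize(rec):
    """One-line summary: result, permissions, source -> target, class, reporter."""
    return (f"{rec['result']} {{ {' '.join(rec['perms'])} }} "
            f"{rec['source_type']} -> {rec['target_type']} class={rec['tclass']} "
            f"(reported by {rec['reporter_type']})")

if __name__ == "__main__":
    print(summarize(parse_user_avc(SAMPLE)))
```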
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html