Description of problem:
/etc/puppetlabs/puppet/node.rb needs to be labeled with foreman_enc_t (the same as /etc/puppet/node.rb)

Puppet3 labels:
# bzcat /etc/selinux/targeted/active/modules/400/foreman/cil | grep /etc/puppet
(filecon "/etc/puppet/node.rb" any (system_u object_r foreman_enc_t ((s0) (s0))))

Puppet4 node.rb:
# ll -Z `find /etc/puppetlabs/ -name node.rb`
-r-xr-x---. puppet puppet system_u:object_r:puppet_etc_t:s0 /etc/puppetlabs/puppet/node.rb

Version-Release number of selected component (if applicable):
@satellite-6.3.0-6.1.beta.el7sat.noarch
foreman-selinux-1.13.1-1.el7.noarch

Steps to Reproduce:
ll -Z /etc/puppetlabs/puppet/node.rb

Actual results:
puppet_etc_t

Expected results:
foreman_enc_t
Workaround:
# semanage fcontext -a -t foreman_enc_t '/etc(/puppetlabs)?/puppet/node.rb'
Thanks, fixed!
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17460 has been resolved.
VERIFIED.

@satellite-6.3.0-16.0.beta.el7sat.noarch
puppetserver-2.7.2-2.el7sat.noarch
puppet-agent-1.8.2-2.el7sat.x86_64
foreman-selinux-1.15.2-1.el7sat.noarch

by simple reproducer on both upgraded and fresh p4 install:

# ll -Z /etc/puppetlabs/puppet/node.rb
-r-xr-x---. puppet puppet system_u:object_r:foreman_enc_t:s0 /etc/puppetlabs/puppet/node.rb

>>> puppet4 enc has the correct selinux label (foreman_enc_t)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336
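
Added example (not part of the original bug report or of foreman-selinux): a shell check that separates the two ways node.rb can end up without foreman_enc_t, namely the loaded policy having no rule for the path (this bug) and the rule being present but the file not yet relabeled (the state after semanage fcontext -a until restorecon is run). The function names are hypothetical; the live check assumes stat from GNU coreutils and matchpathcon from libselinux-utils.

```sh
#!/bin/sh
EXPECTED_TYPE=foreman_enc_t   # type the report says node.rb must carry

# The type is the third colon-separated field of user:role:type:level.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# diagnose_enc PATH ON_DISK_CONTEXT POLICY_DEFAULT_CONTEXT
# returns 0 = labeled correctly
#         1 = policy is right, but the file still needs relabeling
#         2 = loaded policy does not assign foreman_enc_t to this path
diagnose_enc() {
    disk=$(selinux_type "$2")
    policy=$(selinux_type "$3")
    if [ "$policy" != "$EXPECTED_TYPE" ]; then
        echo "POLICY  $1: default type is '$policy', expected $EXPECTED_TYPE"
        return 2
    fi
    if [ "$disk" != "$EXPECTED_TYPE" ]; then
        echo "RELABEL $1: on disk '$disk', policy says $policy (run restorecon)"
        return 1
    fi
    echo "OK      $1: $disk"
    return 0
}

# Check the Puppet 3 and Puppet 4 ENC paths on a live host and
# return the worst status seen (same codes as diagnose_enc).
audit_enc_labels() {
    worst=0
    for f in /etc/puppet/node.rb /etc/puppetlabs/puppet/node.rb; do
        [ -e "$f" ] || continue
        disk_ctx=$(stat -c %C "$f")          # context currently on the file
        policy_ctx=$(matchpathcon -n "$f")   # context the loaded policy assigns
        rc=0
        diagnose_enc "$f" "$disk_ctx" "$policy_ctx" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

Run audit_enc_labels as root on the Satellite or Capsule host; a status of 2 matches the state described in this report, and 1 means the rule exists but restorecon has not been applied to the file.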