Description of problem: type=PROCTITLE msg=audit(11/27/2019 09:26:29.654:7887) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml certmonger_ca type=SYSCALL msg=audit(11/27/2019 09:26:29.654:7887) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x63cde8 a1=0x7ffd10abada0 a2=0x7ffd10abada0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12093 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/27/2019 09:26:29.654:7887) : avc: denied { search } for pid=12093 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(11/27/2019 09:26:29.719:7888) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml container_cli docker type=SYSCALL msg=audit(11/27/2019 09:26:29.719:7888) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x2550d88 a1=0x7ffffa5c96f0 a2=0x7ffffa5c96f0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12095 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/27/2019 09:26:29.719:7888) : avc: denied { search } for pid=12095 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(11/27/2019 09:26:29.787:7889) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::certificate_dir type=SYSCALL msg=audit(11/27/2019 09:26:29.787:7889) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0xf18d90 a1=0x7ffc8b7255c0 a2=0x7ffc8b7255c0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12097 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/27/2019 09:26:29.787:7889) : avc: denied { search } for pid=12097 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(11/27/2019 09:26:29.853:7890) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::certmonger::haproxy_dirs::key_dir type=SYSCALL msg=audit(11/27/2019 09:26:29.853:7890) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0xb48df0 a1=0x7ffe08af6430 a2=0x7ffe08af6430 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12099 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/27/2019 09:26:29.853:7890) : avc: denied { search } for pid=12099 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 ---- type=PROCTITLE msg=audit(11/27/2019 09:26:29.919:7891) : proctitle=ruby /usr/bin/hiera -c /etc/puppet/hiera.yaml tripleo::haproxy::service_certificate type=SYSCALL msg=audit(11/27/2019 09:26:29.919:7891) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x1548df0 a1=0x7fff5cf3e5c0 a2=0x7fff5cf3e5c0 a3=0xfffffffffffff35e items=0 ppid=12092 pid=12101 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ruby exe=/usr/bin/ruby subj=system_u:system_r:certmonger_t:s0 key=(null) type=AVC msg=audit(11/27/2019 09:26:29.919:7891) : avc: denied { search } for pid=12101 comm=ruby name=puppet dev="sda1" ino=62925411 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=dir permissive=0 Version-Release number of selected component (if applicable): openstack-selinux-0.8.20-0.20191125094339.a4fcc2c.el7.noarch How reproducible: Always Steps to Reproduce: 1. Deploy osp-16 undercloud|director with internal CA 2. Check /var/log/audit/audit.log 3. Actual results: We get a bunch of denials related to certmonger and puppet Expected results: No AVC Additional info: The following parameters are set in the undercloud.conf, in the DEFAULT section: generate_service_certificate = True certificate_generation_ca = local The provided output is generated using `cat /var/log/audit/audit.log | ausearch -i | less' and searching for "denied" string. We might want to allow certmonger_t to manage file patterns on puppet_etc_t ? Not really sure of the potential implications.
ok, since it's read-only, we can use the nice read_file_pattern (and add the "search" for directories). Providing a PR shortly.
Hello Julie, Would you be able to verify this one? It wouldn't make much sense if I verify it, would it? :) Thanks! C.
I don't have the resources to check on a working environment, but I can do a sanity check and also have confidence based on the testing we did at the time. Verified using openstack-selinux-0.8.20-0.20191220123532.2f2c423.el8ost.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:0283