Bug 968986 - Puppet has selinux issues during katello-configure
Product: Red Hat Satellite 6
Classification: Red Hat
Component: SELinux
Assigned To: Miroslav Suchý
Sachin Ghai
: Triaged
Reported: 2013-05-30 08:21 EDT by Miroslav Suchý
Modified: 2013-07-18 17:19 EDT
Fixed In Version: libselinux-2.0.94-5.5-sat puppet-3.1.1-17-sat
Doc Type: Bug Fix
Last Closed: 2013-07-18 17:19:13 EDT
Type: Bug
Description Miroslav Suchý 2013-05-30 08:21:34 EDT
Description of problem:
Puppet prints selinux related errors during katello-configure.

This is because there is no selinux module under ruby193 SCL.
Comment 1 Og Maciel 2013-05-30 09:55:32 EDT
Out of curiosity, is this what you were seeing (yum install)?

  Installing : ruby193-puppet-3.1.1-16.el6sat.noarch                    261/307 
error reading information on service puppet: No such file or directory
Comment 2 Miroslav Suchý 2013-05-30 10:59:46 EDT
Nope Og.

The issue was described by Garik as:
Whoever recently (this nightly) made some changes to the katello installer process and made the files under:
/etc/candlepin/certs/ as: unconfined_u:object_r:candlepin_etc_certs_rw_t:s0

please review or (my suggestion) bring back to: system_u:object_r:candlepin_etc_certs_ca_cert_r_t:s0

Coz apache just refuses to start blaming:
Starting httpd: Syntax error on line 15 of /etc/httpd/conf.d/katello.conf:
SSLCertificateFile: file '/etc/candlepin/certs/candlepin-ca.crt' does not exist or is empty
Comment 3 Brad Buckingham 2013-05-30 14:37:49 EDT
Aside from requiring the newer builds of libselinux and puppet, are there any changes we need to katello-configure, etc.? Thanks!
Comment 4 Miroslav Suchý 2013-05-31 04:57:15 EDT
No. There is no additional change needed.
Comment 5 Brad Buckingham 2013-06-06 17:59:02 EDT
Mass move to ON_QA
Comment 6 Sachin Ghai 2013-06-07 05:44:46 EDT
Verified this with the following build:

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.8.9-1.el6_4.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.9-1.el6_4.noarch
* candlepin-tomcat6-0.8.9-1.el6_4.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* foreman-1.1.10004-1.noarch
* foreman-installer-puppet-concat-0-2.d776701.git.0.21ef926.el6sat.noarch
* foreman-installer-puppet-dhcp-0-5.3a4a13c.el6sat.noarch
* foreman-installer-puppet-dns-0-7.fcae203.el6sat.noarch
* foreman-installer-puppet-foreman-0-6.568c5c4.el6sat.noarch
* foreman-installer-puppet-foreman_proxy-0-8.bd1e35d.el6sat.noarch
* foreman-installer-puppet-puppet-0-3.ab46748.el6sat.noarch
* foreman-installer-puppet-tftp-0-5.ea6c5e5.el6sat.noarch
* foreman-installer-puppet-xinetd-0-50a267b8.git.0.44aca6a.el6sat.noarch
* foreman-postgresql-1.1.10004-1.noarch
* foreman-proxy-1.1.10003-1.el6sat.noarch
* foreman-proxy-installer-1.0.1-8.f5ae2cd.el6sat.noarch
* katello-1.4.2-10.el6sat.noarch
* katello-all-1.4.2-10.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.2-7.el6sat.noarch
* katello-cli-common-1.4.2-7.el6sat.noarch
* katello-common-1.4.2-10.el6sat.noarch
* katello-configure-1.4.3-14.el6sat.noarch
* katello-configure-foreman-1.4.3-14.el6sat.noarch
* katello-foreman-all-1.4.2-10.el6sat.noarch
* katello-glue-candlepin-1.4.2-10.el6sat.noarch
* katello-glue-elasticsearch-1.4.2-10.el6sat.noarch
* katello-glue-pulp-1.4.2-10.el6sat.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.4.3-3.el6sat.noarch
* openldap-2.4.23-31.el6.x86_64
* pulp-rpm-plugins-2.1.1-1.el6sat.noarch
* pulp-selinux-2.1.1-1.el6sat.noarch
* pulp-server-2.1.1-1.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-ldap_fluff-0.2.2-1.el6sat.noarch
* ruby193-rubygem-net-ldap-0.3.1-2.el6sat.noarch
* signo-0.0.16-1.el6sat.noarch
* signo-katello-0.0.16-1.el6sat.noarch

No selinux error while running katello-configure.

And the selinux context is correctly set, as mentioned in comment 2, for /etc/candlepin/certs

[root@dhcp201-181 certs]# ls -lZ
-rw-r--r--. root katello system_u:object_r:candlepin_etc_certs_ca_cert_r_t:s0 candlepin-ca.crt
-rw-r-----. root katello system_u:object_r:candlepin_etc_certs_ca_cert_r_t:s0 candlepin-ca.key
drwxr-xr-x. root root    system_u:object_r:candlepin_etc_certs_rw_t:s0 upstream
[root@dhcp201-181 certs]# pwd
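
The label check done by eye in the listing above, as an added example that is not part of the original bug report: a shell function that reads `ls -lZ` output and reports regular files whose SELinux type differs from the expected one. The helper name, the two sample listings (constructed from the contexts quoted in comments 2 and 6) and the RHEL 6 field layout (mode, owner, group, context, name) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): detect SELinux label drift on the
# Candlepin certificate files from RHEL 6 style `ls -lZ` output, where the
# fields are: mode owner group context name.

# Expected type for files in /etc/candlepin/certs, as shown in comment 6.
EXPECTED_TYPE=candlepin_etc_certs_ca_cert_r_t

# check_cert_labels TYPE  (hypothetical helper name)
# Reads `ls -lZ` lines on stdin, prints one line per regular file whose
# SELinux type is not TYPE, and returns 1 if any such file was found.
check_cert_labels() {
    awk -v want="$1" '
        $1 ~ /^-/ {                       # regular files only; skip directories
            n = split($4, ctx, ":")       # context is user:role:type:level
            if (n < 3 || ctx[3] != want) {
                printf "%s: got %s, want %s\n", $5, ctx[3], want
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: a file carrying the wrong context quoted in comment 2.
sample_bad() {
    cat <<'EOF'
-rw-r--r--. root katello unconfined_u:object_r:candlepin_etc_certs_rw_t:s0 candlepin-ca.crt
-rw-r-----. root katello system_u:object_r:candlepin_etc_certs_ca_cert_r_t:s0 candlepin-ca.key
drwxr-xr-x. root root    system_u:object_r:candlepin_etc_certs_rw_t:s0 upstream
EOF
}

# Constructed sample: the verified state, copied from the listing in comment 6.
sample_good() {
    cat <<'EOF'
-rw-r--r--. root katello system_u:object_r:candlepin_etc_certs_ca_cert_r_t:s0 candlepin-ca.crt
-rw-r-----. root katello system_u:object_r:candlepin_etc_certs_ca_cert_r_t:s0 candlepin-ca.key
drwxr-xr-x. root root    system_u:object_r:candlepin_etc_certs_rw_t:s0 upstream
EOF
}

sample_bad | check_cert_labels "$EXPECTED_TYPE" || echo "label drift detected"
sample_good | check_cert_labels "$EXPECTED_TYPE" && echo "labels as expected"
```

On a live host the input would be `ls -lZ /etc/candlepin/certs`; `restorecon -n -v` on the same path reports what the loaded policy would relabel without changing anything.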
Comment 7 Mike McCune 2013-07-18 17:19:13 EDT
mass move to CLOSED:CURRENTRELEASE since MDP1 has been released.
