Foreman 1.3 and Fedora 18/19 (SELinux)

Hey,

I noticed that 1.3 version (and develop as well) is not starting up
properly due to passenger/puppetmaster issues and SELinux.

The workaround is to turn SELinux off or add extra audit rules manually.

[root@hp-dl585g5-01 foreman]# grep AVC /var/log/audit/audit.log | audit2allow

#============= httpd_t ==============
allow httpd_t puppet_etc_t:dir { search getattr };

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t puppet_port_t:tcp_socket name_connect;

#============= passenger_t ==============
allow passenger_t init_t:unix_stream_socket { getattr ioctl };

[root@hp-dl585g5-01 foreman]# rpm -q selinux-policy mod_passenger foreman
selinux-policy-3.12.1-74.4.fc19.noarch
mod_passenger-3.0.21-4.fc19.x86_64
foreman-1.3.0-0.2.RC2.fc19.noarch

Please report if you are able to reproduce.

--
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman
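As an added example (not from Lukas's mail or the Foreman project), here is how to package the three rules audit2allow printed above into a local SELinux policy module, instead of taking the other workaround of turning SELinux off. The module name foreman_puppet_local is an assumption; the allow rules and the types in the require block are taken from the audit2allow output quoted above.

```shell
#!/bin/sh
# Added example: turn the audit2allow output from the post into a local
# SELinux module. Module name "foreman_puppet_local" is made up; the allow
# rules are the three printed by audit2allow above.

# Type-enforcement source. The require block has to declare every type and
# every object class/permission the allow rules use, or checkmodule rejects it.
foreman_local_te() {
cat <<'EOF'
module foreman_puppet_local 1.0;

require {
    type httpd_t;
    type passenger_t;
    type init_t;
    type puppet_etc_t;
    type puppet_port_t;
    class dir { search getattr };
    class tcp_socket name_connect;
    class unix_stream_socket { getattr ioctl };
}

#============= httpd_t ==============
allow httpd_t puppet_etc_t:dir { search getattr };
# Narrower than 'setsebool -P httpd_can_network_connect on', which would let
# httpd connect to any TCP port rather than only the puppet port.
allow httpd_t puppet_port_t:tcp_socket name_connect;

#============= passenger_t ==============
allow passenger_t init_t:unix_stream_socket { getattr ioctl };
EOF
}

# Number of allow rules in the module (sanity check before installing).
foreman_local_rule_count() {
    foreman_local_te | grep -c '^allow '
}

# Verify that every type named in an allow rule is declared in require.
# Prints "ok" or "missing".
foreman_local_check_require() {
    foreman_local_te | awk '
        /^require/ { inreq = 1; next }
        inreq && /^}/ { inreq = 0; next }
        inreq && $1 == "type" { sub(/;/, "", $2); declared[$2] = 1; next }
        $1 == "allow" {
            split($3, tgt, ":")
            if (!($2 in declared) || !(tgt[1] in declared)) missing++
        }
        END { print (missing ? "missing" : "ok") }'
}

# Compile and load the module. Needs checkmodule/semodule_package/semodule
# (policycoreutils / checkpolicy on Fedora) and root.
foreman_local_install() {
    dir=$(mktemp -d)
    foreman_local_te > "$dir/foreman_puppet_local.te"
    checkmodule -M -m -o "$dir/foreman_puppet_local.mod" "$dir/foreman_puppet_local.te"
    semodule_package -o "$dir/foreman_puppet_local.pp" -m "$dir/foreman_puppet_local.mod"
    semodule -i "$dir/foreman_puppet_local.pp"
    rm -rf "$dir"
}

case "${1:-}" in
    install)
        [ "$(foreman_local_check_require)" = ok ] || { echo "require block incomplete" >&2; exit 1; }
        foreman_local_install
        ;;
esac
```

Run as `sh foreman_local.sh install` on the affected host. `ausearch -m avc -ts recent | audit2allow -M foreman_puppet_local` produces an equivalent .te/.pp pair directly; writing it out by hand as above mainly makes the review step explicit, since audit2allow grants exactly what was denied and nothing more and the rules should be read before `semodule -i`. Either way this is a stopgap until the distribution policy is fixed, and the module should be removed with `semodule -r foreman_puppet_local` once an updated selinux-policy covers these accesses.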

After some investigation today, I filed the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1012426

We want our SELinux team to start improving Puppet policy. It is a
little bit messy at the moment.

LZ

On Thu, Sep 26, 2013 at 12:02:31PM +0200, Lukas Zapletal wrote:


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman