Local Puppet Module Store and SELinux

Jason_B_Nance · August 19, 2016, 6:36pm

Hello,

In the documentation on Importing Puppet Modules [from Git] here:

http://www.katello.org/docs/3.1/user_guide/puppet_integration/

…one of the examples shows how to use pulp-puppet-module-builder to create a local repository of modules that can then be imported (file:///path). The example includes creating a "/modules" directory on the local filesystem. However, the Celery process doesn't have access to read most locations by default (SELinux).

My workaround was to set my location's (/srv/puppet-modules) context to system_u:object_r:httpd_sys_content_t:s0.

I originally attempted to use celery_t, but SELinux wouldn't allow that.

Is there a better context for this?

Regards,

j

lzap · August 22, 2016, 11:40am

> Is there a better context for this?

I don't think so. Folks at pulp-list might know better.

The policy lives here, make a pick yourself:

github.com

pulp/pulp/blob/master/server/selinux/server/pulp-celery.te

# When built from RPM, the below version of "0.0.0" will be
# replaced with the version in the spec file
policy_module(pulp-celery, 0.0.0)
type celery_t;
type celery_exec_t;
init_daemon_domain(celery_t, celery_exec_t)

type pulp_var_cache_t;
files_type(pulp_var_cache_t)

type pulp_var_run_t;
files_pid_file(pulp_var_run_t)

type pulp_tmp_t;
files_tmp_file(pulp_tmp_t)

require {
        type celery_t;
        type httpd_sys_rw_content_t;
        type pstore_t;

This file has been truncated. show original

···

-- Later, Lukas #lzap Zapletal