Puppet SELinux denials, anyone else seeing this
Jonathan Underwood
jonathan.underwood at gmail.com
Mon Aug 22 15:45:42 UTC 2011
On 22 August 2011 16:41, Erinn Looney-Triggs
<erinn.looneytriggs at gmail.com> wrote:
> Just wondered if anyone else was running into issues with puppetmaster
> and SELinux:
>
> rpm -q puppet-server
> puppet-server-2.6.6-1.el6.noarch

Yep, I had to generate a local puppet module to get this puppet
package working on el6:

module puppetlocal 1.0;

require {
        type puppetmaster_t;
        type puppet_var_lib_t;
        type cobblerd_t;
        type httpd_sys_content_t;
        type node_t;
        type sysfs_t;
        type port_t;
        type cert_t;
        class dir { remove_name search };
        class udp_socket { name_bind node_bind };
        class file { create setattr };
}

#============= cobblerd_t ==============
#!!!! This avc is allowed in the current policy
allow cobblerd_t cert_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:dir remove_name;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:file { create setattr };
#!!!! This avc is allowed in the current policy
allow cobblerd_t puppet_var_lib_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t sysfs_t:dir search;

#============= puppetmaster_t ==============
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;
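
An added example, not part of the original message: a small review pass over a local module like the one above. It separates rules that audit2allow marked as already allowed from rules the module really adds, flags added rules whose target is a catch-all label, and rebuilds a trimmed module. The `GENERIC_TYPES` set and the function names are assumptions made for this example, and it assumes the marker comments reflect the distribution policy rather than an earlier load of the same local module.

```python
import re
from collections import defaultdict

MARKER = "#!!!! This avc is allowed in the current policy"
# Assumption for this example: catch-all labels that deserve a closer look.
GENERIC_TYPES = {"port_t", "node_t", "unlabeled_t"}
RULE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));$")

# Constructed sample: a few rules taken from the module in the message above.
SAMPLE_TE = """\
module puppetlocal 1.0;
#!!!! This avc is allowed in the current policy
allow cobblerd_t cert_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:file { create setattr };
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;
"""

def review(te_text):
    """Split allow rules into (needed, redundant, broad) lists of tuples."""
    needed, redundant, broad = [], [], []
    flagged = False  # True when the previous line was the audit2allow marker
    for line in map(str.strip, te_text.splitlines()):
        if line == MARKER:
            flagged = True
            continue
        m = RULE.match(line)
        if m:
            perms = tuple((m.group(4) or m.group(5)).split())
            rule = m.group(1, 2, 3) + (perms,)  # (source, target, class, perms)
            (redundant if flagged else needed).append(rule)
            if not flagged and rule[1] in GENERIC_TYPES:
                broad.append(rule)
        flagged = False
    return needed, redundant, broad

def trimmed_module(name, version, needed):
    """Rebuild a .te file that holds only the rules the loaded policy lacks."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perms in needed:
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in needed]
    return "\n".join(out) + "\n"
```

Here both remaining rules are flagged: `port_t` and `node_t` are the default labels for ports and nodes without a more specific type, so a tighter fix would label the specific UDP port the daemon binds and allow `name_bind` on that type instead.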