Hey folks,

Ok so I'm having another issue with SELinux. However I think I'm pretty close to a solution and just need a nudge in the right direction.

I wrote a puppet module that gets systems into bacula backups. Part of the formula is to distribute key/cert pairs with permissions that allow bacula to read them so that bacula can talk to the host over TLS. It's pretty slick, I must say!

However on adding some new hosts to bacula backups via puppet, I noticed that I was getting permission denied errors on the keypairs on the client hosts.

In my audit logs I found this entry:

type=AVC msg=audit(1434769414.956:562): avc: denied { open } for pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

And audit2allow told me this:

#grep puppet /var/log/audit/audit.log | audit2allow -M puppet
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i puppet.pp

But in installing the module I get an error I've never seen before:

#semodule -i puppet.pp
libsepol.print_missing_requirements: foreman's global requirements were not met: type/attribute puppet_var_lib_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

I will say that I'm getting much better at working through SELinux issues. I've come a long way from when I was taught by a senior admin I was working with to 'always disable selinux' to now making an effort to work through the issues.

So I was hoping to get some advice on how to get over this hurdle!

Thanks,
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
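
An added example, not part of the original post: a small Python parser that reads AVC denial records like the one quoted above and groups them by source type, target type and object class, which is the information audit2allow turns into allow rules. The first sample record is the denial from the post; the second record and the SYSCALL line are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: record 1 is the denial quoted in the post; record 2 and the
# SYSCALL line are constructed here to show grouping and filtering.
SAMPLE_LOG = '''\
type=AVC msg=audit(1434769414.956:562): avc: denied { open } for pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.mydomain.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1434769415.100:563): avc: denied { read } for pid=3558 comm="ruby" name="example.key" dev="vda1" ino=1842006 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=SYSCALL msg=audit(1434769415.100:563): arch=c000003e syscall=2 success=no comm="ruby"
'''

# "avc: denied { perm ... } for key=value ..." (whitespace varies between systems)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what policy rules refer to.
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            groups[key].update(rec['perms'])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f'{src} -> {tgt}:{cls} {{ {" ".join(perms)} }}')
```

Running a summary like this over the lines selected by `grep puppet` shows which domains and labels are about to be fed to audit2allow before any module is built.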