Bug #8507

closed

Policy prevents puppetmaster reading puppet modules via symlinks

Added by Lukas Zapletal over 9 years ago. Updated over 9 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The Staypuft team uses symlinks and this does not work:

[root@staypuft modules]# ls -la
total 8
drwxr-xr-x. 3 root root 4096 24. lis 14.24 .
drwxr-xr-x. 4 root root   36 24. lis 09.30 ..
lrwxrwxrwx. 1 root root   42 24. lis 14.24 apache -> /usr/share/openstack-puppet/modules/apache
lrwxrwxrwx. 1 root root   46 24. lis 14.24 ceilometer -> /usr/share/openstack-puppet/modules/ceilometer
lrwxrwxrwx. 1 root root   46 24. lis 14.24 certmonger -> /usr/share/openstack-puppet/modules/certmonger
lrwxrwxrwx. 1 root root   42 24. lis 14.24 cinder -> /usr/share/openstack-puppet/modules/cinder
lrwxrwxrwx. 1 root root   42 24. lis 14.24 common -> /usr/share/openstack-puppet/modules/common
lrwxrwxrwx. 1 root root   42 24. lis 14.24 concat -> /usr/share/openstack-puppet/modules/concat
lrwxrwxrwx. 1 root root   44 24. lis 14.24 firewall -> /usr/share/openstack-puppet/modules/firewall
drwxr-xr-x. 7 root root 4096 24. lis 09.31 foreman

----
time->Mon Nov 24 18:40:30 2014
type=SYSCALL msg=audit(1416872430.209:4574): arch=c000003e syscall=4 success=yes exit=0 a0=7f64c8800f70 a1=7f64cf5b9f90 a2=7f64cf5b9f90 a3=8b9cf0 items=0 ppid=1 pid=15006 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1416872430.209:4574): avc:  denied  { getattr } for  pid=15006 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----
time->Mon Nov 24 18:40:29 2014
type=SYSCALL msg=audit(1416872429.298:4573): arch=c000003e syscall=6 success=yes exit=0 a0=7f64c870fc50 a1=7f64cf5ba4a0 a2=7f64cf5ba4a0 a3=7f64c870fc80 items=0 ppid=1 pid=15006 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1416872429.298:4573): avc:  denied  { getattr } for  pid=15006 comm="ruby" path="/etc/puppet/environments/production/modules/module-data" dev="dm-1" ino=2676404 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file
----
time->Mon Nov 24 18:40:30 2014
type=SYSCALL msg=audit(1416872430.209:4575): arch=c000003e syscall=21 success=yes exit=0 a0=7f64c8800f70 a1=1 a2=7f64cf5b9f90 a3=8b9cf0 items=0 ppid=1 pid=15006 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1416872430.209:4575): avc:  denied  { execute } for  pid=15006 comm="ruby" name="xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----
time->Mon Nov 24 18:40:30 2014
type=SYSCALL msg=audit(1416872430.210:4576): arch=c000003e syscall=59 success=yes exit=0 a0=2d54c28 a1=7f64c815bb98 a2=7f64c81cbaf0 a3=7f64cf5ba0c0 items=0 ppid=15002 pid=15498 auid=4294967295 uid=52 gid=52 euid=52 suid=52 fsuid=52 egid=52 sgid=52 fsgid=52 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1416872430.210:4576): avc:  denied  { execute_no_trans } for  pid=15498 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1416872430.210:4576): avc:  denied  { read open } for  pid=15498 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
----

https://bugzilla.redhat.com/show_bug.cgi?id=1167880
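To see what the audit records above actually ask of the policy, this added parser (not part of the report or of Foreman) reads ausearch-style output, keeps only the AVC denials, separates the symlink (lnk_file) denial that is the subject of this bug from the unrelated iptables ones, and groups the denied permissions per source domain, target type and class, the way audit2allow would before a policy maintainer reviews them. The sample input is constructed from the records in the report, with the SYSCALL line shortened.

```python
import re

# Constructed sample input: the AVC records from the report above; the SYSCALL
# record that accompanies the first one is included (shortened) to show it is skipped.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1416872430.209:4574): arch=c000003e syscall=4 success=yes exit=0 pid=15006 comm="ruby" exe="/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)
type=AVC msg=audit(1416872430.209:4574): avc:  denied  { getattr } for  pid=15006 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1416872429.298:4573): avc:  denied  { getattr } for  pid=15006 comm="ruby" path="/etc/puppet/environments/production/modules/module-data" dev="dm-1" ino=2676404 scontext=system_u:system_r:passenger_t:s0 tcontext=unconfined_u:object_r:puppet_etc_t:s0 tclass=lnk_file
type=AVC msg=audit(1416872430.209:4575): avc:  denied  { execute } for  pid=15006 comm="ruby" name="xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1416872430.210:4576): avc:  denied  { execute_no_trans } for  pid=15498 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
type=AVC msg=audit(1416872430.210:4576): avc:  denied  { read open } for  pid=15498 comm="ruby" path="/usr/sbin/xtables-multi" dev="dm-1" ino=17229624 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=file
"""

# Header of an AVC record: timestamp:serial, result, the {...} permission set, then key=value fields.
AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (path, comm, name) or bare (contexts, ino, tclass).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def domain(ctx):
    """Third field of an SELinux context (user:role:type:level) is the type, e.g. passenger_t."""
    return ctx.split(':')[2] if ctx else None

def parse_avc(text):
    """Return one dict per AVC record; SYSCALL and other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        records.append({'serial': int(m.group('serial')), 'result': m.group('result'),
                        'perms': m.group('perms').split(), 'comm': f.get('comm'),
                        'scontext': f.get('scontext'), 'tcontext': f.get('tcontext'),
                        'tclass': f.get('tclass'), 'target': f.get('path') or f.get('name')})
    return records

def symlink_denials(records):
    """The denials this bug is about: getattr/read on lnk_file objects, i.e. the module symlinks."""
    return [r for r in records if r['result'] == 'denied' and r['tclass'] == 'lnk_file']

def allow_rules(records):
    """Collapse denials into one candidate allow rule per (source type, target type, class)."""
    perms = {}
    for r in records:
        if r['result'] != 'denied':
            continue
        perms.setdefault((domain(r['scontext']), domain(r['tcontext']), r['tclass']), set()).update(r['perms'])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in perms.items())

if __name__ == '__main__':
    recs = parse_avc(AUDIT_LOG)
    for r in symlink_denials(recs):
        print('symlink denial:', r['target'], '->', r['tcontext'])
    print('\n'.join(allow_rules(recs)))
```

The grouped rules show two distinct problems in the log: passenger_t lacking getattr on puppet_etc_t symlinks, and passenger_t trying to run iptables, which is a separate policy question from the symlink one.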

#1

Updated by Lukas Zapletal over 9 years ago

  • Status changed from New to Rejected

This needs to be fixed in puppet policy in RHEL.
