Wrong SELinux type for wsgi.py, settings.py #365

Open
op-ct opened this issue Jul 27, 2022 · 0 comments · May be fixed by #405


op-ct commented Jul 27, 2022

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.18
  • Ruby: 2.5.8p224
  • Distribution: Rocky 8
  • Module version:

How to reproduce (e.g Puppet code you use)

  package{'python38':
    provider    => dnfmodule,
    ensure      => present,
    enable_only => true,
  }
  ->
  class { 'puppetboard':
    python_version      => '3.8',
    offline_mode        => true,
    manage_virtualenv   => true,
    manage_selinux      => true,
    default_environment => '*',
    puppetdb_host       => '127.0.0.1',
    puppetdb_port       => 8138,
  }

  class { 'apache':
    default_vhost => false,
  }

  class { 'puppetboard::apache::vhost':
    vhost_name => $puppetboard_server,
    port       => 80,
  }

What are you seeing

When SELinux is enforcing and manage_selinux => true:

  • apache returns "Permission denied".
  • ausearch -m avc -i -ts recent shows AVC "Permission denied" errors from Puppetboard on the files /srv/puppetboard/puppetboard/settings.py and /srv/puppetboard/puppetboard/wsgi.py

Manually running chcon -t httpd_sys_script_exec_t /srv/puppetboard/puppetboard/settings.py /srv/puppetboard/puppetboard/wsgi.py fixes the issue until Puppet runs again.

What behaviour did you expect instead

The puppetboard module's classes should set all required SELinux contexts when manage_selinux => true

Output log

image

Any additional information you'd like to impart

I don't know if the httpd_sys_script_exec_t context is universal; perhaps there should be some way to specify the SELinux context for these files.
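
Added example, not part of the original issue and not the puppetboard module's own code: one way to make the manual chcon workaround persistent by recording the type in the local file-context policy. It assumes the puppet/selinux module is installed and that Class['puppetboard'] is declared as in the manifest above; the resource title and $puppetboard_dir are hypothetical names, the path and SELinux type are the ones reported in the issue, and the boolean is the one named in the commits that reference it.

```puppet
# Added example. Assumes puppet/selinux is available and Class['puppetboard']
# is declared elsewhere in the catalog. $puppetboard_dir is a hypothetical
# variable holding the path reported in the issue.
$puppetboard_dir = '/srv/puppetboard/puppetboard'

# Record the type as a local file-context rule (semanage fcontext) so that it
# becomes the policy default for these two files instead of a one-off chcon.
# The type is the one the manual workaround used.
selinux::fcontext { 'puppetboard-wsgi-entrypoints':
  pathspec => "${puppetboard_dir}/(settings|wsgi)\\.py",
  seltype  => 'httpd_sys_script_exec_t',
}

# Relabel only the two affected files, after the module has put them in
# place, and again whenever the file-context rule changes.
selinux::exec_restorecon { ["${puppetboard_dir}/settings.py", "${puppetboard_dir}/wsgi.py"]:
  recurse   => false,
  require   => Class['puppetboard'],
  subscribe => Selinux::Fcontext['puppetboard-wsgi-entrypoints'],
}

# Boolean named in the commits that reference this issue.
selinux::boolean { 'httpd_enable_cgi':
  ensure => 'on',
}
```

After a Puppet run, ls -Z on the two files should show httpd_sys_script_exec_t, and ausearch -m avc -i -ts recent should report no new denials for them.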

d1nuc0m pushed a commit to d1nuc0m/puppet-puppetboard that referenced this issue Apr 4, 2024
* Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
* Enable httpd_enable_cgi SELinux boolean to allow WSGI execution

Fixes: voxpupuli#336, voxpupuli#365
d1nuc0m added a commit to d1nuc0m/puppet-puppetboard that referenced this issue Apr 5, 2024
    * Add puppet/selinux to dependencies
    * Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
    * Enable httpd_enable_cgi SELinux boolean to allow WSGI execution

Fixes: voxpupuli#336, voxpupuli#365
d1nuc0m added a commit to d1nuc0m/puppet-puppetboard that referenced this issue May 13, 2024
    * Add puppet/selinux to dependencies
    * Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
    * Enable httpd_enable_cgi SELinux boolean to allow WSGI execution

Fixes: voxpupuli#336, voxpupuli#365
d1nuc0m added a commit to d1nuc0m/puppet-puppetboard that referenced this issue May 21, 2024
    * Add puppet/selinux to dependencies
    * Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
    * Enable httpd_enable_cgi SELinux boolean to allow WSGI execution

Fixes: voxpupuli#336, voxpupuli#365