Issue #7069 has been reported by Scott Merrill.

----------------------------------------
Bug #7069: Dashboard's default port blocked by default SELinux policy
https://projects.puppetlabs.com/issues/7069

Author: Scott Merrill
Status: Unreviewed
Priority: Normal
Assignee: 
Category: 
Target version: 
Keywords: dashboard selinux policy
Branch: 
Affected URL: 
Affected Dashboard version: 1.0.4


Trying to run Dashboard on a Red Hat Enterprise Linux 6 server with SELinux 
enabled does not work. The audit log records the following:
    type=AVC msg=audit(1302621346.304:218642): avc:  denied  { name_connect } for  pid=27169 comm="puppetmasterd" dest=3000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket

TCP port 3000 is assigned to ntop, and the default SELinux policy has a rule 
for the use of that port:
    # semanage port -l | grep 3000
    ntop_port_t                    tcp      3000, 3001
    ntop_port_t                    udp      3000, 3001

I haven't yet found a simple semanage command that will permit the 
puppetmasterd user to access the ntop port. A semanage command would be one 
possible easy fix.

Running audit2allow suggests (among other things) the following local policy:
    #============= puppetmaster_t ==============
    allow puppetmaster_t ntop_port_t:tcp_socket name_connect;

This requires the construction and compilation of a complete SELinux policy 
module, though, which seems a little excessive just to get Dashboard running.

Defining a different port for DASHBOARD_PORT in /etc/sysconfig/puppet-dashboard 
does permit the dashboard to start properly, with no SELinux complaints.


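Added example, not part of the original report or of Puppet Dashboard: a small Python triage script that parses the AVC record quoted above, looks up which port type owns the destination port in the `semanage port -l` output, and derives the same rule audit2allow suggested. The function names are hypothetical; the sample data is copied from the report with the line wraps joined.

```python
import re

# AVC record and port listing copied from the report above (line wraps joined).
AVC = ('type=AVC msg=audit(1302621346.304:218642): avc:  denied  { name_connect } '
       'for  pid=27169 comm="puppetmasterd" dest=3000 '
       'scontext=system_u:system_r:puppetmaster_t:s0 '
       'tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket')
PORTS = """ntop_port_t                    tcp      3000, 3001
ntop_port_t                    udp      3000, 3001"""


def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC denial record')
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    fields = {k: v.strip('"') for k, v in fields.items()}
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def port_owner(listing, proto, port):
    """Find the port type that `semanage port -l` output assigns to proto/port."""
    for row in listing.splitlines():
        cols = row.split(None, 2)
        if len(cols) != 3 or cols[1] != proto:
            continue  # header line or a different protocol
        for item in cols[2].split(','):
            lo, _, hi = item.strip().partition('-')  # single port or lo-hi range
            if int(lo) <= port <= int(hi or lo):
                return cols[0]
    return None


def allow_rule(avc):
    """Build the type-enforcement rule that would permit this denial."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(context_type(avc['scontext']),
                                       context_type(avc['tcontext']),
                                       avc['tclass'], perm_text)


if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(port_owner(PORTS, 'tcp', int(avc['dest'])), '->', allow_rule(avc))
```

Seeing the owning port type next to the derived rule makes the scope of the grant explicit: the rule covers every port labelled ntop_port_t (3000 and 3001 here), not only the Dashboard port.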