Issue #7069 has been updated by Scott Merrill.
Actually, simply running on a different port is not sufficient to get Dashboard
to work on a system with SELinux enforced.
I'm also seeing these in the audit log:
type=AVC msg=audit(1302639566.630:219929): avc: denied { name_connect } for pid=27169 comm="puppetmasterd" dest=3000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
The full audit2allow output for Puppet is:
#============= puppetmaster_t ==============
allow puppetmaster_t cert_t:dir search;
allow puppetmaster_t cert_t:file { read getattr open };
allow puppetmaster_t cert_t:lnk_file read;
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t ntop_port_t:tcp_socket name_connect;
allow puppetmaster_t port_t:udp_socket name_bind;
allow puppetmaster_t samba_var_t:dir search;
allow puppetmaster_t winbind_t:unix_stream_socket connectto;
allow puppetmaster_t winbind_var_run_t:dir { getattr search };
allow puppetmaster_t winbind_var_run_t:sock_file { write getattr };
----------------------------------------
Bug #7069: Dashboard's default port blocked by default SELinux policy
https://projects.puppetlabs.com/issues/7069
Author: Scott Merrill
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Keywords: dashboard selinux policy
Branch:
Affected URL:
Affected Dashboard version: 1.0.4
Trying to run Dashboard on a Red Hat Enterprise Linux 6 server with SELinux
enabled does not work. The audit log records the following:
type=AVC msg=audit(1302621346.304:218642): avc: denied { name_connect } for pid=27169 comm="puppetmasterd" dest=3000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
TCP port 3000 is assigned to ntop, and the default SELinux policy has a rule
for the use of that port:
# semanage port -l | grep 3000
ntop_port_t tcp 3000, 3001
ntop_port_t udp 3000, 3001
I haven't yet found a simple semanage command that will permit the
puppetmasterd user to access the ntop port. A semanage command would be one
possible easy fix.
Running audit2allow suggests (among other things) the following local policy:
#============= puppetmaster_t ==============
allow puppetmaster_t ntop_port_t:tcp_socket name_connect;
This requires the construction and compilation of a complete SELinux policy
module, though, which seems a little excessive just to get Dashboard running.
Defining a different port for DASHBOARD_PORT in /etc/sysconfig/puppet-dashboard
does permit the dashboard to start properly, with no SELinux complaints.
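The report above says the audit2allow rule "requires the construction and compilation of a complete SELinux policy module". The script below, which is an added example and not part of the bug report or of Puppet Dashboard, shows what that module is: it turns AVC records like the ones quoted in this ticket into allow rules (a minimal version of what audit2allow does, without its rule merging), wraps them in a .te module with the require block that checkmodule needs, and compiles and installs the module with the standard checkmodule / semodule_package / semodule tool chain. The first sample AVC record is the one from the report; the second (a cert_t file denial) is constructed from the audit2allow output in the update and is not a line from the ticket. The module name puppetmaster_dashboard is an assumption. One caveat worth keeping in mind: the generated rule lets puppetmaster_t connect to every port labelled ntop_port_t (3000 and 3001 per the semanage output above), not just the one Dashboard uses, so the module should carry only the rules the denials actually justify.

```shell
#!/bin/sh
# Added example: build a local SELinux policy module from AVC denials.
# Not code from the Puppet project; the module name is an assumption.

avc_to_allow() {
  # Reads AVC denial records (one per line, as auditd writes them) on stdin
  # and prints one audit2allow-style rule per record:
  #   allow <source type> <target type>:<class> <perm(s)>;
  # The type is the third colon-separated field of an SELinux context.
  awk '
  /avc: +denied/ {
    p = substr($0, index($0, "{") + 1)        # text after "denied {"
    p = substr(p, 1, index(p, "}") - 1)       # ... up to the closing "}"
    gsub(/^ +| +$/, "", p)                    # trim: "name_connect" or "read getattr open"
    s = t = c = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) s = substr($i, 10)
      if ($i ~ /^tcontext=/) t = substr($i, 10)
      if ($i ~ /^tclass=/)   c = substr($i, 8)
    }
    if (s == "" || t == "" || c == "") next   # not a complete record; skip it
    split(s, sa, ":"); split(t, ta, ":")
    if (index(p, " ")) p = "{ " p " }"        # several permissions get braces
    printf "allow %s %s:%s %s;\n", sa[3], ta[3], c, p
  }'
}

write_te() {
  # Reads allow rules on stdin (audit2allow output works too; its "#===="
  # comment lines are ignored) and prints a complete .te module named $1,
  # declaring every type and class/permission the rules use in a require block.
  awk -v name="$1" '
  /^allow / {
    rules[++nr] = $0
    src = $2
    tgt = $3; sub(/:.*/, "", tgt)
    cls = $3; sub(/^[^:]*:/, "", cls)
    if (!(src in seen_t)) { seen_t[src] = 1; types[++nt] = src }
    if (!(tgt in seen_t)) { seen_t[tgt] = 1; types[++nt] = tgt }
    p = $0
    sub(/^allow [^ ]+ [^ ]+ +/, "", p)        # drop "allow src tgt:cls "
    sub(/;[ \t]*$/, "", p)
    gsub(/[{}]/, "", p)
    n = split(p, pa, " ")
    for (i = 1; i <= n; i++) {
      if (!((cls, pa[i]) in seen_p)) {
        seen_p[cls, pa[i]] = 1
        if (!(cls in seen_c)) { seen_c[cls] = 1; classes[++nc] = cls }
        perms[cls] = perms[cls] " " pa[i]
      }
    }
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", name
    for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
    for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], perms[classes[i]]
    printf "}\n\n"
    for (i = 1; i <= nr; i++) print rules[i]
  }'
}

build_and_install_module() {
  # Compiles $1.te in the current directory into $1.pp and loads it.
  # Needs checkpolicy and policycoreutils (RHEL 6 packages) and root for semodule.
  name=$1
  if ! command -v checkmodule >/dev/null 2>&1; then
    echo "checkmodule not found; on RHEL 6: yum install checkpolicy policycoreutils" >&2
    return 2
  fi
  checkmodule -M -m -o "$name.mod" "$name.te" &&
  semodule_package -o "$name.pp" -m "$name.mod" &&
  semodule -i "$name.pp"
}

# Sample input: the first record is the denial quoted in the report; the second
# is CONSTRUCTED from the cert_t rule in the update, not a line from the ticket.
SAMPLE_AVC='type=AVC msg=audit(1302621346.304:218642): avc: denied { name_connect } for pid=27169 comm="puppetmasterd" dest=3000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1302621346.305:218643): avc: denied { read getattr open } for pid=27169 comm="puppetmasterd" path="/etc/pki/tls/certs/ca-bundle.crt" dev=dm-0 ino=12345 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file'

# Print the module that would be written to puppetmaster_dashboard.te.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | write_te puppetmaster_dashboard
```

To use it on the server from the report, redirect the printed module to puppetmaster_dashboard.te (or feed `ausearch -m avc -c puppetmasterd` output through avc_to_allow instead of the embedded sample) and run `build_and_install_module puppetmaster_dashboard` as root. audit2allow's own `-M puppetmaster_dashboard` option does the same .te/.pp generation in one step, leaving only `semodule -i puppetmaster_dashboard.pp`; the script above just makes visible what ends up in that module.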
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.