Skip to content

Add proper SELinux context and setup appropriate booleans #405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
d1nuc0m wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add proper SELinux context and setup appropriate booleans #405

d1nuc0m wants to merge 1 commit into from

Conversation

@d1nuc0m
Copy link
Contributor

@d1nuc0m d1nuc0m commented Apr 5, 2024

Pull Request (PR) description

This should fix issues with SELinux and allow usage in enforcing mode. It works, but as I am not a SELinux expert, permissions for puppetboard and venv files should be reviewed to check if something is missing/permissions should be more restrictive.

Another issue is best practice for certificate path in single node mode - with SELinux enforcing mode Puppetboard can't read files with context puppet_etc_t (and it should be like this) . In my environment I fixed with this snippet

file {
  default:
    require => Class['puppet'],
    notify  => Service['httpd'],
    ;
  '/etc/pki/tls/certs/puppet_server_ca.pem':
    mode   => '0644',
    source => 'file:///etc/puppetlabs/puppet/ssl/certs/ca.pem',
    ;
  '/etc/pki/tls/certs/puppet_server_cert.pem':
    mode   => '0644',
    source => "file:///etc/puppetlabs/puppet/ssl/certs/${networking['fqdn']}.pem",
    ;
  '/etc/pki/tls/private/puppet_server_key.pem':
    owner  => 'puppetboard',
    mode   => '0400',
    source => "file:///etc/puppetlabs/puppet/ssl/private_keys/${networking['fqdn']}.pem",
    ;
}

But probably it is not the best solution, so where should certificates go? /etc/puppetboard/ssl?

This Pull Request (PR) fixes the following issues

Fixes #336
Fixes #365

@bastelfreak bastelfreak added the bug Something isn't working label May 13, 2024
@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented May 15, 2024

Checks fails because CI can't find PostgreSQL 11 packages in the repositories and PuppetDB install fails, this is due to puppetlabs/puppetlabs-puppetdb#379 and puppetlabs/puppetlabs-puppetdb#396 because the failed checks installed puppetlabs-puppetdb v7.14.0

@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented May 15, 2024

#388 allowed python 7.x module, this uses a more recent stdlib, so using latest puppetdb module should be possible

@bastelfreak
Copy link
Member

bastelfreak commented May 15, 2024

@d1nuc0m please rebase against our latest master branch to get rid of the python version commit.

@d1nuc0m d1nuc0m force-pushed the fix-selinux branch 3 times, most recently from 2e9877f to b7e6fca Compare May 21, 2024 07:55
@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented May 21, 2024
edited
Loading

Done, with a bit of tinkering as I also needed to edit metadata.json to add SELinux module.

Regarding tests (IRC), what could/should I add?

@bastelfreak

@d1nuc0m d1nuc0m force-pushed the fix-selinux branch 8 times, most recently from 9adbe51 to 9e22859 Compare September 16, 2025 12:58
@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented Sep 16, 2025

Update: everything should be labelled correctly now

@paran1
Copy link

paran1 commented Nov 28, 2025

I ran into the same issue, this patch looks correct.

I did not have time to test with the fully patched module, but copied the selinux manifest code from here, excluding the booleans already set by the original code. This fixed my puppetboard, thanks!

Looks like this needs another rebase as it lowers the allowed python module?

@paran1
Copy link

paran1 commented Nov 28, 2025

This fixed my puppetboard, thanks!

I should have included my versions.
This fixes selinux issues for me on RockyLinux 9.6, OpenVox 8.23.1, puppet-puppetboard 11.0.0

@d1nuc0m
fix: add proper SELinux context and enable httpd_enable_cgi
6c6ff74 
    * Add puppet/selinux to dependencies
    * Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
    * Enable httpd_enable_cgi SELinux boolean to allow WSGI execution

Fixes: voxpupuli#336, voxpupuli#365
@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented Dec 4, 2025

Tests fail due to puppetdb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Wrong SELinux type for wsgi.py, settings.py puppetboard has no explicit SELinux context for httpd

4 participants

@d1nuc0m @bastelfreak @paran1 @TheMeier