Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add proper SELinux context and setup appropriate booleans #405

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

d1nuc0m
Copy link
Contributor

@d1nuc0m d1nuc0m commented Apr 5, 2024

Pull Request (PR) description

This should fix issues with SELinux and allow usage in enforcing mode. It works, but as I am not a SELinux expert, permissions for puppetboard and venv files should be reviewed to check if something is missing/permissions should be more restrictive.

Another issue is best practice for certificate path in single node mode - with SELinux enforcing mode Puppetboard can't read files with context puppet_etc_t (and it should be like this) . In my environment I fixed with this snippet

file {
  default:
    require => Class['puppet'],
    notify  => Service['httpd'],
    ;
  '/etc/pki/tls/certs/puppet_server_ca.pem':
    mode   => '0644',
    source => 'file:///etc/puppetlabs/puppet/ssl/certs/ca.pem',
    ;
  '/etc/pki/tls/certs/puppet_server_cert.pem':
    mode   => '0644',
    source => "file:///etc/puppetlabs/puppet/ssl/certs/${networking['fqdn']}.pem",
    ;
  '/etc/pki/tls/private/puppet_server_key.pem':
    owner  => 'puppetboard',
    mode   => '0400',
    source => "file:///etc/puppetlabs/puppet/ssl/private_keys/${networking['fqdn']}.pem",
    ;
}

But probably it is not the best solution, so where should certificates go? /etc/puppetboard/ssl?

This Pull Request (PR) fixes the following issues

Fixes #336
Fixes #365

@bastelfreak bastelfreak added the bug Something isn't working label May 13, 2024
@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented May 15, 2024

Checks fails because CI can't find PostgreSQL 11 packages in the repositories and PuppetDB install fails, this is due to puppetlabs/puppetlabs-puppetdb#379 and puppetlabs/puppetlabs-puppetdb#396 because the failed checks installed puppetlabs-puppetdb v7.14.0

@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented May 15, 2024

#388 allowed python 7.x module, this uses a more recent stdlib, so using latest puppetdb module should be possible

@bastelfreak
Copy link
Member

@d1nuc0m please rebase against our latest master branch to get rid of the python version commit.

@d1nuc0m d1nuc0m force-pushed the fix-selinux branch 2 times, most recently from 7cfa4fe to 2e9877f Compare May 21, 2024 07:46
    * Add puppet/selinux to dependencies
    * Set SELinux context for files in ${basedir}/puppetboard, if virtualenv is managed, set context for it too
    * Enable httpd_enable_cgi SELinux boolean to allow WSGI execution

Fixes: voxpupuli#336, voxpupuli#365
@d1nuc0m
Copy link
Contributor Author

d1nuc0m commented May 21, 2024

Done, with a bit of tinkering as I also needed to edit metadata.json to add SELinux module.

Regarding tests (IRC), what could/should I add?

@bastelfreak

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Wrong SELinux type for wsgi.py, settings.py puppetboard has no explicit SELinux context for httpd
3 participants