SELinux denials for Puppet/Passenger (passenger_t)

Solution Unverified - Updated

Environment

  • Red Hat Satellite v 6
  • Puppet Enterprise or Puppet that was not shipped with Satellite 6

Issue

  • Satellite 6 Capsule (integrated/external) issues SELinux denials for passenger_t or puppet_t domains when synchronizing, promoting or consuming Puppet Manifests.

/var/log/audit/audit.log:type=AVC msg=audit(1452072575.832:235842): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/MtStrmCommandResponseMessageQueue" dev="tmpfs" ino=23361 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file

Resolution

  • SELinux policies are tuned and tested with the Puppet version that ships in the Satellite 6 repositories. Any other Puppet release won't work, and therefore SELinux must be turned off for the particular resources involved. In this case it is the Puppet Master process:
semanage permissive -a passenger_t

Note: On the master node, the command will essentially also turn off SELinux for the Satellite 6 UI (Foreman); unfortunately there is currently no clever way of turning off only the Puppet Master policy.

Root Cause

The SELinux policy that ships in Red Hat Enterprise Linux, together with the Satellite 6 extensions for Puppet Master and Passenger, is only compatible with the particular Puppet version that ships in the Satellite 6 repositories.

Diagnostic Steps

  • SELinux denials when working with Puppet Master.

  • With SELinux in enforcing mode, check whether the denial messages below are seen in the audit log:

[root@xxx ~]# grep -H "type=AVC" /var/log/audit/audit.log
/var/log/audit/audit.log:type=AVC msg=audit(1452072575.832:235842): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/MtStrmCommandResponseMessageQueue" dev="tmpfs" ino=23361 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
/var/log/audit/audit.log:type=AVC msg=audit(1452072575.837:235843): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/MtStrmCommandRequestMessageQueue" dev="tmpfs" ino=23360 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
/var/log/audit/audit.log:type=AVC msg=audit(1452072575.837:235844): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/sem.MtstrmRequestMutexName" dev="tmpfs" ino=23359 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
/var/log/audit/audit.log:type=AVC msg=audit(1452076936.759:236573): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/MtStrmCommandResponseMessageQueue" dev="tmpfs" ino=23361 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
/var/log/audit/audit.log:type=AVC msg=audit(1452076936.759:236574): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/MtStrmCommandRequestMessageQueue" dev="tmpfs" ino=23360 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
/var/log/audit/audit.log:type=AVC msg=audit(1452076936.759:236575): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/sem.MtstrmRequestMutexName" dev="tmpfs" ino=23359 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
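Because `semanage permissive -a passenger_t` only silences denials whose source domain is passenger_t, it is worth summarising the audit log by source domain first, so you can see whether the denials you are chasing actually come from passenger_t/puppet_t rather than from some other domain. The script below is an added example, not part of the Red Hat solution; the sample AVC lines are constructed (the first one is the page's own line, the passenger_t lines are made up for illustration) and the function names are the example's own.

```shell
#!/bin/bash
# Added example: group AVC denials by source SELinux domain and count how
# many of them originate from passenger_t or puppet_t.

# Constructed sample audit lines. Line 1 is the page's own AVC; the two
# passenger_t lines are invented to show what a Puppet Master denial looks like.
SAMPLE_AVC='type=AVC msg=audit(1452072575.832:235842): avc:  denied  { getattr } for  pid=21547 comm="systemd-logind" path="/dev/shm/MtStrmCommandResponseMessageQueue" dev="tmpfs" ino=23361 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:initrc_state_t:s0 tclass=file
type=AVC msg=audit(1452072600.100:235900): avc:  denied  { read } for  pid=22001 comm="ruby" path="/etc/puppet/puppet.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1452072601.200:235901): avc:  denied  { write } for  pid=22001 comm="ruby" name="reports" dev="dm-0" ino=2002 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir'

# avc_domain_summary: read AVC lines on stdin and print "<count> <source domain>"
# per domain, most frequent first. The domain is the third field of scontext=.
avc_domain_summary() {
  grep 'type=AVC' \
    | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# passenger_denials: count AVC lines whose source domain is passenger_t or
# puppet_t, i.e. the ones that "semanage permissive -a passenger_t" would affect.
passenger_denials() {
  grep 'type=AVC' | grep -c -E 'scontext=[^ ]*:(passenger_t|puppet_t):'
}

# is_permissive_domain: true if the domain is already listed as permissive.
# Needs the semanage tool (policycoreutils-python) on the host.
is_permissive_domain() {
  semanage permissive -l 2>/dev/null | grep -qx "$1"
}

# Run against the constructed sample; on a real host feed the audit log instead:
#   grep 'type=AVC' /var/log/audit/audit.log | avc_domain_summary
printf '%s\n' "$SAMPLE_AVC" | avc_domain_summary
echo "passenger_t/puppet_t denials: $(printf '%s\n' "$SAMPLE_AVC" | passenger_denials)"
```

If the summary shows only domains other than passenger_t/puppet_t (as in the page's systemd_logind_t line), making passenger_t permissive will not change those entries, and they need to be investigated separately.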


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.