theforeman / foreman-fapolicyd

GNU General Public License v3.0

Puppetserver fails #7

Closed ehelms closed 10 months ago

ehelms commented 11 months ago

Failure during install and configuration of Puppet:

rule=8 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jffi5936621269686588285.so ftype=application/x-sharedlib trust=0
rule=8 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jffi5936621269686588285.so ftype=application/x-sharedlib trust=0
rule=8 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jffi5936621269686588285.so ftype=application/x-sharedlib trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jruby-6630/jruby5926005100837765424psych.jar ftype=application/java-archive trust=0

Options:

  1. PrivateTmp=True on the systemd service but that is packaged and not under our control
  2. Add rules for tmp just for the Java process (tricky due to the changing name of the Java path)
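The four decision lines above are what fapolicyd emits when the JVM behind puppetserver extracts native helpers (a jffi shared library, a jruby jar) into /tmp and then tries to open them: the files are not in the trust database, so trust=0 and the open is denied. The following is an added example, not code from this issue or from the foreman-fapolicyd module, that parses such lines and picks out exactly this pattern (denied opens of untrusted loadable files under a temporary directory), so the noisy process can be identified before deciding between the PrivateTmp and per-process-rule options. The field layout is inferred from the lines quoted above; the set of file types and temp-directory prefixes are my assumptions, and the sample input is constructed from the issue's lines plus one non-decision line.

```python
import re
from collections import Counter

# Constructed sample input: the four fapolicyd decision lines quoted in the
# issue, plus one unrelated line to show that non-matching input is skipped.
SAMPLE_LOG = """\
rule=8 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jffi5936621269686588285.so ftype=application/x-sharedlib trust=0
rule=8 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jffi5936621269686588285.so ftype=application/x-sharedlib trust=0
rule=8 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jffi5936621269686588285.so ftype=application/x-sharedlib trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=6630 exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.382.b05-2.el8.x86_64/jre/bin/java : path=/tmp/jruby-6630/jruby5926005100837765424psych.jar ftype=application/java-archive trust=0
starting fapolicyd (constructed, not a decision line)
"""

# Field layout assumed from the lines above (rule, dec, perm, auid, pid, exe,
# path, ftype, trust); this mirrors fapolicyd's reporting line, not any API of
# the foreman-fapolicyd module.
DECISION_RE = re.compile(
    r"^rule=(?P<rule>\d+) dec=(?P<dec>\S+) perm=(?P<perm>\S+) "
    r"auid=(?P<auid>-?\d+) pid=(?P<pid>\d+) exe=(?P<exe>\S+) : "
    r"path=(?P<path>\S+) ftype=(?P<ftype>\S+) trust=(?P<trust>[01])$"
)


def parse_decision(line):
    """Return a dict of fields for one decision line, or None if it is not one."""
    m = DECISION_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("rule", "pid", "auid"):
        ev[key] = int(ev[key])
    ev["trust"] = ev["trust"] == "1"  # trust=0 means "not in the trust database"
    return ev


def parse_log(text):
    """Parse every decision line in a log excerpt, silently skipping other lines."""
    return [ev for ev in (parse_decision(l) for l in text.splitlines()) if ev]


def untrusted_tmp_denials(events, tmp_prefixes=("/tmp/", "/var/tmp/")):
    """Denied opens of untrusted files that live under a temporary directory.

    Only loadable file types are reported (assumed set), since runtime loading
    of libraries and archives from /tmp is what the trust database guards.
    """
    loadable = {"application/x-sharedlib", "application/java-archive"}
    return [
        ev for ev in events
        if ev["dec"].startswith("deny")
        and not ev["trust"]
        and ev["path"].startswith(tmp_prefixes)
        and ev["ftype"] in loadable
    ]


def summarize_by_exe(events):
    """Count denials per (exe, ftype) so one noisy process (here the JVM behind
    puppetserver) stands out from isolated denials."""
    return Counter((ev["exe"], ev["ftype"]) for ev in events)


if __name__ == "__main__":
    denials = untrusted_tmp_denials(parse_log(SAMPLE_LOG))
    for (exe, ftype), n in summarize_by_exe(denials).most_common():
        print(f"{n:3d}  {ftype:28s} {exe}")
```

Run against the sample, the summary shows one executable (the OpenJDK java binary) responsible for all four denials, three on the shared library and one on the jar, which is the signal that a per-process fix (PrivateTmp, or a rule scoped to that exe) is the right shape rather than loosening /tmp for everyone.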

ekohl commented 10 months ago

PrivateTmp=True on the systemd service but that is packaged and not under our control

https://github.com/puppetlabs/ezbake/pull/623

evgeni commented 10 months ago

https://github.com/theforeman/puppet-puppet/pull/892 is the temporary workaround for this.

evgeni commented 10 months ago

https://github.com/theforeman/puppet-puppet/pull/892 got merged and I could run Foreman, Plugins and Katello pipelines just fine, which contain Puppet, so I am going to close this one as completed.