Wrong SELinux type for wsgi.py, settings.py #365

@op-ct

Description

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.18
  • Ruby: 2.5.8p224
  • Distribution: Rocky 8
  • Module version:

How to reproduce (e.g Puppet code you use)

  package{'python38':
    provider    => dnfmodule,
    ensure      => present,
    enable_only => true,
  }
  ->
  class { 'puppetboard':
    python_version      => '3.8',
    offline_mode        => true,
    manage_virtualenv   => true,
    manage_selinux      => true,
    default_environment => '*',
    puppetdb_host       => '127.0.0.1',
    puppetdb_port       => 8138,
  }

  class { 'apache':
    default_vhost => false,
  }

  class { 'puppetboard::apache::vhost':
    vhost_name => $puppetboard_server,
    port       => 80,
  }

What are you seeing

When SELinux is enforcing and manage_selinux => true:

  • apache returns "Permission denied".
  • ausearch -m avc -i -ts recent shows AVC "Permission denied" errors from Puppetboard on the files /srv/puppetboard/puppetboard/settings.py and /srv/puppetboard/puppetboard/wsgi.py

Manually running chcon -t httpd_sys_script_exec_t /srv/puppetboard/puppetboard/settings.py /srv/puppetboard/puppetboard/wsgi.py fixes the issue until Puppet runs again.

What behaviour did you expect instead

The puppetboard module's classes should set all required SELinux contexts when manage_selinux => true

Output log

Any additional information you'd like to impart

I don't know if the httpd_sys_script_exec_t context is universal; perhaps there should be some way to specify the SELinux context for these files.
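
A sketch of how the AVC denials described in this issue could be summarised per file, added here as an example and not part of the original report or the puppetboard module. The sample records are constructed; the type example_wrong_t, the otherd process and the function names are assumptions, while httpd_sys_script_exec_t is the type the reporter's chcon workaround applies.

```python
import re
from collections import defaultdict

# Constructed records in the shape of `ausearch -m avc -i` output. PIDs, inodes,
# timestamps and the type example_wrong_t are placeholders, not from the issue.
_FMT = ('type=AVC msg=audit(01/01/2024 10:00:0{n}.000:50{n}) : avc:  denied  '
        '{{ {perm} }} for  pid=2001 comm={comm} path={path} dev="dm-0" ino=100{n} '
        'scontext=system_u:system_r:{dom}:s0 tcontext=system_u:object_r:{typ}:s0 '
        'tclass=file permissive=0')
APP = '/srv/puppetboard/puppetboard/'
SAMPLE = '\n'.join(_FMT.format(n=n, perm=perm, comm=comm, path=path, dom=dom, typ=typ)
                   for n, (perm, comm, path, dom, typ) in enumerate([
    ('getattr', 'httpd', APP + 'wsgi.py', 'httpd_t', 'example_wrong_t'),
    ('open', 'httpd', APP + 'wsgi.py', 'httpd_t', 'example_wrong_t'),
    ('read', 'httpd', APP + 'settings.py', 'httpd_t', 'example_wrong_t'),
    ('read', 'otherd', '/tmp/unrelated', 'example_other_t', 'tmp_t'),
]))

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'\bpath="?(?P<path>[^\s"]+)"?.*?'
    r'\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    return context.split(':')[2]


def denials_by_path(text):
    """Map each denied path to the source domains, target types and permissions seen."""
    found = defaultdict(lambda: {'domains': set(), 'types': set(), 'perms': set()})
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # not an AVC denial, or a record with name= instead of path=
            continue
        entry = found[m['path']]
        entry['domains'].add(selinux_type(m['scon']))
        entry['types'].add(selinux_type(m['tcon']))
        entry['perms'].update(m['perms'].split())
    return dict(found)


def relabel_candidates(text, domain='httpd_t', wanted='httpd_sys_script_exec_t'):
    """Paths denied to `domain` whose current type is not `wanted`."""
    return sorted(path for path, e in denials_by_path(text).items()
                  if domain in e['domains'] and wanted not in e['types'])


if __name__ == '__main__':
    for path in relabel_candidates(SAMPLE):
        print(path, denials_by_path(SAMPLE)[path])
```

Feeding it the text of a real `ausearch -m avc -i -ts recent` run after a Puppet run shows whether the two files have reverted to a type other than the one the workaround sets.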
