puppet-dashboard with SELinux enforced


Sans

May 13, 2012, 9:07:53 PM
to puppet...@googlegroups.com
Dear all,

Can anyone please tell me why the Ruby on Rails application is not starting when SELinux is on? This is the error reported in the browser:


The application has exited during startup (i.e. during the evaluation of config/environment.rb). The error message can be found below. To solve this problem, please follow any instructions in the error message.

Error message:
Rails Error: Unable to access log file. Please ensure that /usr/share/puppet-dashboard/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed. Database isn't the current migration version: expected 20120112195235, got 0 You must either run 'rake db:migrate' or set environmental variable NO_MIGRATION_CHECK


Any idea what I am doing wrong? Cheers!!

Brian Gupta

May 14, 2012, 8:08:38 AM
to puppet...@googlegroups.com
I've run into permission errors like this if apparmor is enabled, and not configured for the app I am trying to run. http://en.wikipedia.org/wiki/AppArmor

I'm guessing you need to tell selinux that /usr/share/puppet-dashboard/* is a valid path. (Never used selinux, but my understanding is that apparmor and selinux have similarities.) 

-Brian


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/qXoLkbcvsy8J.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.



Sans

May 27, 2012, 5:52:35 AM
to puppet...@googlegroups.com
Thanks Brian!
I'm still trying to find out how to make it work, with no such joy so far. Anyone from PuppetLab care to comment?

Cheers!!


Iain Sutton

May 27, 2012, 10:48:03 PM
to puppet...@googlegroups.com
If you're running puppet as a daemon with selinux in enforcing mode, I think you may need to run:

setsebool puppetmaster_use_db on

In the current state and presuming that the audit daemon is running, /var/log/audit/audit.log should be reporting which aspect of selinux is preventing the access request.


Sans

May 29, 2012, 7:39:59 PM
to puppet...@googlegroups.com
Thanks nseagoon! But that didn't help. I already did that. And I'm still trying to understand the audit log.
Does anyone have any other suggestion(s) for me? Cheers!!

Romeo Theriault

May 29, 2012, 9:39:04 PM
to puppet...@googlegroups.com
On Tue, May 29, 2012 at 1:39 PM, Sans <r.sant...@gmail.com> wrote:
>
> Thanks nseagoon! But that didn't help. I already did that. And I'm still
> trying to understand the audit log.
> Does anyone have any other suggestion(s) for me? Cheers!!

It may be useful for you to install the 'setroubleshoot' package
(that's what it's called on RHEL anyway). This allows you to run
commands like this:

audit2why -a /var/log/messages
audit2allow -a /var/log/messages

or

audit2why -a /var/log/audit/audit.log
audit2allow -a /var/log/audit/audit.log

to see what selinux settings you may have to change to allow Dashboard
to run. Likely, you'll have to create a custom selinux policy to allow
it to run properly. I found this page helpful on creating custom
policies:

http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html

Good luck!

Romeo
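
Added example (not part of the original thread or of any poster's message): a shell helper that condenses the AVC denial records in /var/log/audit/audit.log, which the replies above point to, into one line per distinct denied access. The sample records, including the httpd_t, usr_t and mysqld_port_t types, are constructed for illustration, and the function names summarize_avc and sample_log are hypothetical.

```shell
#!/bin/sh
# Summarise SELinux AVC denials: one line per distinct denied access.
# Output columns: count source_type target_type class permissions object_name

summarize_avc() {   # $1: file of audit records, e.g. /var/log/audit/audit.log
    awk '
    /type=AVC/ && /denied/ {
        perms = ""; name = "-"; src = ""; tgt = ""; cls = ""
        # Permissions sit between the braces: { write } or { read open }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
            # A context is user:role:type:level; the type drives the decision
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt " " cls " " perms " " name]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample records (not taken from the thread); types are illustrative.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1338320399.101:451): avc:  denied  { write } for  pid=2345 comm="ruby" name="production.log" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1338320399.101:451): arch=c000003e syscall=2 success=no exit=-13 comm="ruby"
type=AVC msg=audit(1338320401.007:452): avc:  denied  { name_connect } for  pid=2345 comm="ruby" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1338320455.310:460): avc:  denied  { write } for  pid=2391 comm="ruby" name="production.log" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
EOF
}

# With a path argument, analyse that log; otherwise run on the constructed sample.
if [ -n "${1:-}" ]; then
    summarize_avc "$1"
else
    tmp=$(mktemp) && sample_log > "$tmp" && summarize_avc "$tmp"; rm -f "$tmp"
fi
```

Run it as root with /var/log/audit/audit.log as the argument, then pass the same log to audit2why as described above to get the explanation for each denial.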