Puppet 3 troubles on F19

Robin Lee Powell rlpowell at digitalkingdom.org
Tue Jul 30 05:10:53 UTC 2013


So I just upgraded to F19, which means I get Puppet 3 (yay!).

I'm running with unconfined disabled.

Unfortunately, it looks like the policy hasn't been updated for
puppet in quite a while.  For example, from
serefpolicy-contrib-3.12.1/puppet.fc (which I got from
selinux-policy-3.12.1-66.fc19.src.rpm) I see:

  /etc/rc\.d/init\.d/puppet       --      gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/puppetmaster --      gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
  /usr/sbin/puppetca      --      gen_context(system_u:object_r:puppetca_exec_t,s0)
  /usr/sbin/puppetd       --      gen_context(system_u:object_r:puppet_exec_t,s0)
  /usr/sbin/puppetmasterd --      gen_context(system_u:object_r:puppetmaster_exec_t,s0)

Not a one of those files exists anymore.

This means that things go quite poorly.  For example, "sudo
systemctl restart puppetmaster.service" gets me:

  type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { open } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
  type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { read } for  pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
  ----
  type=AVC msg=audit(07/29/2013 22:07:49.780:2300369) : avc:  denied  { ioctl } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
  ----
  type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { create } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
  type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { add_name } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=dir
  ----
  type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
  type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc:  denied  { name_bind } for  pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

because it's running as initrc_t instead of puppetmaster_t:

  system_u:system_r:initrc_t:s0   puppet   28307  0.0  0.5 309556 43464 ?        Ssl  22:07   0:00 /usr/bin/ruby-mri /usr/bin/puppet master

My knowledge of puppet is considerable, but my selinux is only
decent.  In particular, the Right Thing here is for the systemd
launch of puppetmaster to put things into the right context, but
I've no idea how to accomplish that.

Is there someone I can work with to fix up this policy?

-Robin
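The mechanism behind the denials above is that the file contexts quoted from puppet.fc no longer match any installed path, so /usr/bin/puppet carries no *_exec_t label, no domain transition fires, and the daemon stays in the caller's domain (initrc_t) when it touches puppet_var_lib_t, puppet_var_run_t and puppet_port_t objects. The following script is an added example, not part of the original post or of the selinux-policy package: it applies the puppet.fc patterns from the post to a path to show that the Puppet 3 binary gets no label, and it parses the AVC records from the post to flag every denial whose source domain is not one of the Puppet domains. The AVC lines are copied from the post, and the set of expected Puppet domains (puppet_t, puppetmaster_t, puppetca_t) is an assumption made for illustration.

```python
"""Diagnose a missed SELinux domain transition from audit AVC records.

Added example for the Puppet-on-F19 report above. The file-context
patterns are the ones quoted from puppet.fc in the post; the AVC records
are the ones from the post; EXPECTED_DOMAINS is an assumption.
"""
import re

# File-context patterns quoted from puppet.fc (regex -> file type).
PUPPET_FC = [
    (r"/etc/rc\.d/init\.d/puppet", "puppet_initrc_exec_t"),
    (r"/etc/rc\.d/init\.d/puppetmaster", "puppetmaster_initrc_exec_t"),
    (r"/usr/sbin/puppetca", "puppetca_exec_t"),
    (r"/usr/sbin/puppetd", "puppet_exec_t"),
    (r"/usr/sbin/puppetmasterd", "puppetmaster_exec_t"),
]

# Domains a Puppet process is expected to run in (assumption for this example).
EXPECTED_DOMAINS = {"puppet_t", "puppetmaster_t", "puppetca_t"}

# Matches the fields we need from an ausearch-style AVC record.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perm>[^}]+)\} for\s+pid=(?P<pid>\d+)"
    r" comm=(?P<comm>\S+).*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+)"
    r" tclass=(?P<tclass>\S+)"
)


def fc_lookup(path, fc=PUPPET_FC):
    """Return the type the fc patterns assign to path, or None when no
    pattern matches the whole path (simplified: patterns are tried in
    order and the last match wins; the patterns here are all literal)."""
    label = None
    for pattern, ftype in fc:
        if re.fullmatch(pattern, path):
            label = ftype
    return label


def parse_avc(lines):
    """Parse AVC records, skipping non-AVC lines such as SOCKADDR."""
    records = []
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perm"] = rec["perm"].strip()
        rec["sdomain"] = rec["scon"].split(":")[2]   # e.g. initrc_t
        rec["ttype"] = rec["tcon"].split(":")[2]     # e.g. puppet_var_lib_t
        records.append(rec)
    return records


def missed_transitions(records, expected=EXPECTED_DOMAINS):
    """Return (pid, sdomain, perm, tclass, ttype) for every denial in which a
    puppet-labelled object was touched from a domain outside `expected`.
    That is the signature of a process that stayed in its caller's domain
    because its executable carried no *_exec_t label to transition on."""
    return [
        (r["pid"], r["sdomain"], r["perm"], r["tclass"], r["ttype"])
        for r in records
        if r["ttype"].startswith("puppet") and r["sdomain"] not in expected
    ]


# AVC records copied from the post (one SOCKADDR line included to show it is skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { open } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { read } for  pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { create } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc:  denied  { name_bind } for  pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
""".splitlines()


if __name__ == "__main__":
    for path in ("/usr/sbin/puppetmasterd", "/usr/bin/puppet"):
        print(f"{path}: {fc_lookup(path) or 'no puppet.fc match -> no exec label, no transition'}")
    for finding in missed_transitions(parse_avc(SAMPLE_AUDIT)):
        print("missed transition:", finding)
```

Running it shows /usr/sbin/puppetmasterd mapping to puppetmaster_exec_t while /usr/bin/puppet matches nothing, and all four AVC denials flagged as initrc_t touching puppet_* objects, which is what the ps line in the post confirms directly. The same parse can be pointed at `ausearch -m avc -i` output to check whether a policy update actually moved the process into puppetmaster_t.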
