Puppet 3 troubles on F19
Miroslav Grepl
mgrepl at redhat.com
Tue Jul 30 06:56:39 UTC 2013
On 07/30/2013 07:10 AM, Robin Lee Powell wrote:
> So I just upgraded to F19, which means I get Puppet 3 (yay!).
>
> I'm running with unconfined disabled.
>
> Unfortunately, it looks like the policy hasn't been updated for
> puppet in quite a while. For example, from
> serefpolicy-contrib-3.12.1/puppet.fc (which I got from
> selinux-policy-3.12.1-66.fc19.src.rpm ) I see:
>
> /etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
>
> /usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
> /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
> /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>
> Not a one of those files exists anymore.
>
> This means that things go quite poorly. For example, "sudo
> systemctl restart puppetmaster.service" gets me:
>
> type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc: denied { open } for pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
> type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc: denied { read } for pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
> ----
> type=AVC msg=audit(07/29/2013 22:07:49.780:2300369) : avc: denied { ioctl } for pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
> ----
> type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc: denied { create } for pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
> type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc: denied { add_name } for pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=dir
> ----
> type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
> type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc: denied { name_bind } for pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
>
> because it's running as initrc_t instead of puppetmaster_t:
>
> system_u:system_r:initrc_t:s0 puppet 28307 0.0 0.5 309556 43464 ? Ssl 22:07 0:00 /usr/bin/ruby-mri /usr/bin/puppet master
>
> My knowledge of puppet is considerable, but my selinux is only
> decent. In particular, the Right Thing here is for the systemd
> launch of puppetmaster to put things into the right context, but
> I've no idea how to accomplish that.
>
> Is there someone I can work with to fix up this policy?
>
> -Robin
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Could you please open a new bug with updated paths.
Thank you.
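As an added example for the report above (not code from the thread, from selinux-policy or from Puppet), here is a small Python checker that parses .fc entries like the ones quoted, recovers the literal path from each regex, and reports which paths no longer exist on the box, which is exactly the list the bug needs. The five puppet entries in the sample are the ones quoted in the thread; the /var/lib/puppet(/.*)? entry, the file name fc_check.py and the fake filesystem used for the demo are constructed for illustration.

```python
"""Report stale SELinux file-context (.fc) entries.

Added example for this thread; not code from selinux-policy or Puppet.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Sample input: the five puppet.fc lines quoted in the thread, plus one
# constructed regex entry so that pattern handling is exercised too.
SAMPLE_FC = r"""
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)

/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
"""

# <regex> [-- | -d | -c | -b | -s | -l | -p] gen_context(...) | <<none>>
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(gen_context\(.*\)|<<none>>)\s*$")
REGEX_META = set(".*?+()[]{}|^$")
QUANTIFIERS = set("*?+{")  # apply to the preceding char, so it is not literal either


@dataclass
class FcEntry:
    pattern: str            # regex exactly as written in the .fc file
    ftype: Optional[str]    # "--" file, "-d" dir, ... ; None means any type
    context: str            # gen_context(...) or <<none>>
    literal: Optional[str]  # plain path when the regex has no metacharacters
    prefix: str             # literal leading part of the path


def _unescape(pattern: str):
    """Return (literal path or None, literal prefix) for an .fc regex."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # escaped char is literal
            out.append(pattern[i + 1])
            i += 2
            continue
        if ch in REGEX_META:                      # first metachar ends the prefix
            cut = len(out) - 1 if ch in QUANTIFIERS and out else len(out)
            return None, "".join(out[:cut])
        out.append(ch)
        i += 1
    path = "".join(out)
    return path, path


def parse_fc(text: str) -> List[FcEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and the m4 ifdef(...)/') wrappers real .fc files use.
        if not line or line.startswith(("#", "ifdef(", "')")):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable .fc line: {raw!r}")
        pattern, ftype, context = m.groups()
        literal, prefix = _unescape(pattern)
        entries.append(FcEntry(pattern, ftype, context, literal, prefix))
    return entries


def check_entries(entries, exists: Callable[[str], bool] = os.path.lexists) -> Dict[str, str]:
    """Map each .fc pattern to present/stale (literal) or pattern-ok/pattern-stale."""
    report = {}
    for e in entries:
        if e.literal is not None:
            report[e.pattern] = "present" if exists(e.literal) else "stale"
        else:
            # For a regex only the literal prefix (or its parent dir) can be checked.
            ok = exists(e.prefix) or exists(os.path.dirname(e.prefix))
            report[e.pattern] = "pattern-ok" if ok else "pattern-stale"
    return report


def stale_paths(text: str, exists: Callable[[str], bool] = os.path.lexists) -> List[str]:
    """Literal paths (or regex prefixes) whose .fc entries point at nothing."""
    entries = parse_fc(text)
    report = check_entries(entries, exists)
    return sorted((e.literal or e.prefix) for e in entries if report[e.pattern].endswith("stale"))


if __name__ == "__main__":
    # With a file argument check a real .fc file; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FC
    for pattern, status in check_entries(parse_fc(text)).items():
        print(f"{status:14} {pattern}")
```

Run it as `python fc_check.py serefpolicy-contrib-3.12.1/puppet.fc` on the affected machine and paste the `stale` lines into the bug. Two caveats: the checker only tells you which labels point at nothing, not which type the replacement binary should get; and, as the ps line above shows, Puppet 3 starts both agent and master from the same /usr/bin/puppet, so a single exec label on that file cannot put the agent into puppet_t and the master into puppetmaster_t, which is a point the bug report should state explicitly.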