Puppet 3 troubles on F19

Miroslav Grepl mgrepl at redhat.com
Tue Jul 30 06:56:39 UTC 2013


On 07/30/2013 07:10 AM, Robin Lee Powell wrote:
> So I just upgraded to F19, which means I get Puppet 3 (yay!).
>
> I'm running with unconfined disabled.
>
> Unfortunately, it looks like the policy hasn't been updated for
> puppet in quite a while.  For example, from
> serefpolicy-contrib-3.12.1/puppet.fc (which I got from
> selinux-policy-3.12.1-66.fc19.src.rpm  ) I see:
>
>    /etc/rc\.d/init\.d/puppet       --      gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
>    /etc/rc\.d/init\.d/puppetmaster --      gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
>    
>    /usr/sbin/puppetca      --      gen_context(system_u:object_r:puppetca_exec_t,s0)
>    /usr/sbin/puppetd       --      gen_context(system_u:object_r:puppet_exec_t,s0)
>    /usr/sbin/puppetmasterd --      gen_context(system_u:object_r:puppetmaster_exec_t,s0)
>
> Not a one of those files exists anymore.
>
> This means that things go quite poorly.  For example, "sudo
> systemctl restart puppetmaster.service" gets me:
>
>    type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { open } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
>    type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { read } for  pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
>    ----
>    type=AVC msg=audit(07/29/2013 22:07:49.780:2300369) : avc:  denied  { ioctl } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
>    ----
>    type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { create } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
>    type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { add_name } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=dir
>    ----
>    type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
>    type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc:  denied  { name_bind } for  pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
>
> because it's running as initrc_t instead of puppetmaster_t:
>
>    system_u:system_r:initrc_t:s0   puppet   28307  0.0  0.5 309556 43464 ?        Ssl  22:07   0:00 /usr/bin/ruby-mri /usr/bin/puppet master
>
> My knowledge of puppet is considerable, but my selinux is only
> decent.  In particular, the Right Thing here is for the systemd
> launch of puppetmaster to put things into the right context, but
> I've no idea how to accomplish that.
>
> Is there someone I can work with to fix up this policy?
>
> -Robin
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Could you please open a new bug with the updated paths?

Thank you.
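The diagnosis in the quoted post has two halves: the puppet.fc entries name paths that no longer exist, so nothing gets the `*_exec_t` label and the daemon never transitions out of initrc_t, and the AVC records show initrc_t being denied access to puppet_var_lib_t, puppet_var_run_t and puppet_port_t. The script below is an added example (not code from the selinux list, the selinux-policy package or Puppet) that automates both checks so they can be pasted into the bug Miroslav asks for: it parses the .fc lines quoted above, reports which literal paths are absent, derives the domains the policy intended from the `foo_exec_t` entries (the refpolicy convention that `foo_exec_t` is the entrypoint of `foo_t` is an assumption stated in the code), and summarizes the denials by source domain. The .fc and AVC samples are constructed from the post; the `exists` predicate is a hook so the check can run against constructed data as well as the live filesystem. One caveat a relabel-only fix cannot address: the ps line in the post shows both roles living in one binary (`/usr/bin/puppet master`), so a single file context on `/usr/bin/puppet` cannot choose between puppet_t and puppetmaster_t; that is why this needs a policy change rather than a local `semanage fcontext` entry.

```python
"""Check stale SELinux file-context (.fc) entries and summarize AVC denials.

Added example, not part of the selinux-policy project.  All sample data below
is constructed from the mailing-list post.
"""
import os
import re
from collections import Counter

# Constructed sample: the puppet.fc lines quoted in the post (raw string, so
# the .fc regex escapes survive as written).
PUPPET_FC = r"""
/etc/rc\.d/init\.d/puppet       --      gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster --      gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)

/usr/sbin/puppetca      --      gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/sbin/puppetd       --      gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd --      gen_context(system_u:object_r:puppetmaster_exec_t,s0)
"""

# Constructed sample: AVC records in `ausearch -i` form, taken from the post.
AVC_SAMPLE = r"""
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { open } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { read } for  pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { create } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc:  denied  { name_bind } for  pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
"""

# .fc line: <regex> [<file-type flag>] gen_context(<context>,<mls>)
FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"gen_context\((?P<ctx>[^,)]+),(?P<mls>[^)]*)\)\s*$")
AVC_LINE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?\bcomm=(?P<comm>\S+).*?"
    r"\bscontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")
# Unescaped regex metacharacters: if present, the entry is a pattern, not a path.
_META = re.compile(r"(?<!\\)[.*+?()\[\]{}|^$]")


def parse_fc(text):
    """Return (regex, file-type flag, SELinux type) for each .fc entry."""
    entries = []
    for line in text.splitlines():
        m = FC_LINE.match(line.strip())
        if m:
            entries.append((m["regex"], m["ftype"] or "", m["ctx"].split(":")[2]))
    return entries


def literal_path(fc_regex):
    """Turn an anchored .fc regex back into a plain path, or None if it
    contains unescaped metacharacters (then it covers many paths)."""
    if _META.search(fc_regex):
        return None
    return re.sub(r"\\(.)", r"\1", fc_regex)


def stale_entries(entries, exists=os.path.exists):
    """Entries whose literal path is absent: nothing can carry that label."""
    stale = []
    for fc_regex, _ftype, setype in entries:
        path = literal_path(fc_regex)
        if path is not None and not exists(path):
            stale.append((path, setype))
    return stale


def parse_avc(text):
    """Extract permissions, comm, source domain, target type and class."""
    records = []
    for line in text.splitlines():
        m = AVC_LINE.search(line)
        if m:
            records.append({
                "perms": m["perms"].split(),
                "comm": m["comm"],
                "domain": m["sctx"].split(":")[2],
                "target_type": m["tctx"].split(":")[2],
                "tclass": m["tclass"],
            })
    return records


def expected_domains(entries):
    """Assumption (refpolicy convention): foo_exec_t is the entrypoint of
    domain foo_t.  *_initrc_exec_t entries label init scripts and are skipped."""
    return {t[:-len("_exec_t")] + "_t" for _, _, t in entries
            if t.endswith("_exec_t") and not t.endswith("_initrc_exec_t")}


def diagnose(fc_text, avc_text, exists=os.path.exists):
    """Cross-check the .fc entries against the filesystem and the AVC log."""
    entries = parse_fc(fc_text)
    records = parse_avc(avc_text)
    wanted = expected_domains(entries)
    actual = Counter(r["domain"] for r in records)
    denials = Counter((r["domain"], r["tclass"], p)
                      for r in records for p in r["perms"])
    return {
        "stale": stale_entries(entries, exists),
        "expected_domains": wanted,
        "actual_domains": set(actual),
        # True when every denial comes from initrc_t and none from a puppet domain.
        "fell_back_to_initrc": "initrc_t" in actual and not (set(actual) & wanted),
        "denials": denials,
    }


if __name__ == "__main__":
    report = diagnose(PUPPET_FC, AVC_SAMPLE)
    for path, setype in report["stale"]:
        print(f"stale: {path} (would be labelled {setype})")
    print("expected domains:", sorted(report["expected_domains"]))
    print("actual domains:  ", sorted(report["actual_domains"]))
    print("fell back to initrc_t:", report["fell_back_to_initrc"])
    for (dom, cls, perm), n in sorted(report["denials"].items()):
        print(f"{dom} denied {perm} on {cls} x{n}")
```

Run on a real host, replace `PUPPET_FC` with the contents of the installed puppet.fc and `AVC_SAMPLE` with `ausearch -m avc -i -c ruby-mri` output; the stale list plus the expected/actual domain mismatch is the concrete content a policy maintainer needs in the bug.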