On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
> Hello,
> I have an Enterprise Linux 6 machine, managed by Puppet, enforcing the
> target policy, for which Puppet manages a bunch of contexts and
> policies, but the following message occurs when it attempts to do so:
> type=AVC msg=audit(1330511088.080:1757): avc: denied { write }
> for pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0"
> dev=dm-0 ino=1572875
> scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
Could you attach the full AVC message? I am interested in the "syscall" and
"success" fields.
It looks like a leaked file descriptor.
> The following is a reference to what Puppet is trying to do:
> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
> In short, I'm installing custom built mailman packages so that I can
> have devel@project1 alongside devel@project2 mailing lists by
> installing dedicated mailman instances for project1 and project2. The
> Puppet module I'm referring to attempts to apply the necessary SELinux
> contexts to the files deployed with each RPM package.
> I'm wondering what is causing the denial (or, why semanage needs
> something in /tmp/ with the name of puppet in it) as well as what to
> do about it - it doesn't seem to be blocking Puppet from achieving the
> goal of adding new file_contexts for these custom packages.
> Kind regards,
> Jeroen van Meeuwen
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
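Added example, not code from this thread, from Puppet or from the SELinux tools: a small Python script that groups audit records by their serial number (the ":1757" in msg=audit(...)) and reads off the two fields asked for above. The AVC line is the one posted; the SYSCALL record paired with it is constructed to show what "ausearch -i -a 1757" would return, assuming an x86_64 host (syscall 59 is execve there; the arch table is an assumption limited to x86). The diagnosis it encodes: an AVC logged on an execve that reports success=yes is the kernel revalidating a file descriptor the parent left open across the domain transition into semanage_t; the exec goes ahead with that fd closed for the new domain, which is consistent with Puppet still finishing its work. The cure for that case is close-on-exec in the caller, not the allow rule audit2allow would print.

```python
"""Pair SELinux AVC records with their SYSCALL record and classify the denial.

Added example; not code from the mailing-list thread or from Puppet.
"""
import re
from collections import defaultdict

# execve syscall number per audit arch code (assumption: only x86 arches covered)
EXECVE_BY_ARCH = {"c000003e": 59, "40000003": 11}   # x86_64, i386

# Constructed sample event: the AVC posted in the thread plus a SYSCALL record
# written to look like what ausearch would pair with it on x86_64 (assumption:
# ppid=8297 matches the pid embedded in the temp file name, i.e. the Puppet agent).
SAMPLE_LOG = """\
type=AVC msg=audit(1330511088.080:1757): avc:  denied  { write } for  pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330511088.080:1757): arch=c000003e syscall=59 success=yes exit=0 a0=1bd3c30 a1=1bd3a90 a2=1bd2e50 a3=8 items=0 ppid=8297 pid=9222 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*)\}')


def parse_events(text):
    """Group raw audit records by serial; each event holds its AVC(s) and SYSCALL."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        fields["_ts"] = ts
        if rtype == "AVC":
            perms = PERMS_RE.search(body)
            fields["_perms"] = perms.group(1).split() if perms else []
            events[serial]["AVC"].append(fields)
        elif rtype == "SYSCALL":
            events[serial]["SYSCALL"] = fields
    return dict(events)


def type_of(context):
    """Type component of a context: user_tmp_t from unconfined_u:object_r:user_tmp_t:s0."""
    return context.split(":")[2]


def classify(event):
    """Diagnose one event: leaked fd at domain transition, blocked call, or plain denial."""
    avc = event["AVC"][0]
    sc = event["SYSCALL"]
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    diag = {
        "source_type": src, "target_type": tgt, "tclass": avc["tclass"],
        "perms": avc["_perms"], "path": avc.get("path"),
        # what audit2allow would emit; for a leaked fd this is the wrong fix
        "allow_rule": "allow %s %s:%s { %s };" % (src, tgt, avc["tclass"], " ".join(avc["_perms"])),
    }
    if sc is None:
        diag["verdict"] = "incomplete"
        diag["reason"] = "no SYSCALL record; fetch it with 'ausearch -i -a <serial>' to see syscall and success"
        return diag
    nr, success = int(sc.get("syscall", -1)), sc.get("success")
    diag.update(syscall=nr, success=success, exe=sc.get("exe"), ppid=sc.get("ppid"))
    if nr == EXECVE_BY_ARCH.get(sc.get("arch")) and success == "yes":
        diag["verdict"] = "leaked_fd"
        diag["reason"] = ("AVC raised during a successful execve: %s inherited an open fd on %s from "
                          "its parent (pid %s) and the kernel revalidated it for the new domain; the "
                          "exec proceeded with the fd closed. Fix the parent to set close-on-exec."
                          % (src, diag["path"], diag["ppid"]))
    elif success == "no":
        diag["verdict"] = "blocked"
        diag["reason"] = "the call failed; %s really needs %s on %s" % (src, " ".join(avc["_perms"]), tgt)
    else:
        diag["verdict"] = "direct_denial"
        diag["reason"] = "denied on syscall %d while the call still returned success" % nr
    return diag


if __name__ == "__main__":
    for serial, ev in parse_events(SAMPLE_LOG).items():
        d = classify(ev)
        print(serial, d["verdict"])
        print("  ", d["reason"])
        print("   audit2allow would print:", d["allow_rule"])
```

Run it against a real log by replacing SAMPLE_LOG with the output of "ausearch -m AVC,SYSCALL -ts recent"; any event that comes back without a SYSCALL record is reported as incomplete rather than guessed at, since that is exactly the information the reply above asks for.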