On 02/29/2012 07:06 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
> On 2012-02-29 14:00, Miroslav Grepl wrote:
>> On 02/29/2012 10:32 AM, Jeroen van Meeuwen (Kolab Systems) wrote:
>>> Hello,
>>>
>>> I have an Enterprise Linux 6 machine, managed by Puppet, enforcing the target policy, for which Puppet manages a bunch of contexts and policies, but the following message occurs when it attempts to do so:
>>>
>>> type=AVC msg=audit(1330511088.080:1757): avc: denied { write } for pid=9222 comm="semanage" path="/tmp/puppet20120229-8297-bjmcbp-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
>>
>> Could you attach the full AVC message? I am interested in the "syscall" and "success" fields.
>>
>> It looks like a leaked file descriptor.
>>
>
> I believe this is everything, but if not, please point me in the right direction:
>
> type=AVC msg=audit(1330454003.144:529): avc: denied { write } for pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
> type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
>
> Thanks,
>
>>>
>>> The following is a reference to what Puppet is trying to do:
>>>
>>> http://git.puppetmanaged.org/?p=mail;a=blob;f=manifests/init.pp;h=2b25c58d1ee68c9391344e8ebebe5493a2bbeb11;hb=fc1a6a3814e01d6b521472b26fce6f35273c1e49#l98
>>>
>>> In short, I'm installing custom-built mailman packages so that I can have devel@project1 alongside devel@project2 mailing lists by installing dedicated mailman instances for project1 and project2. The Puppet module I'm referring to attempts to apply the necessary SELinux contexts to the files deployed with each RPM package.
>>>
>>> I'm wondering what is causing the denial (or, why semanage needs something in /tmp/ with the name of puppet in it) as well as what to do about it - it doesn't seem to be blocking Puppet from achieving the goal of adding new file_contexts for these custom packages.
>>>
>>> Kind regards,
>>>
>>> Jeroen van Meeuwen
>>>
>
> Kind regards,
>
> Jeroen van Meeuwen
>

Puppet is creating a log file in /tmp that it is then handing to semanage as its stdout. SELinux is blocking the tool's ability to write to stdout, and SELinux is just replacing the /tmp file with /dev/null. So semanage is succeeding, but an ugly AVC is created.

Miroslav, we probably should go through policy and allow domains to write to inherited user_tmp_t files, which would solve the Puppet problem.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
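As an added example that is not part of the original thread: a small Python checker that applies the reasoning of this reply to the two audit records quoted above, joining the AVC to its SYSCALL record by event id and flagging a file write denial attached to a successful execve (syscall 59 on arch c000003e) as an inherited, leaked descriptor rather than a blocked operation. The sample log text is constructed from the records quoted in the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC and SYSCALL records quoted in the thread (same event id 529).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1330454003.144:529): avc:  denied  { write } for  pid=16025 comm="semanage" path="/tmp/puppet20120228-15545-zg7uoe-0" dev=dm-0 ino=1572875 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1330454003.144:529): arch=c000003e syscall=59 success=yes exit=0 a0=1007110 a1=1007c90 a2=1006c00 a3=7fff5e096620 items=0 ppid=16022 pid=16025 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="semanage" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value or key="value"
PERM_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")          # { write } -> ["write"]
EXECVE_X86_64 = "59"                                           # execve on arch=c000003e


def parse_records(text):
    """Group raw audit lines by event serial into {"AVC": [fields...], "SYSCALL": fields}."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("type") == "AVC":
            fields["perms"] = PERM_RE.search(line).group(1).split()
            events[m.group(2)]["AVC"].append(fields)
        elif fields.get("type") == "SYSCALL":
            events[m.group(2)]["SYSCALL"] = fields
    return events


def classify_leaked_fds(text):
    """Return (event_id, comm, path) for denials matching the inherited-fd pattern:
    a read/write denial on a file whose SYSCALL record is a *successful* execve.
    The exec went ahead; the kernel closed the unreadable/unwritable inherited
    descriptor and replaced it with /dev/null, so the AVC is noise, not a block."""
    hits = []
    for eid, ev in parse_records(text).items():
        sc = ev["SYSCALL"]
        if not sc or sc.get("arch") != "c000003e":
            continue
        if sc.get("syscall") != EXECVE_X86_64 or sc.get("success") != "yes":
            continue
        for avc in ev["AVC"]:
            if avc.get("tclass") == "file" and {"read", "write"} & set(avc["perms"]):
                hits.append((eid, avc.get("comm"), avc.get("path")))
    return hits
```

A denial whose SYSCALL record is not execve, or that shows success=no, does not match and should be investigated as a real block.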