Re: Puppet 3 troubles on F19

On 07/30/2013 07:10 AM, Robin Lee Powell wrote:
So I just upgraded to F19, which means I get Puppet 3 (yay!).

I'm running with unconfined disabled.

Unfortunately, it looks like the policy hasn't been updated for
puppet in quite a while.  For example, from
serefpolicy-contrib-3.12.1/puppet.fc (which I got from
selinux-policy-3.12.1-66.fc19.src.rpm) I see:

   /etc/rc\.d/init\.d/puppet       --      gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
   /etc/rc\.d/init\.d/puppetmaster --      gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
   /usr/sbin/puppetca              --      gen_context(system_u:object_r:puppetca_exec_t,s0)
   /usr/sbin/puppetd               --      gen_context(system_u:object_r:puppet_exec_t,s0)
   /usr/sbin/puppetmasterd         --      gen_context(system_u:object_r:puppetmaster_exec_t,s0)

Not a one of those files exists anymore.

This means that things go quite poorly.  For example, "sudo
systemctl restart puppetmaster.service" gets me:

   type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { open } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
   type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { read } for  pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
   ----
   type=AVC msg=audit(07/29/2013 22:07:49.780:2300369) : avc:  denied  { ioctl } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
   ----
   type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { create } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
   type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc:  denied  { add_name } for  pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=dir
   ----
   type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
   type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc:  denied  { name_bind } for  pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket

because it's running as initrc_t instead of puppetmaster_t:

   system_u:system_r:initrc_t:s0   puppet   28307  0.0  0.5 309556 43464 ?        Ssl  22:07   0:00 /usr/bin/ruby-mri /usr/bin/puppet master

My knowledge of puppet is considerable, but my selinux is only
decent.  In particular, the Right Thing here is for the systemd
launch of puppetmaster to put things into the right context, but
I've no idea how to accomplish that.

Is there someone I can work with to fix up this policy?

-Robin

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

Could you please open a new bug with updated paths.

Thank you.
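
The denials Robin quotes all share one source context, initrc_t, while the target types (puppet_var_lib_t, puppet_var_run_t, puppet_port_t) are already the puppet-specific ones. That pattern points at a missing domain transition (the master's binary no longer carries an exec label the policy knows about) rather than a missing allow rule, so feeding the records to audit2allow would only grant initrc_t permissions it should never have. The script below is an added triage helper, not part of this thread or of the Fedora policy package: it reduces audit records to (source domain, target type, class, permission) tuples and checks whether every denial came from the domain the daemon is supposed to run in. The sample records are constructed in the shape of the ones quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: triage AVC records for a wrong-domain daemon.
# Constructed sample in the shape of the records quoted in the post
# (two AVC records and one SOCKADDR record, which must be ignored).
SAMPLE_AVC='type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc:  denied  { open } for  pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc:  denied  { name_bind } for  pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140'

# avc_summary: read audit records on stdin and print one line per distinct
# "<source domain> <target type> <class> <permissions>" tuple.
# Only type=AVC records are considered; the type is the third field of a
# user:role:type:level context.
avc_summary() {
    awk '
        /^type=AVC/ {
            perm = ""; sdom = ""; ttype = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    # collect everything between { and } as the permission set
                    j = i + 1
                    while (j <= NF && $j != "}") {
                        perm = perm (perm == "" ? "" : ",") $j
                        j++
                    }
                }
                if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); sdom = p[3] }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); ttype = p[3] }
                if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            print sdom, ttype, cls, perm
        }' | sort -u
}

# avc_domain_check EXPECTED: read audit records on stdin; return 0 when every
# denial originates from the EXPECTED source domain, otherwise print the
# offending domains and return 1. A daemon whose denials all come from a
# generic domain (initrc_t here) has not transitioned into its own domain.
avc_domain_check() {
    expected=$1
    offenders=$(avc_summary | awk -v e="$expected" '$1 != e { print $1 }' | sort -u)
    if [ -n "$offenders" ]; then
        printf 'unexpected source domain(s): %s\n' "$offenders"
        return 1
    fi
    return 0
}

# Stand-alone usage: summarise the sample, then check it against the domain
# the master is meant to run in.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
if ! printf '%s\n' "$SAMPLE_AVC" | avc_domain_check puppetmaster_t; then
    echo "master is not confined as puppetmaster_t; check the label on its binary, not the allow rules"
fi
```

On a live host the same functions work over `ausearch -m avc -ts recent`; a summary whose source column is entirely initrc_t, with correctly typed targets, is the signal to look at `ls -Z` on the daemon binary and the policy's file contexts rather than at audit2allow output.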