Old 08-22-2011, 03:41 PM
Erinn Looney-Triggs
 
Default Puppet SELinux denials, anyone else seeing this

Just wondered if anyone else was running into issues with puppetmaster
and SELinux:

rpm -q puppet-server
puppet-server-2.6.6-1.el6.noarch

sudo service puppetmaster restart
Stopping puppetmaster:
Starting puppetmaster:
puppetmasterd/usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:101:in
`register_xmlrpc': uninitialized constant Puppet::Network::Handler
(NameError)
from /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:100:in
`each'
from /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:100:in
`register_xmlrpc'
from /usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:68:in
`initialize'
from
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:104:in `new'
from
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:104:in `main'
from
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:46:in `run_command'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:304:in `run'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:410:in
`exit_on_fail'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:304:in `run'
from /usr/sbin/puppetmasterd:4

And then a slew of SELinux errors:
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.587:15661): item=1
name=(null) inode=1 dev=00:00 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:sysfs_t:s0
node=example.com type=PATH msg=audit(1314027487.587:15661): item=0
name="./sys/admin.rb"
node=example.com type=CWD msg=audit(1314027487.587:15661): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.587:15661):
arch=c000003e syscall=4 success=no exit=-13 a0=7fdbe8bbb780
a1=7fffadb95820 a2=7fffadb95820 a3=a items=2 ppid=21923 pid=21924
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts5 ses=1001 comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.587:15661): avc: denied
{ search } for pid=21924 comm="puppetmasterd" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.588:15662): item=1
name=(null) inode=1 dev=00:00 mode=040755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:sysfs_t:s0
node=example.com type=PATH msg=audit(1314027487.588:15662): item=0
name="./sys/admin.so"
node=example.com type=CWD msg=audit(1314027487.588:15662): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.588:15662):
arch=c000003e syscall=4 success=no exit=-13 a0=7fdbe8bbb780
a1=7fffadb95820 a2=7fffadb95820 a3=a items=2 ppid=21923 pid=21924
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts5 ses=1001 comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.588:15662): avc: denied
{ search } for pid=21924 comm="puppetmasterd" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.832:15663): item=0
name="/usr/bin/chage" inode=3672318 dev=fd:00 mode=0104755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0
node=example.com type=CWD msg=audit(1314027487.832:15663): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.832:15663):
arch=c000003e syscall=4 success=no exit=-13 a0=c65090 a1=7fffadb72020
a2=7fffadb72020 a3=81 items=1 ppid=21923 pid=21924 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1001
comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.832:15663): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.839:15664): item=0
name="/usr/bin/chage" inode=3672318 dev=fd:00 mode=0104755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0
node=example.com type=CWD msg=audit(1314027487.839:15664): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.839:15664):
arch=c000003e syscall=4 success=no exit=-13 a0=c271f0 a1=7fffadb71fd0
a2=7fffadb71fd0 a3=81 items=1 ppid=21923 pid=21924 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1001
comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.839:15664): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.842:15665): item=0
name="/usr/bin/chage" inode=3672318 dev=fd:00 mode=0104755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0
node=example.com type=CWD msg=audit(1314027487.842:15665): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.842:15665):
arch=c000003e syscall=4 success=no exit=-13 a0=fe0cc0 a1=7fffadb66a50
a2=7fffadb66a50 a3=81 items=1 ppid=21923 pid=21924 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1001
comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.842:15665): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.844:15666): item=0
name="/usr/bin/chage" inode=3672318 dev=fd:00 mode=0104755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0
node=example.com type=CWD msg=audit(1314027487.844:15666): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.844:15666):
arch=c000003e syscall=4 success=no exit=-13 a0=94ee50 a1=7fffadb59300
a2=7fffadb59300 a3=81 items=1 ppid=21923 pid=21924 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1001
comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.844:15666): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.847:15667): item=0
name="/usr/bin/chage" inode=3672318 dev=fd:00 mode=0104755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0
node=example.com type=CWD msg=audit(1314027487.847:15667): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.847:15667):
arch=c000003e syscall=4 success=no exit=-13 a0=d4c5f0 a1=7fffadb5a270
a2=7fffadb5a270 a3=81 items=1 ppid=21923 pid=21924 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1001
comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.847:15667): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=PATH msg=audit(1314027487.848:15668): item=0
name="/usr/bin/chage" inode=3672318 dev=fd:00 mode=0104755 ouid=0 ogid=0
rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0
node=example.com type=CWD msg=audit(1314027487.848:15668): cwd="/"
node=example.com type=SYSCALL msg=audit(1314027487.848:15668):
arch=c000003e syscall=4 success=no exit=-13 a0=aa8d80 a1=7fffadb56c00
a2=7fffadb56c00 a3=81 items=1 ppid=21923 pid=21924 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=1001
comm="puppetmasterd" exe="/usr/bin/ruby"
subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
node=example.com type=AVC msg=audit(1314027487.848:15668): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file


Anyone else? Just want to confirm before I file a bug.

Thanks,

-Erinn

_______________________________________________
epel-devel-list mailing list
epel-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/epel-devel-list
 
Old 08-22-2011, 03:45 PM
Jonathan Underwood
 
Default Puppet SELinux denials, anyone else seeing this

On 22 August 2011 16:41, Erinn Looney-Triggs
<erinn.looneytriggs@gmail.com> wrote:
> Just wondered if anyone else was running into issues with puppetmaster
> and SELinux:
>
> rpm -q puppet-server
> puppet-server-2.6.6-1.el6.noarch

Yep, I had to generate a local puppet module to get this puppet
package working on el6:

module puppetlocal 1.0;

require {
	type puppetmaster_t;
	type puppet_var_lib_t;
	type cobblerd_t;
	type httpd_sys_content_t;
	type node_t;
	type sysfs_t;
	type port_t;
	type cert_t;
	class dir { remove_name search };
	class udp_socket { name_bind node_bind };
	class file { create setattr };
}

#============= cobblerd_t ==============
#!!!! This avc is allowed in the current policy
allow cobblerd_t cert_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:dir remove_name;
#!!!! This avc is allowed in the current policy
allow cobblerd_t httpd_sys_content_t:file { create setattr };
#!!!! This avc is allowed in the current policy
allow cobblerd_t puppet_var_lib_t:dir search;
#!!!! This avc is allowed in the current policy
allow cobblerd_t sysfs_t:dir search;

#============= puppetmaster_t ==============
# Let the puppetmaster domain bind a UDP socket to a generic port on this node.
allow puppetmaster_t node_t:udp_socket node_bind;
allow puppetmaster_t port_t:udp_socket name_bind;

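Jonathan's module above has the shape that audit2allow produces from records like the ones Erinn posted: the denied permissions are grouped by source type, target type and object class, each group becomes one allow rule, and the types and classes those rules touch are collected into the require block. The script below is an added example, not code from this thread or from the puppet or audit2allow projects; it performs that grouping step on an abridged, constructed copy of the thread's own AVC records so that one can see exactly which rules a log justifies before deciding whether each one belongs in a local module. The function names, the SAMPLE text and the optional already_allowed set are all this example's assumptions.

```python
"""Summarise SELinux AVC denials into audit2allow-style allow rules.
Added example; it reassembles wrapped ausearch records, keeps the type=AVC
ones and groups denials by (source type, target type, class, permission)."""
import re
from collections import Counter, OrderedDict

# Fields of one AVC record once its wrapped lines are joined with spaces.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Constructed sample: an abridged copy of the records quoted in the thread.
SAMPLE = """\
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=CWD msg=audit(1314027487.587:15661): cwd="/"
node=example.com type=AVC msg=audit(1314027487.587:15661): avc: denied
{ search } for pid=21924 comm="puppetmasterd" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=AVC msg=audit(1314027487.588:15662): avc: denied
{ search } for pid=21924 comm="puppetmasterd" name="/" dev=sysfs ino=1
scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Mon Aug 22 15:38:07 2011
node=example.com type=AVC msg=audit(1314027487.832:15663): avc: denied
{ getattr } for pid=21924 comm="puppetmasterd" path="/usr/bin/chage"
dev=dm-0 ino=3672318 scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
"""


def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def reassemble_records(text):
    """Join ausearch's wrapped lines back into one string per audit record."""
    records, current = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("----", "time->")):
            continue
        if line.startswith(("node=", "type=")) and current:  # next record begins
            records.append(" ".join(current))
            current = []
        current.append(line)
    if current:
        records.append(" ".join(current))
    return records


def parse_denials(text):
    """Return one (source, target, tclass, perm) tuple per denied permission."""
    denials = []
    for record in reassemble_records(text):
        match = AVC_RE.search(record) if "type=AVC" in record else None
        if match:
            src, tgt = sel_type(match["scontext"]), sel_type(match["tcontext"])
            denials.extend((src, tgt, match["tclass"], p) for p in match["perms"].split())
    return denials


def perm_set(perms):
    """Format permissions as policy sources do: one bare, several in braces."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def rule_text(entry):
    return f"allow {entry['source']} {entry['target']}:{entry['tclass']} {perm_set(entry['perms'])};"


def summarise(denials, already_allowed=frozenset()):
    """Merge repeated denials into one entry per (source, target, class).
    already_allowed: optional set of rule strings already in the loaded policy
    (assumed to be gathered separately); matching entries are flagged the way
    audit2allow flags them instead of being silently re-added."""
    grouped = OrderedDict()
    for (src, tgt, cls, perm), n in Counter(denials).items():
        grouped.setdefault((src, tgt, cls), Counter())[perm] += n
    entries = []
    for (src, tgt, cls), perms in grouped.items():
        entry = {"source": src, "target": tgt, "tclass": cls,
                 "perms": sorted(perms), "count": sum(perms.values())}
        entry["already_allowed"] = rule_text(entry) in already_allowed
        entries.append(entry)
    return entries


def render_module(name, entries, version="1.0"):
    """Emit .te module source in the layout audit2allow uses."""
    types = sorted({e["source"] for e in entries} | {e["target"] for e in entries})
    classes = OrderedDict()
    for e in entries:
        classes.setdefault(e["tclass"], set()).update(e["perms"])
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {perm_set(sorted(p))};" for c, p in classes.items()]
    lines += ["}", ""]
    for src in OrderedDict.fromkeys(e["source"] for e in entries):
        lines.append(f"#============= {src} ==============")
        for e in (x for x in entries if x["source"] == src):
            if e["already_allowed"]:
                lines.append("#!!!! This avc is allowed in the current policy")
            lines.append(f"# seen {e['count']} time(s) in the audit log")
            lines.append(rule_text(e))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("puppetlocal", summarise(parse_denials(SAMPLE))))
```

Run as a script it prints a module with two rules, `allow puppetmaster_t sysfs_t:dir search;` (seen twice) and `allow puppetmaster_t passwd_exec_t:file getattr;`, which is the review list for the denials in Erinn's log; the per-rule count and the already-allowed flag are what make it easy to spot a rule that is repeated noise versus one that grants a new permission and deserves a look before the module is compiled and loaded.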
 
Old 08-22-2011, 04:14 PM
Orion Poplawski
 
Default Puppet SELinux denials, anyone else seeing this

On 08/22/2011 09:41 AM, Erinn Looney-Triggs wrote:
> Just wondered if anyone else was running into issues with puppetmaster
> and SELinux:
>
> rpm -q puppet-server
> puppet-server-2.6.6-1.el6.noarch
>
> Anyone else? Just want to confirm before I file a bug.

See https://bugzilla.redhat.com/show_bug.cgi?id=718390

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA/CoRA Division FAX: 303-415-9702
3380 Mitchell Lane orion@cora.nwra.com
Boulder, CO 80301 http://www.cora.nwra.com
