Issue #1563 has been updated by seanmil.
It is enough to convince me that the patch won't always suffice. However,
since I don't see a reliable way of working with SELinux-confined processes
using file-based IO I kept digging. I contacted wyvern (from bug 662) and he
told me that the original problem he was having was on Debian Etch with the
osirisd package so I downloaded an Etch installed and created myself a test bed
system. I WAS able to reliably reproduce the problem, both with the original
Puppet code and my patch.
If you add a "require 'io/nonblock'" and a "poutput[0].nonblock = true" before
the first poutput[0].read call then I can not reproduce the
Puppet-freezes-forever problem on the Debian system and it satisfies the
no-tempfile design for SELinux.
There is only one sticking point so far. For the "package { "osirisd": ensure
=> latest }" case listed in 662 the non-blocking I/O method causes the package
installation to not complete successfully. If I add a sleep(10) in between two
successive calls to read then the osirisd package is successfully installed.
Also, if I put a sleep(10) before the first call to read and don't make the
second call then the package is also successfully installed.
I have tried using select() to check and see if there is data waiting to be
read, but it seems to always return that there is.
I'm not sure how to fix that case elegantly yet. There may not be a way other
then to sleep for a few seconds by default (and optionally have a parameter to
specify the sleep delay?). The waitpid2 calls seems to be returning before the
command is really done. I haven't figured that one out yet, but I'll poke at
it a bit more.
----------------------------------------
Bug #1563: [PATCH] Change Util::Execute to use pipes instead of temporary files
for capturing output
http://reductivelabs.com/redmine/issues/show/1563
Author: seanmil
Status: Needs more information
Priority: High
Assigned to: luke
Category: plumbing
Target version: 0.24.6
Complexity: Easy
Affected version: 0.24.5
Keywords: SELinux execute Tempfile
Patch attached to fix reported behavior.
When triggering Puppet runs which included initscript starts/stops I noticed
that I would receive three SELinux AVC denials logged for the process that was
being started/stopped for a file of the form /tmp/puppet.$PID.0. Many of the
system daemons which ship with CentOS 5 have confined SELinux domains which
don't permit access to much of the system - including these Puppet temp files.
Trying to figure out where to create the file (and with which context) for
every service would be impractical (impossible? some services may not have any
context that would be usable for write permissions) so I decided to just
rewrite it to use Unix pipes.
WorksForMe in my testing.
I'm marking this as high because, depending on what commands are being run and
their SELinux policies, this could cause command output to silently disappear
(other then the denials in the logs). This could be very frustrating for
someone who is trying to use that output.
----------------------------------------
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://reductivelabs.com/redmine/my/account
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/puppet-bugs?hl=en
-~----------~----~----~----~------~----~------~--~---
