Issue #1563 has been updated by seanmil.

Are you referring to the patch posted to puppet-dev to close FDs 3 - 256?  If 
so, then that will solve one of the three denial messages I was noticing.  The 
one file descriptor I can tell you that always leaked was the Tempfile created 
in util::execute().  The child process needs to call output_file.close before 
execing but after getting duped on to stdout and stderr.  If it is possible for 
other FDs to leak into the children I haven't noticed it yet.

stdout and stderr are the real "problems".  We either need to decide that 
capturing output is always unnecessary and always call execute with ":squelch = 
true" or make sure the system resource that is passed to the subprocess for 
stdout and stderr will be allowed for write in all SELinux domains.  Unnamed 
pipes seem to be always allowed since that is an extremely common way for two 
programs to talk, which is why I originally went that direction.  Files seem 
doable with a custom policy.  I've made some minimal progress on a puppet 
SELinux policy so far.  I expect/hope to have something simple but functional 
this week.

----------------------------------------
Bug #1563: [PATCH] Change Util::Execute to use pipes instead of temporary files 
for capturing output
http://projects.reductivelabs.com/issues/show/1563

Author: seanmil
Status: Needs more information
Priority: High
Assigned to: luke
Category: plumbing
Target version: 0.24.6
Complexity: Easy
Affected version: 0.24.5
Keywords: SELinux execute Tempfile


Patch attached to fix reported behavior.

When triggering Puppet runs which included initscript starts/stops I noticed 
that I would receive three SELinux AVC denials logged for the process that was 
being started/stopped for a file of the form /tmp/puppet.$PID.0.  Many of the 
system daemons which ship with CentOS 5 have confined SELinux domains which 
don't permit access to much of the system - including these Puppet temp files.

Trying to figure out where to create the file (and with which context) for 
every service would be impractical (impossible?  some services may not have any 
context that would be usable for write permissions) so I decided to just 
rewrite it to use Unix pipes.

WorksForMe in my testing.

I'm marking this as high because, depending on what commands are being run and 
their SELinux policies, this could cause command output to silently disappear 
(other than the denials in the logs).  This could be very frustrating for 
someone who is trying to use that output.
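
The approach discussed in this issue, as an added Ruby example that is not the attached patch or Puppet's own code: the child's stdout and stderr are captured through an unnamed pipe instead of a /tmp file, and the original pipe handle is closed after it has been duplicated onto stdout and stderr and before exec. The helper name `run_with_pipe`, its `squelch:` keyword, and the use of Ruby's `close_others:` exec option to drop other inherited descriptors are assumptions made for this example.

```ruby
# Added example (hypothetical helper, not Puppet's Util.execute).
# Runs a command and captures stdout+stderr through an unnamed pipe, so a
# confined SELinux domain never has to write to a file under /tmp.
def run_with_pipe(*command, squelch: false)
  reader, writer = IO.pipe

  pid = fork do
    reader.close                      # child never reads its own output
    target = squelch ? File.open('/dev/null', 'w') : writer
    $stdout.reopen(target)            # dup the target onto fd 1
    $stderr.reopen(target)            # dup the target onto fd 2
    target.close unless target.equal?(writer)
    writer.close                      # close the original handle after dup, before exec

    begin
      # close_others: true closes every remaining descriptor above fd 2, so
      # nothing else the parent had open is inherited by the new program.
      exec(*command, close_others: true)
    rescue SystemCallError
      exit!(127)                      # exec failed (e.g. command not found)
    end
  end

  writer.close                        # parent must close its write end to see EOF
  output = reader.read                # read before waiting to avoid a full-pipe stall
  reader.close
  _, status = Process.wait2(pid)
  [output, status.exitstatus]
end

if __FILE__ == $PROGRAM_NAME
  out, code = run_with_pipe('sh', '-c', 'echo started; echo warning >&2')
  puts "exit=#{code}"
  puts out
end
```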

