Issue #13308 has been updated by Eric Shamow.
I can't reproduce this bug. Tried first in PE, then with the (near) identical
FOSS setup. One thing I'd note is that the command entered here - `mco puppetd
—wi runonce` - won't work. --wi is intended to specify an identity. So in the
below case, from my master, I run `mco puppetd runonce --wi
pe-centos5.localdomain`. I can't see that impacting the substance of the
ticket - and it's probably a typo - but worth pointing out.
The only potential cause I can imagine here is that the mco puppetd provider
hits /usr/sbin/puppetd instead of "puppet agent" but again I'd imagine we'd
have seen the problem in my testing.
My setup/results:
[root@pe-centos5 mcollective]# rpm -qa|grep -e puppet -e mcollective
puppet-2.7.11-2.el5
mcollective-common-1.2.1-1.el5
mcollective-1.2.1-1.el5
[root@pe-centos5 mcollective]# uname -a
Linux pe-centos5.localdomain 2.6.18-274.18.1.el5 #1 SMP Thu Feb 9 12:45:52
EST 2012 i686 i686 i386 GNU/Linux
[root@pe-centos5 mcollective]# facter | grep sel
selinux => true
selinux_config_mode => enforcing
selinux_config_policy => targeted
selinux_current_mode => enforcing
selinux_enforced => true
selinux_mode => targeted
selinux_policyversion => 21
[root@pe-centos5 mcollective]# chkconfig --list nscd
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@pe-centos5 mcollective]# service nscd status
nscd is stopped
Mar 29 16:30:09 pe-centos5 puppet-agent[4066]: Reopening log files
Mar 29 16:31:31 pe-centos5 puppet-agent[4066]:
(/Stage[main]/Tst/User[root]/password) changed password
Mar 29 16:31:31 pe-centos5 puppet-agent[4066]: Finished catalog run in 0.10
seconds
This works for non-root users as well.
----------------------------------------
Bug #13308: mcollective/puppetd 2.7.11-2 & RHEL57 SELinux alert
https://projects.puppetlabs.com/issues/13308#change-58953
Author: Stefan Heijmans
Status: Investigating
Priority: Normal
Assignee: Michael Stahnke
Category:
Target version:
Affected Puppet version:
Keywords:
Branch: 2.7.11-2
Hello,
We are running Puppet 2.7.11-2 on RHEL57 x86_64 with MCollective (on client and
server);
On the client;
# rpm -qa|grep -e puppet -e mcollective
mcollective-common-1.2.1-1.el5
puppet-2.7.11-2.el5
mcollective-1.2.1-1.el5
#
with kernel;
Linux <hostname> 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64
x86_64 x86_64 GNU/Linux
with SELinux enabled.
# facter|grep sel
selinux => true
selinux_config_mode => enforcing
selinux_config_policy => targeted
selinux_current_mode => enforcing
selinux_enforced => true
selinux_mode => targeted
selinux_policyversion => 21
#
In one of our manifest we set the password for some users.
When we do a puppet-run from the puppetmaster with the mcollective plugin
puppetd; 'mco puppetd --wi <hostname> runonce'
we get the following (reproducible) SELinux Alert.
--------------------------------------------------------------------------------
Summary:
SELinux is preventing the nscd from using potentially mislabeled files
(/tmp/puppet.30676.0).
Detailed Description:
SELinux has denied nscd access to potentially mislabeled file(s)
(/tmp/puppet.30676.0). This means that SELinux will not allow nscd to use
these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is
that
the files end up with the wrong file context which confined applications
are not
allowed to access.
Allowing Access:
If you want nscd to access this files, you need to relabel them using
restorecon
-v '/tmp/puppet.30676.0'. You might want to relabel the entire directory
using
restorecon -R -v '/tmp'.
Additional Information:
Source Context system_u:system_r:nscd_t
Target Context system_u:object_r:initrc_tmp_t
Target Objects /tmp/puppet.30676.0 [ file ]
Source nscd
Source Path /usr/sbin/nscd
Port <Unknown>
Host <Unknown>
Source RPM Packages nscd-2.5-65.el5_7.1
Target RPM Packages
Policy RPM selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name <hostname>
Platform Linux <hostname>
2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST
2012 x86_64 x86_64
Alert Count 4
First Seen Tue Mar 20 17:13:25 2012
Last Seen Tue Mar 20 17:13:25 2012
Local ID fdec3437-c40e-407e-ab3c-f998cf0a49f5
Line Numbers 10078, 10079, 10080, 10082, 10083, 10084,
10085,
10086, 10087, 10089, 10090, 10091, 10092, 10093,
10094, 10096, 10097, 10098, 10099, 10100, 10101,
10103, 10104, 10105
Raw Audit Messages
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for
pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13
scontext=system_u:system_r:nscd_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for
pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13
scontext=system_u:system_r:nscd_t:s0
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59
success=yes exit=0 a0=40e9de a1=7fff4f96d120 a2=7fff4f96d150 a3=0 items=2
ppid=31024 pid=31028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd"
exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key="nscd_called-up"
type=CWD msg=audit(1332260005.415:16748): cwd="/"
type=PATH msg=audit(1332260005.415:16748): item=0 name="/usr/sbin/nscd"
inode=721057 dev=fd:07 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:nscd_exec_t:s0
type=PATH msg=audit(1332260005.415:16748): item=1 name=(null) inode=196612
dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:ld_so_t:s0
--------------------------------------------------------------------------------
The problem is that the temporary puppet file (/tmp/puppet.30676.0) gets a
SELinux label initrc_tmp_t
which the nscd daemon is not allowed to access.
ncsd is default off;
# chkconfig --list nscd
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# service nscd status
nscd is stopped
#
When we run puppet locally with 'puppet agent -t' we don't get the SELinux
alert, as the temporary puppet file is now written with the tmp_t
SELinux label.
I've talked with Red Hat support about and they say in-the-end, the following
about it;
>>As I had stated before, the 'puppet' software is not provided by Red Hat, and
>>the SELinux rules required
>>for the current observed access is not available in Red Hat Enterprise Linux
>>5. The vendor of the software
>>has to ensure that the software is built to adhere to the current SELinux
>>policy rules available in Red Hat Enterprise Linux 5.
They also mention it is fixed in RHEL6 but that's not an option (yet).
Anyone has a fix for it on RHEL5?
Regards,
Stefan
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-bugs?hl=en.
