Issue #13308 has been updated by Stefan Heijmans.
Eric,
We've upgraded our environment a bit and are now running RHEL58 with kernel 2.6.18-308.8.1.el5.
I have tested this morning with the following packages installed;
facter-1.6.10-1.el5
mcollective-2.0.0-1.el5
mcollective-common-2.0.0-1.el5
puppet-2.7.17-1.el5
We also updated the MCollective puppetd agent to the new version 1.7, which uses puppet instead of puppetd.
<pre>
# locate puppetd.rb
/usr/libexec/mcollective/mcollective/agent/puppetd.rb
# cat /usr/libexec/mcollective/mcollective/agent/puppetd.rb
module MCollective
  module Agent
    # An agent to manage the Puppet Daemon
    #
    # Configuration Options:
    #   puppetd.splaytime - Number of seconds within which to splay; no splay
    #                       by default
    #   puppetd.statefile - Where to find the state.yaml file; defaults to
    #                       /var/lib/puppet/state/state.yaml
    #   puppetd.lockfile  - Where to find the lock file; defaults to
    #                       /var/lib/puppet/state/puppetdlock
    #   puppetd.puppetd   - Where to find the puppet agent binary; defaults to
    #                       /usr/bin/puppet agent
    #   puppetd.summary   - Where to find the summary file written by Puppet
    #                       2.6.8 and newer; defaults to
    #                       /var/lib/puppet/state/last_run_summary.yaml
    #   puppetd.pidfile   - Where to find puppet agent's pid file; defaults to
    #                       /var/run/puppet/agent.pid
    class Puppetd<RPC::Agent
      metadata :name        => "Puppet Controller Agent",
               :description => "Run puppet agent, get its status, and enable/disable it",
               :author      => "R.I.Pienaar",
               :license     => "Apache License 2.0",
               :version     => "1.7",
               :url         => "http://projects.puppetlabs.com/projects/mcollective-plugins/wiki/AgentPuppetd",
               :timeout     => 30

      def startup_hook
        @splaytime    = @config.pluginconf["puppetd.splaytime"].to_i || 0
        @lockfile     = @config.pluginconf["puppetd.lockfile"]  || "/var/lib/puppet/state/puppetdlock"
        @statefile    = @config.pluginconf["puppetd.statefile"] || "/var/lib/puppet/state/state.yaml"
        @pidfile      = @config.pluginconf["puppet.pidfile"]    || "/var/run/puppet/agent.pid"
        @puppetd      = @config.pluginconf["puppetd.puppetd"]   || "/usr/bin/puppet agent"
        @last_summary = @config.pluginconf["puppet.summary"]    || "/var/lib/puppet/state/last_run_summary.yaml"
      end
</pre>
When I run puppet through mcollective, I see that the puppet binary is used;
<pre>
root 14121 1 44 10:10 ? 00:00:01 /usr/bin/ruby /usr/bin/puppet agent --onetime
</pre>
These are the installed puppet/puppetd binaries;
<pre>
puppet
# ls -lZ /usr/bin/puppet
-rwxr-xr-x root root system_u:object_r:bin_t /usr/bin/puppet
# ls -l /usr/sbin/puppetd
-rwxr-xr-x 1 root root 84 Jun 20 02:04 /usr/sbin/puppetd
puppetd
# ls -lZ /usr/sbin/puppetd
-rwxr-xr-x root root system_u:object_r:sbin_t /usr/sbin/puppetd
# ls -l /usr/sbin/puppetd
-rwxr-xr-x 1 root root 84 Jun 20 02:04 /usr/sbin/puppetd
</pre>
The SELinux Alert still occurs;
<pre>
Jun 20 10:10:15 xxxxxxxx setroubleshoot: SELinux is preventing the nscd from using potentially mislabeled files (/tmp/puppet.14121.0). For complete SELinux messages. run sealert -l f6447ca5-ff6f-4b46-a65c-c518d63b9807
</pre>
Stefan
----------------------------------------
Bug #13308: mcollective/puppetd 2.7.11-2 & RHEL57 SELinux alert
https://projects.puppetlabs.com/issues/13308#change-65444
Author: Stefan Heijmans
Status: Accepted
Priority: Normal
Assignee: Matthaus Litteken
Category:
Target version:
Affected Puppet version:
Keywords:
Branch: 2.7.11-2
Hello,
We are running Puppet 2.7.11-2 on RHEL57 x86_64 with MCollective (on client and server);
On the client;
<pre>
# rpm -qa|grep -e puppet -e mcollective
mcollective-common-1.2.1-1.el5
puppet-2.7.11-2.el5
mcollective-1.2.1-1.el5
#
</pre>
with kernel;
<pre>
Linux <hostname> 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
</pre>
with SELinux enabled.
<pre>
# facter|grep sel
selinux => true
selinux_config_mode => enforcing
selinux_config_policy => targeted
selinux_current_mode => enforcing
selinux_enforced => true
selinux_mode => targeted
selinux_policyversion => 21
#
</pre>
In one of our manifests we set the password for some users.
When we do a puppet run from the puppetmaster with the mcollective plugin puppetd ('mco puppetd --wi <hostname> runonce'), we get the following (reproducible) SELinux Alert.
<pre>
--------------------------------------------------------------------------------
Summary:

SELinux is preventing the nscd from using potentially mislabeled files
(/tmp/puppet.30676.0).

Detailed Description:

SELinux has denied nscd access to potentially mislabeled file(s)
(/tmp/puppet.30676.0). This means that SELinux will not allow nscd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want nscd to access this files, you need to relabel them using
restorecon -v '/tmp/puppet.30676.0'. You might want to relabel the entire
directory using restorecon -R -v '/tmp'.

Additional Information:

Source Context                system_u:system_r:nscd_t
Target Context                system_u:object_r:initrc_tmp_t
Target Objects                /tmp/puppet.30676.0 [ file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           nscd-2.5-65.el5_7.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     <hostname>
Platform                      Linux <hostname> 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Mar 20 17:13:25 2012
Last Seen                     Tue Mar 20 17:13:25 2012
Local ID                      fdec3437-c40e-407e-ab3c-f998cf0a49f5
Line Numbers                  10078, 10079, 10080, 10082, 10083, 10084, 10085,
                              10086, 10087, 10089, 10090, 10091, 10092, 10093,
                              10094, 10096, 10097, 10098, 10099, 10100, 10101,
                              10103, 10104, 10105

Raw Audit Messages

type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59 success=yes exit=0 a0=40e9de a1=7fff4f96d120 a2=7fff4f96d150 a3=0 items=2 ppid=31024 pid=31028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key="nscd_called-up"
type=CWD msg=audit(1332260005.415:16748): cwd="/"
type=PATH msg=audit(1332260005.415:16748): item=0 name="/usr/sbin/nscd" inode=721057 dev=fd:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nscd_exec_t:s0
type=PATH msg=audit(1332260005.415:16748): item=1 name=(null) inode=196612 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0
--------------------------------------------------------------------------------
</pre>
The problem is that the temporary puppet file (/tmp/puppet.30676.0) gets the SELinux label initrc_tmp_t, which the nscd daemon is not allowed to access.
nscd is off by default;
<pre>
# chkconfig --list nscd
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# service nscd status
nscd is stopped
#
</pre>
When we run puppet locally with 'puppet agent -t' we don't get the SELinux alert, as the temporary puppet file is now written with the tmp_t SELinux label.
I've talked with Red Hat support about it and, in the end, they say the following about it;
>> As I had stated before, the 'puppet' software is not provided by Red Hat, and
>> the SELinux rules required for the current observed access are not available
>> in Red Hat Enterprise Linux 5. The vendor of the software has to ensure that
>> the software is built to adhere to the current SELinux policy rules available
>> in Red Hat Enterprise Linux 5.
They also mention it is fixed in RHEL6, but that's not an option (yet).
Does anyone have a fix for it on RHEL5?
Regards,
Stefan
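The raw AVC records in the report are exactly the input from which a local SELinux policy module for RHEL5 would be derived. The following POSIX shell script is an added example, not part of the bug report and not code from Puppet or MCollective: it parses AVC denial records the way audit2allow does (source type, target type, object class and the denied permissions), deduplicates them, and prints a complete Type Enforcement (.te) module so the resulting rule can be read before anything is loaded. The module name local_puppet_nscd is an assumption, and the sample audit text is constructed from the report's own lines (the duplicated AVC record and the SYSCALL record are included on purpose, to show that one is collapsed and the other ignored).

```shell
#!/bin/sh
# Added example: derive a minimal SELinux .te module from raw AVC denial records.
# Not code from the bug report, Puppet or MCollective.

# Constructed sample input, taken from the AVC lines quoted in the report:
# two identical AVC denials plus a SYSCALL record that carries no denial.
SAMPLE_AUDIT='type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59 success=yes exit=0 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0'

# avc_allow_rules: read audit records on stdin and print one deduplicated
# TE "allow" rule per distinct AVC denial. Only type=AVC records with
# "avc: denied" are considered; the domain type is the third field of the
# context (user:role:type:level), so nscd_t and initrc_tmp_t are extracted.
avc_allow_rules() {
    awk '
        /type=AVC/ && /avc: *denied/ {
            perms = $0
            sub(/.*denied *[{] */, "", perms)   # keep text after "denied {"
            sub(/ *[}].*/, "", perms)           # drop everything from "}" on
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 10)
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            split(s, sa, ":"); split(t, ta, ":")
            printf "allow %s %s:%s { %s };\n", sa[3], ta[3], c, perms
        }' | sort -u
}

# te_module NAME: read "allow" rules on stdin and wrap them in a complete
# .te module, generating the require block (types, classes and permissions)
# in order of first appearance so the output is deterministic.
te_module() {
    awk -v name="$1" '
        /^allow / {
            rules[++nr] = $0
            split($3, tc, ":")                              # "type:class"
            if (!($2 in seen))    { seen[$2] = 1;    tlist[++nt] = $2 }
            if (!(tc[1] in seen)) { seen[tc[1]] = 1; tlist[++nt] = tc[1] }
            if (!(tc[2] in cseen)) { cseen[tc[2]] = 1; clist[++nc] = tc[2] }
            perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
            np = split(perms, pa, " ")
            for (i = 1; i <= np; i++)
                if (!((tc[2], pa[i]) in pseen)) {
                    pseen[tc[2], pa[i]] = 1
                    cperms[tc[2]] = cperms[tc[2]] " " pa[i]
                }
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", name
            for (i = 1; i <= nt; i++) printf "    type %s;\n", tlist[i]
            for (i = 1; i <= nc; i++) printf "    class %s {%s };\n", clist[i], cperms[clist[i]]
            printf "}\n\n"
            for (i = 1; i <= nr; i++) print rules[i]
        }'
}

# Usage: print the module that the report's denials would produce.
printf '%s\n' "$SAMPLE_AUDIT" | avc_allow_rules | te_module local_puppet_nscd
```

On the RHEL5 host the printed module would be compiled and loaded with checkmodule -M -m, semodule_package and semodule -i. The generated rule is the narrowest reading of the denial, but it still permits nscd_t to read and write every initrc_tmp_t file rather than only Puppet's temporary file, which is why the label difference the report observes (tmp_t from an interactive 'puppet agent -t', initrc_tmp_t from the MCollective-triggered run) is worth resolving rather than only allowed around.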
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.