Issue #19596 has been reported by Stefan Heijmans.

----------------------------------------
Bug #19596: SELinux alert with Puppet 3.1.0 during mcollective/puppet agent run.
https://projects.puppetlabs.com/issues/19596

Author: Stefan Heijmans
Status: Unreviewed
Priority: Normal
Assignee: 
Category: 
Target version: 
Affected Puppet version: 3.1.0
Keywords: 
Branch: 


<pre>Hello,

We upgraded from Puppet (opensource) 2.7.20 to 3.1.0 in our sandbox server 
running on RHEL59.
When we do a puppet run through MCollective (2.2.3) with the puppet agent 
(1.5.0), we see some SELinux alerts; we did not experience this on 2.7.20.
Mar  6 15:52:12 <server> setroubleshoot: SELinux is preventing the ip from 
using potentially mislabeled files 
(2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429).
 For complete SELinux messages. run sealert -l 
1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar  6 15:52:12 <server> setroubleshoot: SELinux is preventing the ifconfig 
from using potentially mislabeled files 
(2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429).
 For complete SELinux messages. run sealert -l 
1fe53c21-b437-4e1e-ab04-9009abf22a2f

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 (Tikanga)
# uname -a
Linux <server> 2.6.18-348.el5 #1 SMP Wed Nov 28 21:22:00 EST 2012 x86_64 x86_64 
x86_64 GNU/Linux
#

# rpm -qa|grep mcollective |sort
mcollective-2.2.3-1.el5
mcollective-common-2.2.3-1.el5
mcollective-filemgr-agent-1.0.1-1
mcollective-filemgr-common-1.0.1-1
mcollective-package-agent-4.1.0-1
mcollective-package-common-4.1.0-1
mcollective-puppet-agent-1.5.0-1
mcollective-puppet-common-1.5.0-1
mcollective-service-agent-3.1.1-1
mcollective-service-common-3.1.1-1
# rpm -q puppet
puppet-2.7.20-1.el5
#

MCollective puppet agent run on 2.7.20
mco puppet runonce --wi [hostname]
/var/log/messages
Mar  6 15:49:31 <server> puppet-agent[3616]: Reopening log files
Mar  6 15:50:00 <server> puppet-agent[3616]: Finished catalog run in 16.25 
seconds

MCollective puppet agent run on 3.1.0
mco puppet runonce --wi [hostname]
/var/log/messages
Mar  6 15:52:11 <server> setroubleshoot: SELinux is preventing the ifconfig 
from using potentially mislabeled files 
(2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429).
 For complete SELinux messages. run sealert -l 
1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar  6 15:52:28 <server> puppet-agent[4439]: Finished catalog run in 13.53 
seconds


# sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f

Summary:

SELinux is preventing the ifconfig from using potentially mislabeled files
(2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429).

Detailed Description:

SELinux has denied ifconfig access to potentially mislabeled file(s)
(2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429).
This means that SELinux will not allow ifconfig to use these files. It is common
for users to edit files in their home directory or tmp directories and then move
(mv) them to system directories. The problem is that the files end up with the
wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want ifconfig to access this files, you need to relabel them using
restorecon -v
'2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429'.
You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:object_r:initrc_tmp_t
Target Objects                2F746D702F73797374656D755F7A6D6F6D673130392E6F2D72
                              6563687473707261616B2E6D696E6A75732E6E6C5F39393638
                              5F393936395F302E303332363030353233323431343238315F
                              312F737464696E202864656C6574656429 [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          <server>
Source RPM Packages           net-tools-1.60-82.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-338.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     <server>
Platform                      Linux <server>
                              2.6.18-348.el5 #1 SMP Wed Nov 28 21:22:00 EST 2012
                              x86_64 x86_64
Alert Count                   36
First Seen                    Wed Mar  6 15:52:11 2013
Last Seen                     Wed Mar  6 15:52:12 2013
Local ID                      1fe53c21-b437-4e1e-ab04-9009abf22a2f
Line Numbers

Raw Audit Messages

host=<server> type=AVC msg=audit(1362581532.125:2901): avc:  denied  { read } 
for  pid=4805 comm="ifconfig" 
path=2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429
 dev=dm-3 ino=425986 scontext=system_u:system_r:ifconfig_t:s0 
tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

host=<server> type=SYSCALL msg=audit(1362581532.125:2901): arch=c000003e 
syscall=59 success=yes exit=0 a0=ed83210 a1=ed83650 a2=ed83280 a3=0 items=0 
ppid=4804 pid=4805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" 
subj=system_u:system_r:ifconfig_t:s0 key=(null)

Also tested the same on CENTOS59 with the same result.

What could cause this?

Regards,
Stefan
</pre>
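
The alerts above print the target path as a long hex string; the audit subsystem writes a field that way when its value contains a space, a double quote or a control character. As an added example (not part of the original report and not Puppet or MCollective code), the Python below parses an AVC denial and decodes such fields. The record and path in it are constructed, and the function names are hypothetical.

```python
import re

# Audit fields that are written either quoted or, when they contain a
# space, quote or control byte, as an unquoted hex string.
ENCODED_FIELDS = {"path", "name", "comm", "exe"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
DELETED = " (deleted)"  # suffix the kernel appends for an unlinked file


def decode_audit_value(raw):
    """Return the readable form of a quoted or hex-encoded audit value."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.fullmatch(raw):
        try:
            return bytes.fromhex(raw).decode("utf-8")
        except UnicodeDecodeError:
            return raw  # not text after all; keep the original value
    return raw


def _selinux_type(context):
    """Extract the type from user:role:type[:level]."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("fields")):
        fields[key] = decode_audit_value(raw) if key in ENCODED_FIELDS else raw
    path = fields.get("path", "")
    deleted = path.endswith(DELETED)
    if deleted:
        path = path[: -len(DELETED)]
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": path,
        "deleted": deleted,
        "source_type": _selinux_type(fields.get("scontext")),
        "target_type": _selinux_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }


# Constructed sample: same shape as the record in the report, with a made-up path.
SAMPLE_PATH = "/tmp/systemu_host.example_1234_1235_0.5_1/stdin (deleted)"
SAMPLE_AVC = (
    "type=AVC msg=audit(1362581532.125:2901): avc:  denied  { read } for  pid=4805 "
    'comm="ifconfig" path=' + SAMPLE_PATH.encode().hex().upper() + " dev=dm-3 ino=425986 "
    "scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file"
)

if __name__ == "__main__":
    print(parse_avc(SAMPLE_AVC))
```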

