Issue #19596 has been updated by Dominic Cleal.
This is perhaps not the best place for such a discussion, however the targeted policy is part of the supported OS. Point out the correct policy in EL6 ([RHBZ#874419](https://bugzilla.redhat.com/show_bug.cgi?id=874419) looks related) and request a backport of the fix to EL5. Puppet doesn't ship its own policy, so there's not much we can do within the project. Feel free to e-mail me if you get stuck (address on profile).

----------------------------------------
Bug #19596: SELinux alert with Puppet 3.1.0 during mcollective/puppet agent run.
https://projects.puppetlabs.com/issues/19596#change-86729

Author: Stefan Heijmans
Status: Rejected
Priority: Normal
Assignee:
Category: SELinux
Target version:
Affected Puppet version: 3.1.0
Keywords:
Branch:

<pre>
Hello,

We upgraded from Puppet (opensource) 2.7.20 to 3.1.0 in our sandbox server running on RHEL59.
When we do a puppet run through MCollective (2.2.3) with the puppet agent (1.5.0), we see some SELinux alerts, we did not experience this on 2.7.20.

Mar 6 15:52:12 <server> setroubleshoot: SELinux is preventing the ip from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:12 <server> setroubleshoot: SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. 
run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 (Tikanga)
# uname -a
Linux <server> 2.6.18-348.el5 #1 SMP Wed Nov 28 21:22:00 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
#
# rpm -qa|grep mcollective |sort
mcollective-2.2.3-1.el5
mcollective-common-2.2.3-1.el5
mcollective-filemgr-agent-1.0.1-1
mcollective-filemgr-common-1.0.1-1
mcollective-package-agent-4.1.0-1
mcollective-package-common-4.1.0-1
mcollective-puppet-agent-1.5.0-1
mcollective-puppet-common-1.5.0-1
mcollective-service-agent-3.1.1-1
mcollective-service-common-3.1.1-1
# rpm -q puppet
puppet-2.7.20-1.el5
#

MCollective puppet agent run on 2.7.20
mco puppet runonce --wi [hostname]
/var/log/messages
Mar 6 15:49:31 <server> puppet-agent[3616]: Reopening log files
Mar 6 15:50:00 <server> puppet-agent[3616]: Finished catalog run in 16.25 seconds

MCollective puppet agent run on 3.1.0
mco puppet runonce --wi [hostname]
/var/log/messages
Mar 6 15:52:11 <server> setroubleshoot: SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:11 <server> setroubleshoot: SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. 
run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:12 <server> setroubleshoot: SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:12 <server> setroubleshoot: SELinux is preventing the ip from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:13 <server> setroubleshoot: SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:13 <server> setroubleshoot: SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). For complete SELinux messages. run sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f
Mar 6 15:52:28 <server> puppet-agent[4439]: Finished catalog run in 13.53 seconds

# sealert -l 1fe53c21-b437-4e1e-ab04-9009abf22a2f

Summary:

SELinux is preventing the ifconfig from using potentially mislabeled files (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429).

Detailed Description:

SELinux has denied ifconfig access to potentially mislabeled file(s) (2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429). This means that SELinux will not allow ifconfig to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want ifconfig to access this files, you need to relabel them using restorecon -v '2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429'. You might want to relabel the entire directory using restorecon -R -v ''.

Additional Information:

Source Context                system_u:system_r:ifconfig_t
Target Context                system_u:object_r:initrc_tmp_t
Target Objects                2F746D702F73797374656D755F7A6D6F6D673130392E6F2D72 6563687473707261616B2E6D696E6A75732E6E6C5F39393638 5F393936395F302E303332363030353233323431343238315F 312F737464696E202864656C6574656429 [ file ]
Source                        ifconfig
Source Path                   /sbin/ifconfig
Port                          <Unknown>
Host                          <server>
Source RPM Packages           net-tools-1.60-82.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-338.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     <server>
Platform                      Linux <server> 2.6.18-348.el5 #1 SMP Wed Nov 28 21:22:00 EST 2012 x86_64 x86_64
Alert Count                   36
First Seen                    Wed Mar 6 15:52:11 2013
Last Seen                     Wed Mar 6 15:52:12 2013
Local ID                      1fe53c21-b437-4e1e-ab04-9009abf22a2f
Line Numbers

Raw Audit Messages

host=<server> type=AVC msg=audit(1362581532.125:2901): avc: denied { read } for pid=4805 comm="ifconfig" 
path=2F746D702F73797374656D755F7A6D6F6D673130392E6F2D726563687473707261616B2E6D696E6A75732E6E6C5F393936385F393936395F302E303332363030353233323431343238315F312F737464696E202864656C6574656429 dev=dm-3 ino=425986 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

host=<server> type=SYSCALL msg=audit(1362581532.125:2901): arch=c000003e syscall=59 success=yes exit=0 a0=ed83210 a1=ed83650 a2=ed83280 a3=0 items=0 ppid=4804 pid=4805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ifconfig" exe="/sbin/ifconfig" subj=system_u:system_r:ifconfig_t:s0 key=(null)

Also tested the same on CENTOS59 with the same result.
What could cause this?

Regards,
Stefan
</pre>
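
The `path=` value in the AVC record above is hex because auditd hex-encodes strings that contain spaces or control characters; decoding it and grouping repeated denials by source type, target type, class and permission gives the facts a policy bug report needs. The following Python is an added example, not part of the original message or of any SELinux tool; its function names are hypothetical and its sample records are constructed (contexts, class and permission copied from the report, the path and the `comm="ip"` record invented).

```python
import re
from collections import Counter

# Constructed sample: contexts, class and permission copied from the report's
# AVC line; the path and the comm="ip" record are invented for illustration.
SAMPLE_PATH = "/tmp/systemu_example_1/stdin (deleted)"
HEX_PATH = SAMPLE_PATH.encode().hex().upper()
TEMPLATE = (
    'type=AVC msg=audit(1362581532.125:2901): avc:  denied  {{ read }} for  '
    'pid=4805 comm="{comm}" path={path} dev=dm-3 ino=425986 '
    'scontext=system_u:system_r:ifconfig_t:s0 '
    'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'
)
SAMPLE_LOG = [TEMPLATE.format(comm=c, path=HEX_PATH)
              for c in ("ifconfig", "ip", "ifconfig")]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {"comm", "path", "name", "exe"}  # values auditd may hex-encode

def decode_audit_string(raw):
    """Quoted values are literal; bare even-length hex is an encoded string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw  # e.g. "(null)" or another unquoted, non-hex token

def parse_avc(line):
    """Return one AVC denial as a dict, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))
    for key in STRING_FIELDS.intersection(fields):
        fields[key] = decode_audit_string(fields[key])
    return {
        "perms": tuple(m.group(1).split()),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }

def summarize(lines):
    """Count repeated denials per (source, target, class, perms, path)."""
    counts = Counter()
    for d in filter(None, map(parse_avc, lines)):
        key = (d["source_type"], d["target_type"], d["tclass"], d["perms"], d["path"])
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms, path), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {src} -> {tgt}:{cls} {{ {' '.join(perms)} }} {path}")
```

Only the string-valued fields are decoded, because numeric fields such as `ino=425986` are also even-length runs of hex digits and must be left alone.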
