On Jun 10, 2009, at 6:34 PM, Todd Zullinger wrote:
> rlh100 wrote:
>> But in the /var/log/messages file I got the following SELinux error:
>> Jun 10 16:09:13 vopssrv-02 setroubleshoot: SELinux is preventing the rndc from using potentially mislabeled files (/tmp/puppet.5020.0). For complete SELinux messages. run sealert -l 67cf31ee-d618-4df7-87cf-777f5abcf277
>>
>> Which sealert translated to:
>> SELinux is preventing the rndc from using potentially mislabeled files
>> (/tmp/puppet.5020.0).
>> . . .
>> Allowing Access:
>> If you want rndc to access this files, you need to relabel them using
>> restorecon -v '/tmp/puppet.5020.0'. You might want to relabel the entire
>> directory using restorecon -R -v '/tmp'.
>>
>> Having seen a similar problem with nagios and ping:
>>> This is a classic leaked file descriptor. Obviously ping has no
>>> business reading the nagios spool file, it would know nothing about
>>> this file, but nagios has an open file descriptor to the fifo_file
>>> when it execs ping. ping inherits the open file descriptor. The
>>> kernel checks the ping policy to see if ping can read the fifo file,
>>> when it finds it can not, it reports a violation, closes the file
>>> descriptor for ping and reopens it with /dev/null. It then completes
>>> the startup of ping.
>>
>>> You should report this as a bug to nagios. They should execute
>>> fcntl(fd, F_SETFD, FD_CLOEXEC) on all open file descriptors before
>>> fork/exec of any subprocess.
>>
>> So does this make any sense to one of the ruby programmers among you?
>
> FWIW, the general issue of leaked file descriptors was reported by
> Fedora/RHEL SELinux maintainer Dan Walsh in the Red Hat bugzilla as
> https://bugzilla.redhat.com/show_bug.cgi?id=460039.
Yeah, looks like a file descriptor problem.
What version of Puppet is the original poster using? I think we've
fixed bugs related to this in recent releases.
--
Zeilinger's Fundamental Law:
There is no Fundamental Law.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
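
The descriptor leak and the `fcntl(fd, F_SETFD, FD_CLOEXEC)` fix quoted in this thread, as an added Ruby example that is not part of the original messages and is not Puppet's code. The temp file name, its contents and all helper names are constructed for illustration; the child is a second Ruby process standing in for rndc.

```ruby
require "fcntl"
require "rbconfig"
require "tempfile"

# Child program: try to read the descriptor number passed in ARGV[0].
# If that descriptor was closed at exec, IO.for_fd raises and nothing is printed.
CHILD = 'begin; print IO.for_fd(Integer(ARGV[0])).read; rescue StandardError; end'

# Run the child with close_others: false so that only FD_CLOEXEC decides
# what it inherits. Returns whatever the child managed to read from fd.
def child_reads(fd)
  IO.popen([RbConfig.ruby, "-e", CHILD, fd.to_s], "r", close_others: false, &:read)
end

# The fix quoted in the thread, preserving any other descriptor flags.
def set_cloexec(io)
  flags = io.fcntl(Fcntl::F_GETFD)
  io.fcntl(Fcntl::F_SETFD, flags | Fcntl::FD_CLOEXEC)
end

# Apply it to every open non-stdio IO object before fork/exec.
def set_cloexec_on_all
  ObjectSpace.each_object(IO) do |io|
    next if io.closed? || io.fileno <= 2
    set_cloexec(io)
  end
end

# Returns [what the child read while the fd leaked, what it read after the fix].
def demo
  Tempfile.create("puppet") do |tmp|   # constructed stand-in for /tmp/puppet.5020.0
    tmp.write("catalog-secret")        # constructed contents
    tmp.flush
    File.open(tmp.path) do |r|
      # Ruby 2.0 and later set close-on-exec by default; clear it here to
      # reproduce the inherited-descriptor behaviour the thread describes.
      r.close_on_exec = false
      leaked = child_reads(r.fileno)
      r.rewind                         # the child shared and advanced the offset
      set_cloexec_on_all
      fixed = child_reads(r.fileno)
      [leaked, fixed]
    end
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

With the flag cleared the child reads the parent's temp file through the inherited descriptor, which is the access SELinux denied for rndc; with the flag set the descriptor no longer exists in the child.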