
List:       puppet-users
Subject:    Re: [Puppet-users] selinux: avc denials for puppet
From:       Frank Sweetser <fs () WPI ! EDU>
Date:       2008-01-31 21:07:03
Message-ID: 47A23877.4040205 () wpi ! edu

Johnny Tan wrote:
> For those running selinux, have you seen these in your logs 
> whenever puppetd runs:
> 
> type=AVC msg=audit(01/30/2008 16:37:03.193:877) : avc: 
> denied  { write } for  pid=14469 comm=semanage 
> path=/tmp/puppet.14421.0 dev=dm-3 ino=18 
> scontext=root:system_r:semanage_t:s0-s0:c0.c1023 
> tcontext=root:object_r:tmp_t:s0 tclass=file
> 
> It seems to be caused when puppetd tries to write to /tmp (I 
> assume it keeps some sort of state information here 
> temporarily?).

Basically, puppet uses temporary files to capture output of commands.  I.e.,
when running command "foo" it does

foo > /tmp/puppet.$$

and then picks up the contents of /tmp/puppet.$$ after the command has
completed.  However, a number of commands, including semanage, are restricted
by SELinux policy from writing out to any files, even temporary files.

If you're writing your own native type, you can check out how I worked around
it in the provider for my selmodule type:

http://spook.wpi.edu

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
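An added triage helper, not part of this thread or of Puppet: it parses audit records in the `ausearch -i` layout quoted above and flags the pattern Frank describes, a confined command denied `write` on a `tmp_t` file named `/tmp/puppet.*`. The first sample record is the thread's denial reassembled onto one line; the other two are constructed and unrelated, to show the filter leaves them alone.

```python
import re
from dataclasses import dataclass

# Constructed sample: record 1 is the denial quoted in this thread (one line),
# records 2 and 3 are made up to exercise the filter.
SAMPLE_LOG = """\
type=AVC msg=audit(01/30/2008 16:37:03.193:877) : avc: denied  { write } for  pid=14469 comm=semanage path=/tmp/puppet.14421.0 dev=dm-3 ino=18 scontext=root:system_r:semanage_t:s0-s0:c0.c1023 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(01/30/2008 16:40:11.002:880) : avc: denied  { read } for  pid=14510 comm=httpd path=/var/www/html/index.html dev=dm-3 ino=40 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(01/30/2008 16:37:03.193:877) : arch=x86_64 syscall=open success=no exit=-13
"""

# "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Denial:
    perms: list
    fields: dict

    @property
    def source_type(self):
        # user:role:type:level -> type of the acting domain (e.g. semanage_t)
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        # type of the object being accessed (e.g. tmp_t)
        return self.fields["tcontext"].split(":")[2]


def parse_denials(text):
    """Return one Denial per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = m.group("perms").split()
        fields = dict(FIELD_RE.findall(m.group("fields")))
        denials.append(Denial(perms, fields))
    return denials


def is_puppet_tmp_capture(d):
    """True when a confined domain was denied writing puppet's /tmp output-capture file."""
    return ("write" in d.perms and d.target_type == "tmp_t"
            and d.fields.get("tclass") == "file"
            and d.fields.get("path", "").startswith("/tmp/puppet."))
```

Run the parser over a real audit log and any record for which `is_puppet_tmp_capture` is true points at the temp-file capture rather than at a policy problem with the command itself.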