Bug 491532

Summary: puppet, files and selinux
Product: [Fedora] Fedora
Reporter: Edouard Bourguignon <madko>
Component: puppet
Assignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: k.georgiou, tmz, vanmeeuwen+fedora
Target Milestone: ---
Keywords: SELinux
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-03-24 04:48:23 UTC

Description Edouard Bourguignon 2009-03-22 18:48:32 UTC
Description of problem:

I've got a strange problem on some hosts. Puppet clients connect to the puppet master server, grab their catalog, but don't even try to download their files from the puppet fileserver (source or template).

Log on the puppet master (client SELINUX=enforcing or permissive):
--------------------------------------------------------------------------------
Mar 22 19:21:40 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:21:40 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:20:40 +0100 2009
Mar 22 19:21:40 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module network
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module smarthost
Mar 22 19:21:41 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:21:41 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module yum-updatesd
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module munin-node
Mar 22 19:21:42 master puppetmasterd[25060]: Autoloaded module func
Mar 22 19:21:42 master puppetmasterd[25060]: Autoloaded module func
Mar 22 19:21:42 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 1.35 seconds
--------------------------------------------------------------------------------

Now, if I set SELinux to disabled on those clients, it works perfectly.

Log on the puppet master (client SELINUX=disabled):
--------------------------------------------------------------------------------
Mar 22 19:26:36 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:26:36 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:25:36 +0100 2009
Mar 22 19:26:36 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:26:36 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:26:36 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:26:37 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.60 seconds
Mar 22 19:26:39 master puppetmasterd[25060]: (mount[func]) Sending /func/minion.conf to taygeta.in.my.domain.net
Mar 22 19:27:46 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/hosts(77e5627ac7ecb8272537b0c21df17509) from taygeta.in.my.domain.net
Mar 22 19:27:46 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/munin/munin-node.conf(d3c68bb49ead97ed80dc09ff93dd7677) from taygeta.in.my.domain.net
Mar 22 19:27:49 master puppetmasterd[25060]: (mount[smarthost]) Sending /smarthost/aliases to taygeta.in.my.domain.net
Mar 22 19:28:20 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/yum/yum-updatesd.conf(6561f7f46ec1c661100bdba640329d50) from taygeta.in.my.domain.net
Mar 22 19:28:21 master puppetmasterd[25060]: (mount[func]) Sending /func/func_minion.conf to taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:28:15 +0100 2009
Mar 22 19:29:15 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:29:15 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:29:16 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.61 seconds
--------------------------------------------------------------------------------

It's strange because there's nothing in the audit.log saying that selinux has denied any action to puppetd. Moreover, if I try:
# puppetd --test --server master
It works!

Version-Release number of selected component (if applicable):
puppet-0.24.7-4.fc10.noarch
puppet-0.24.7-5.fc11.noarch

How reproducible:
seems static

Steps to Reproduce:
1. boot with SELINUX=enforcing or SELINUX=permissive
2. make some changes in files provided by the puppet master
3. start puppet on the client
4. reboot with SELINUX=disabled
5. start puppet on the client
  
Actual results:
Files are not downloaded or written on the client

Expected results:
Files should be downloaded and written on the client

Comment 1 Todd Zullinger 2009-03-22 20:43:23 UTC
This sounds similar to the problem from upstream ticket 1963¹.  This is fixed in the current 0.24.8rc1 (which is slated to be released as 0.24.8 in the next day or so).  If you can, you might want to test the packages I made for 0.24.8rc1 and see if the problem persists.  Those packages are at:

    http://tmz.fedorapeople.org/repo/puppet/

¹ http://projects.reductivelabs.com/issues/show/1963

Comment 2 Edouard Bourguignon 2009-03-23 07:46:01 UTC
I have upgraded my clients to puppet-0.24.8-0.1.rc1.fc10.noarch.rpm and it works perfectly with selinux. Thank you!

Comment 3 Todd Zullinger 2009-03-24 04:48:23 UTC
Thanks for testing and confirming this fixed the problem.  Puppet 0.24.8 was released yesterday and has been built for rawhide¹.  It might take a few days or so for it to show up due to the F11 Beta freeze.

¹ https://koji.fedoraproject.org/koji/buildinfo?buildID=95192