Bug 507499

Summary: Puppet Appears To Cause ifconfig_t errors in Selinux When Host Runs Enforcing Mode
Product: Fedora
Component: puppet
Version: 11
Reporter: Bob Cochran <cochranb>
Assignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, k.georgiou, tmz, vanmeeuwen+fedora
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: low
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-24 14:29:10 UTC
Attachments: Text of sealert related to this bug (flags: none)

Description Bob Cochran 2009-06-23 01:28:00 UTC
Description of problem:

Each time the puppetd process (from package 'puppet') does its half-hourly checkin with the puppetmaster server, a large number of ifconfig_t denials are experienced when the host machine is running SELinux full enforcing mode. It generates only two such messages if the host machine is running in permissive mode. 

Sample messages:

Jun 22 20:36:49 deafeng3 puppetmasterd[2317]: Compiled catalog for deafeng7.signtype.info in 0.00 seconds
Jun 22 20:43:36 deafeng3 puppetmasterd[2317]: Compiled catalog for deafeng3.signtype.info in 0.00 seconds
Jun 22 20:43:36 deafeng3 puppetd[2594]: Starting catalog run
Jun 22 20:43:36 deafeng3 puppetd[2594]: Finished catalog run in 0.02 seconds
Jun 22 20:43:37 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:37 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:40 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:40 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:40 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:44 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:44 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:44 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:45 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:45 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 21:04:10 deafeng3 kernel: CE: hpet increasing min_delta_ns to 75936 nsec
Version-Release number of selected component (if applicable):

puppet-0.24.8-1.fc11.noarch

How reproducible:

Always happens, but possibly not on each puppet checkin. Numerous denials in full enforcing mode.

Steps to Reproduce:
1. Start puppet client on a machine which runs SELinux in full enforcing mode.
2. Allow client to attempt to connect to puppetmaster server.
Actual results:

AVC denials will be produced as shown above.

Expected results:

Puppet client should run without avc denials regardless of SELinux mode.

Additional info:

This problem appears to be associated with puppetd, but I notice that avc messages don't show up after some puppet checkins, although they do seem to follow other checkins. I also noticed this same type of error after I stopped the puppet server while trying to fix DNS and firewall problems of my own making that were preventing puppet from connecting to the puppetmaster.

An attachment containing the sealert output that the AVC messages suggest is supplied.

I am cc'ing Dan Walsh since this would seem to involve him. And I could be wrong about which component is producing the denials.

Comment 1 Bob Cochran 2009-06-23 01:29:05 UTC
Created attachment 349023 [details]
Text of sealert related to this bug

Comment 2 Daniel Walsh 2009-06-23 20:46:39 UTC
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
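
As an added example (not from this bug report or from the Fedora packages), the script below summarises the denials in an audit.log in the form audit2allow sees them; the file name and the sample audit lines are constructed. Piping the whole log into audit2allow -M turns every denial in it into an allow rule, so reviewing this summary first keeps the local module limited to the ifconfig_t/security_t pair this bug is about.

```shell
#!/bin/sh
# Added example, not part of the bug report. Summarise SELinux AVC denials
# before generating a local policy module from them with audit2allow.
# AUDIT_LOG defaults to a temporary file filled with constructed sample lines.

AUDIT_LOG="${AUDIT_LOG:-$(mktemp)}"

# Constructed sample in /var/log/audit/audit.log format: two denials matching
# this bug (ifconfig_t reading security_t) plus one unrelated httpd_t denial.
cat > "$AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1245717817.101:301): avc:  denied  { read } for  pid=2701 comm="ifconfig" name="selinux" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1245717817.101:301): arch=40000003 syscall=5 success=no exit=-13 comm="ifconfig" exe="/sbin/ifconfig"
type=AVC msg=audit(1245717817.102:302): avc:  denied  { read } for  pid=2702 comm="ifconfig" name="selinux" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=AVC msg=audit(1245717817.900:303): avc:  denied  { write } for  pid=2710 comm="httpd" name="index.html" dev=sda1 ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF

# One line per distinct (source type, target type, class, permissions) tuple,
# prefixed with its count. Each tuple becomes an allow rule if the whole log
# is fed to "audit2allow -M", so anything unrelated to the bug under
# investigation (here the httpd_t line) should be removed from the input.
summarize_avc() {
    grep '^type=AVC ' "$1" | grep 'avc:  denied' |
    sed -n 's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 {\1}/p' |
    sort | uniq -c | sort -rn
}

# Count only the denials for this bug's pair (ifconfig_t reading security_t).
count_ifconfig_security_denials() {
    summarize_avc "$1" |
    awk '$2 == "ifconfig_t" && $3 == "security_t" { n += $1 } END { print n + 0 }'
}

summarize_avc "$AUDIT_LOG"
```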

Comment 3 Bob Cochran 2009-06-24 02:12:53 UTC
Dan, thanks a lot. Here is what I did on two different machines (my puppetmaster server and a second Fedora 11, i386 machine acting mainly as a puppet client right now):

[root@deafeng3 ~]# grep avc /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@deafeng3 ~]# semodule -i mypol.pp
[root@deafeng3 ~]# 


I believe these messages in /var/log/messages might be related to the above:

Jun 23 22:04:01 deafeng3 dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jun 23 22:04:01 deafeng3 dbus: avc:  received policyload notice (seqno=2)
Jun 23 22:04:01 deafeng3 dbus: Reloaded configuration

The above is for my puppetmaster server machine. On the client machine, I got the same messages, but the 'received policyload notice' message appeared first, followed by the 'Can't send to audit system' message, followed by the 'Reloaded configuration' message.

I'll keep an eye out for the avc denial messages and report any that show up. Hopefully I can return both machines to enforcing mode.

Bob

Comment 4 Jeroen van Meeuwen 2009-06-24 14:28:55 UTC
I believe this is resolved then? If not, please reopen. Thanks!

Comment 5 Jeroen van Meeuwen 2009-06-24 14:29:10 UTC
I believe this is resolved then? If not, please reopen. Thanks!