Bug 669772

Summary: puppetmaster needs to write to mysql socket
Product: [Fedora] Fedora Reporter: Ruben Kerkhof <ruben>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-101.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-02 22:31:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ruben Kerkhof 2011-01-14 17:46:24 UTC 
Description of problem:

We're using the 'storedconfigs' option of puppet to store facts in a mysql database.

When starting puppetmaster, this triggers the following AVCs:

type=AVC msg=audit(1295026430.574:161288): avc:  denied  { search } for  pid=9176 comm="puppetmasterd" name="mysql" dev=vda1 ino=83250 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1295026430.574:161288): avc:  denied  { write } for  pid=9176 comm="puppetmasterd" name="mysql.sock" dev=vda1 ino=82004 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1295026430.574:161288): avc:  denied  { connectto } for  pid=9176 comm="puppetmasterd" path="/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
Comment 1 Daniel Walsh 2011-01-14 18:13:25 UTC 
What other backends are available? Postgresq?
Comment 2 Ruben Kerkhof 2011-01-14 19:02:59 UTC 
According to http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration sqlite, mysql and postgresql.
Comment 3 Daniel Walsh 2011-01-14 19:47:45 UTC 
Ok, one last question, should this be the default or should we add a boolean to allow puppetmasterd to connect to a database?  And I think the easiest way to answer this would be how common would a user be hit with this problem.
Comment 4 Ruben Kerkhof 2011-01-14 20:00:21 UTC 
As soon as you're using puppets 'exported resources' you have to use the storedconfig option and use a database to store those resources in (or a message queue, but that's a different story).

It's hard to say, but my guess is most people using puppet won't need this.

As soon as they start using storedconfigs they have to configure stuff anyhow, so turning a boolean on won't be a problem.
Comment 5 Daniel Walsh 2011-01-14 20:31:47 UTC 
Miroslav add puppetmaster_uses_db and allow it to talk to postgresql and mysql.
Comment 6 Miroslav Grepl 2011-01-17 09:30:57 UTC 
Fixed in selinux-policy-3.7.19-82.fc13
Comment 7 Ruben Kerkhof 2011-02-22 22:58:05 UTC 
I justed tested this, we're almost there.
It looks like the ruby mysql driver is trying to read some character set information:

type=AVC msg=audit(1298414625.077:639): avc:  denied  { getattr } for  pid=12322 comm="puppetmasterd" path="/usr/share/mysql/charsets/Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1298414625.077:639): arch=c000003e syscall=4 success=yes exit=0 a0=7fff0dc48a80 a1=7fff0dc489c0 a2=7fff0dc489c0 a3=7fff0dc48710 items=1 ppid=1 pid=12322 auid=10001 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=74 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=CWD msg=audit(1298414625.077:639):  cwd="/"
type=PATH msg=audit(1298414625.077:639): item=0 name="/usr/share/mysql/charsets/Index.xml" inode=106619 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=AVC msg=audit(1298414625.078:640): avc:  denied  { read } for  pid=12322 comm="puppetmasterd" name="Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1298414625.078:640): avc:  denied  { open } for  pid=12322 comm="puppetmasterd" name="Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1298414625.078:640): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7fff0dc48a80 a1=0 a2=1b0 a3=7fff0dc48720 items=1 ppid=1 pid=12322 auid=10001 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=74 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
Comment 8 Miroslav Grepl 2011-02-23 11:36:54 UTC 
ok, I am adding

files_read_usr_files(puppetmaster_t)
Comment 9 Fedora Update System 2011-03-16 17:53:18 UTC 
selinux-policy-3.7.19-101.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-101.fc13
Comment 10 Fedora Update System 2011-05-02 22:31:05 UTC 
selinux-policy-3.7.19-101.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.