Bug 680255

Summary: Incorrect SELinux contexts on /var/lib/puppet/ sub-directories
Product: [Fedora] Fedora EPEL Reporter: Scott Merrill <skippy>
Component: puppetAssignee: Jeroen van Meeuwen <vanmeeuwen+fedora>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: el6CC: dwalsh, herrold, k.georgiou, mgrepl, orion, tmz, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-17 21:43:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Merrill 2011-02-24 20:05:03 UTC 
Description of problem:
We migrated an existing Puppet service from a RHEL5 system to a RHEL6 system. Both use EPEL for the Puppet RPMs. According to a post on the Puppet mailing list (http://bit.ly/dJ2ZPM), the only piece of the old server necessary on the new Puppet server is a copy of /var/lib/puppet/ssl/ca. I installed the Puppet RPMs on the new server, and copied over /var/lib/puppet/ssl/ca. My clients can connect to the new Puppet server, and puppetmaster seems to be functioning properly. However, numerous entries are being recorded in the audit log for puppetmasterd:

type=AVC msg=audit(1298577189.194:14815): avc:  denied  { search } for  pid=6979 comm="puppetmasterd" name="pki" dev=dm-0 ino=129841 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.194:14815): arch=c000003e syscall=2 success=no exit=-13 a0=7f508a8d2643 a1=0 a2=1b6 a3=0 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.742:14816): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="lib" dev=dm-0 ino=1510 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.742:14816): arch=c000003e syscall=189 success=no exit=-13 a0=26ede80 a1=7f5089414d59 a2=26f7e30 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.745:14817): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="facts" dev=dm-0 ino=12458 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.745:14817): arch=c000003e syscall=189 success=no exit=-13 a0=2704420 a1=7f5089414d59 a2=270e3c0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.749:14818): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="rrd" dev=dm-0 ino=12461 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.749:14818): arch=c000003e syscall=189 success=no exit=-13 a0=27216a0 a1=7f5089414d59 a2=272b640 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.753:14819): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="yaml" dev=dm-0 ino=12480 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.753:14819): arch=c000003e syscall=189 success=no exit=-13 a0=273e850 a1=7f5089414d59 a2=27487f0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.757:14820): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="reports" dev=dm-0 ino=12481 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.757:14820): arch=c000003e syscall=189 success=no exit=-13 a0=275ba10 a1=7f5089414d59 a2=27659b0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.761:14821): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="ssl" dev=dm-0 ino=12482 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.761:14821): arch=c000003e syscall=189 success=no exit=-13 a0=2774cd0 a1=7f5089414d59 a2=277ec70 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.764:14822): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="certs" dev=dm-0 ino=12483 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.764:14822): arch=c000003e syscall=189 success=no exit=-13 a0=278de80 a1=7f5089414d59 a2=2798aa0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.768:14823): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="private_keys" dev=dm-0 ino=12484 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.768:14823): arch=c000003e syscall=189 success=no exit=-13 a0=27a7fc0 a1=7f5089414d59 a2=27b2be0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.771:14824): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="public_keys" dev=dm-0 ino=12485 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.771:14824): arch=c000003e syscall=189 success=no exit=-13 a0=27c1920 a1=7f5089414d59 a2=27cc540 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.774:14825): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="certificate_requests" dev=dm-0 ino=12486 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.774:14825): arch=c000003e syscall=189 success=no exit=-13 a0=27db270 a1=7f5089414d59 a2=27e5ef0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.777:14826): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="private" dev=dm-0 ino=12487 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.777:14826): arch=c000003e syscall=189 success=no exit=-13 a0=27f5420 a1=7f5089414d59 a2=2800040 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.825:14827): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="bucket" dev=dm-0 ino=12488 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.825:14827): arch=c000003e syscall=189 success=no exit=-13 a0=2537a30 a1=7f5089414d59 a2=ef8e00 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.830:14828): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="state" dev=dm-0 ino=12489 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.830:14828): arch=c000003e syscall=189 success=no exit=-13 a0=b3aba0 a1=7f5089414d59 a2=1293060 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.836:14829): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="masterhttp.log" dev=dm-0 ino=12490 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298577189.836:14829): arch=c000003e syscall=189 success=no exit=-13 a0=c86c40 a1=7f5089414d59 a2=26f8060 a3=22 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.873:14830): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="ca" dev=dm-0 ino=12491 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.873:14830): arch=c000003e syscall=189 success=no exit=-13 a0=ffe840 a1=7f5089414d59 a2=d6bf30 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.877:14831): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="requests" dev=dm-0 ino=12492 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.877:14831): arch=c000003e syscall=189 success=no exit=-13 a0=215d690 a1=7f5089414d59 a2=26988e0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.881:14832): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="signed" dev=dm-0 ino=12493 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.881:14832): arch=c000003e syscall=189 success=no exit=-13 a0=25be620 a1=7f5089414d59 a2=2804070 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.885:14833): avc:  denied  { relabelto } for  pid=6979 comm="puppetmasterd" name="private" dev=dm-0 ino=12494 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.885:14833): arch=c000003e syscall=189 success=no exit=-13 a0=278f330 a1=7f5089414d59 a2=27a1da0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

/var/lib/puppet has the following context immediately after installing the puppet-server RPM:
system_u:object_r:puppet_var_lib_t:s0

Starting the puppetmaster service for the first time creates a number of directories in /var/lib/puppet with the following context:
unconfined_u:object_r:puppet_var_lib_t:s0

I manually changed contexts thus:
chcon -R -u system_u /var/lib/puppet/ssl/ca
chcon -R -u system_u /var/lib/puppet/yaml
chcon -R -u system_u /var/lib/puppet/reports/
chcon -R -u system_u /var/lib/puppet/reports
chcon -R -u system_u /var/lib/puppet/rrd
chcon -R -u system_u /var/lib/puppet/bucket
chcon -R -u system_u /var/log/puppet/masterhttp.log

This seems to have resolved the problems, and puppetmaster no longer logs any denials in the audit log.

Version-Release number of selected component (if applicable):
puppet-0.25.5-1.el6.noarch
puppet-server-0.25.5-1.el6.noarch

How reproducible:
I created a KVM virtual machine running RHEL6. Subscribed to server-6 and server-optional-6 channels in Red Hat Network, as well as EPEL. Upon installing and launching puppetmasterd, I see the same problems as I saw on my production server.

Steps to Reproduce:
1. yum install puppet-server
2. ls -lZ /var/lib | grep puppet
3. service puppetmaster start
4. ls -lZ /var/lib/puppet
  
Actual results:
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 bucket
drwxr-xr-x. root   root   unconfined_u:object_r:puppet_var_lib_t:s0 facts
drwxr-xr-x. root   root   unconfined_u:object_r:puppet_var_lib_t:s0 lib
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 reports
drwxr-xr-x. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 rrd
drwxrwx--x. puppet root   unconfined_u:object_r:puppet_var_lib_t:s0 ssl
drwxr-xr-t. root   root   unconfined_u:object_r:puppet_var_lib_t:s0 state
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 yaml

Expected results:
I expected the context to be system_u:object_r:puppet_var_lib_t:s0 for each of the directories.

Additional info:
Comment 1 Todd Zullinger 2011-02-24 20:49:15 UTC 
Dan,

Is the best course of action here to update selinux-policy so these directories pick up the proper context?  Or can we create them in the rpm and achieve the same result?  (Having directories which are created on demand get the right context seems like the best move, if possible.  It would keep us from having to create directories that are not strictly needed.)
Comment 2 Daniel Walsh 2011-02-24 21:13:15 UTC 
The user componant of the SELinux context indicates which user created the files.  If they were default labeled they would be system_u.  If you restarted a service as an admin and the service created the directories/files they would get labeled unconfined_u.  For the most part SELinux does not care.

We currently have restorecon ignore the user componant when it looks to see if files are different then the default, unless you run the -F command.

Since you have builtin restorecon into puppetmaster, we need to allow it additional access.


Miroslav puppetmaster needs

domain_obj_id_change_exemption(puppetmaster_t)


in RHEL6, you probably want to back port the full policy from F15.
Comment 3 Orion Poplawski 2012-04-17 21:43:01 UTC 
I think this has been fixed.