1364124 – Invalid selinux context errors in journalctl for some puppet objects

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1364124 - Invalid selinux context errors in journalctl for some puppet objects

Summary: Invalid selinux context errors in journalctl for some puppet objects

Keywords:
Status:	CLOSED DUPLICATE of bug 1202924
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Provisioning
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-04 14:04 UTC by James Olin Oden
Modified:	2017-05-12 08:09 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-05-12 08:09:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
journalctl log (24.16 KB, text/plain) 2016-08-04 14:04 UTC, James Olin Oden	no flags	Details
View All

Description James Olin Oden 2016-08-04 14:04:08 UTC

Created attachment 1187522 [details]
journalctl log

Description of problem:
I was looking in journalctl sometime after fusor-installer had ran and noted these errors:

Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
***
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_etc_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_log_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_run_t:s0
Aug 02 14:14:02 b.b.b puppet-master[2710]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_run_t:s0

There were more.   I'll attach the entire journalctl.

Version-Release number of selected component (if applicable):
QCI-1.0-RHEL-7-20160801.t.2

How reproducible:
I don't if it is or isn't.  I'm not sure what triggered it.

Steps to Reproduce:
1.  Install QCI
2.  Configure with fusor-installer
3.  Check journalctl.

Actual results:
These selinux file context errors.

Expected results:
No file context errors.

Comment 1 James Olin Oden 2016-08-04 18:56:13 UTC

I was not able to recreate this just by re-installing and running fusor-installer.   I checked before I ran it too.   There is this error in there after I ran fusor-installer:

Aug 04 14:42:32 b.b.b puppet-agent[16302]: Starting Puppet client version 3.8.6
Aug 04 14:42:32 b.b.b puppet-agent[16415]: Unable to fetch my node definition, but the agent run will continue:
Aug 04 14:42:32 b.b.b puppet-agent[16415]: Connection refused - connect(2)
Aug 04 14:42:32 b.b.b puppet-agent[16415]: (/File[/var/lib/puppet/facts.d]) Failed to generate additional resources using 'eval_generate': Connection refused - connect(2)
Aug 04 14:42:32 b.b.b puppet-agent[16415]: (/File[/var/lib/puppet/facts.d]) Could not evaluate: Could not retrieve file metadata for puppet://b.b.b/pluginfacts: Connection refused - connect(2)
Aug 04 14:42:32 b.b.b puppet-agent[16415]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate': Connection refused - connect(2)
Aug 04 14:42:32 b.b.b puppet-agent[16415]: (/File[/var/lib/puppet/lib]) Could not evaluate: Could not retrieve file metadata for puppet://b.b.b/plugins: Connection refused - connect(2)
Aug 04 14:42:35 b.b.b puppet-agent[16415]: Could not retrieve catalog from remote server: Connection refused - connect(2)
Aug 04 14:42:35 b.b.b puppet-agent[16415]: Using cached catalog
Aug 04 14:42:35 b.b.b puppet-agent[16415]: Could not retrieve catalog; skipping run
Aug 04 14:42:35 b.b.b puppet-agent[16415]: Could not send report: Connection refused - connect(2)
Aug 04 14:42:35 b.b.b puppet[16302]: /usr/share/ruby/vendor_ruby/puppet/agent.rb:87:in `exit': no implicit conversion from nil to integer (TypeError)
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:87:in `block in run_in_fork'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:84:in `fork'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:84:in `run_in_fork'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:43:in `block in run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:179:in `call'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:41:in `run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/daemon.rb:175:in `block in run_event_loop'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/scheduler/job.rb:49:in `call'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/scheduler/job.rb:49:in `run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:39:in `block in run_ready'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:34:in `each'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:34:in `run_ready'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:11:in `run_loop'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/daemon.rb:198:in `run_event_loop'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/daemon.rb:154:in `start'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:383:in `main'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:329:in `run_command'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `block (2 levels) in run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `block in run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/application.rb:381:in `run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
Aug 04 14:42:35 b.b.b puppet[16302]: from /usr/bin/puppet:8:in `<main>'

Comment 2 John Matthews 2016-08-10 14:54:36 UTC

James,

I think this is a Satellite issue and not specific to QCI.
Please reassign to Satellite.

Comment 3 James Olin Oden 2016-08-10 15:05:40 UTC

Resetting to be a Satellite bug.

Comment 4 Lukas Zapletal 2017-05-12 08:09:52 UTC

This is dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1202924 where we provided a workaround, which is only for RHEL 7.3+:

# cat > passenger-allow-check-context.cil <<EOF
(typeattributeset cil_gen_require passenger_t)
(typeattributeset cil_gen_require security_t)
(allow passenger_t security_t (file (append getattr ioctl lock open read write)))
(allow passenger_t security_t (security (check_context)))
EOF

# semodule -i passenger-allow-check-context.cil

*** This bug has been marked as a duplicate of bug 1202924 ***

Note You need to log in before you can comment on or make changes to this bug.