Bug 491532 - puppet, files and selinux
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: puppet
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Reported: 2009-03-22 14:48 EDT by Edouard Bourguignon
Modified: 2009-03-24 00:48 EDT
Doc Type: Bug Fix
Last Closed: 2009-03-24 00:48:23 EDT

Description Edouard Bourguignon 2009-03-22 14:48:32 EDT
Description of problem:

I've got a strange problem on some hosts. Puppet clients connect to the puppet master server, grab their catalog, but don't even try to download their files from puppet fileserver (source or template). 

Log on the puppet master (client SELINUX=enforcing or permissive):
--------------------------------------------------------------------------------
Mar 22 19:21:40 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:21:40 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:20:40 +0100 2009
Mar 22 19:21:40 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module network
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module smarthost
Mar 22 19:21:41 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:21:41 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module yum-updatesd
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module munin-node
Mar 22 19:21:42 master puppetmasterd[25060]: Autoloaded module func
Mar 22 19:21:42 master puppetmasterd[25060]: Autoloaded module func
Mar 22 19:21:42 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 1.35 seconds
--------------------------------------------------------------------------------

Now, if I set SELinux to disabled on those clients, it works perfectly.

Log on the puppet master (client SELINUX=disabled):
--------------------------------------------------------------------------------
Mar 22 19:26:36 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:26:36 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:25:36 +0100 2009
Mar 22 19:26:36 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:26:36 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:26:36 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:26:37 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.60 seconds
Mar 22 19:26:39 master puppetmasterd[25060]: (mount[func]) Sending /func/minion.conf to taygeta.in.my.domain.net
Mar 22 19:27:46 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/hosts(77e5627ac7ecb8272537b0c21df17509) from taygeta.in.my.domain.net
Mar 22 19:27:46 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/munin/munin-node.conf(d3c68bb49ead97ed80dc09ff93dd7677) from taygeta.in.my.domain.net
Mar 22 19:27:49 master puppetmasterd[25060]: (mount[smarthost]) Sending /smarthost/aliases to taygeta.in.my.domain.net
Mar 22 19:28:20 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/yum/yum-updatesd.conf(6561f7f46ec1c661100bdba640329d50) from taygeta.in.my.domain.net
Mar 22 19:28:21 master puppetmasterd[25060]: (mount[func]) Sending /func/func_minion.conf to taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:28:15 +0100 2009
Mar 22 19:29:15 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:29:15 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:29:16 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.61 seconds
--------------------------------------------------------------------------------

It's strange because there's nothing in the audit.log saying that selinux has denied any action to puppetd. Moreover, if I try:
# puppetd --test --server master
It works!

Version-Release number of selected component (if applicable):
puppet-0.24.7-4.fc10.noarch
puppet-0.24.7-5.fc11.noarch

How reproducible:
seems static

Steps to Reproduce:
1. boot with SELINUX=enforcing or SELINUX=permissive
2. make some changes in files provided by the puppet master
3. start puppet on the client
4. reboot with SELINUX=disabled
5. start puppet on the client
  
Actual results:
Files are not downloaded or written on the client

Expected results:
Files should be downloaded and written on the client
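
A triage aid for the log comparison made in the description, added here as an example and not part of the original report: it groups puppetmasterd syslog lines into per-client catalog runs and lists the runs after which no `Sending` line was logged. The function names and the trimmed sample log are constructed for illustration; a run with no files sent is also what an already in-sync client looks like, so treat hits as hosts to check rather than as proof of the bug.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the master log lines quoted in the report.
SAMPLE_LOG = """\
Mar 22 19:21:40 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:21:42 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 1.35 seconds
Mar 22 19:26:37 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.60 seconds
Mar 22 19:26:39 master puppetmasterd[25060]: (mount[func]) Sending /func/minion.conf to taygeta.in.my.domain.net
Mar 22 19:27:49 master puppetmasterd[25060]: (mount[smarthost]) Sending /smarthost/aliases to taygeta.in.my.domain.net
Mar 22 19:29:16 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.61 seconds
"""

# Syslog prefix: timestamp, host, "puppetmasterd[pid]:", then the message.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ puppetmasterd\[\d+\]: (.*)$")
COMPILED = re.compile(r"^Compiled catalog for (\S+) in [\d.]+ seconds$")
SENDING = re.compile(r"^\(mount\[([^\]]+)\]\) Sending (\S+) to (\S+)$")


def catalog_runs(log_text):
    """Return {client: [{"compiled_at": ts, "files": [paths]}, ...]}.

    Each "Compiled catalog" line opens a run for that client; every later
    "Sending ... to <client>" line is credited to the client's latest run.
    """
    runs = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a puppetmasterd syslog line
        ts, msg = m.groups()
        compiled = COMPILED.match(msg)
        if compiled:
            runs[compiled.group(1)].append({"compiled_at": ts, "files": []})
            continue
        sending = SENDING.match(msg)
        if sending:
            client_runs = runs.get(sending.group(3))
            if client_runs:  # ignore sends seen before any compile line
                client_runs[-1]["files"].append(sending.group(2))
    return dict(runs)


def runs_without_files(log_text):
    """List (client, compile timestamp) for runs with no file served."""
    return [(client, run["compiled_at"])
            for client, client_runs in catalog_runs(log_text).items()
            for run in client_runs if not run["files"]]


if __name__ == "__main__":
    for client, ts in runs_without_files(SAMPLE_LOG):
        print(f"{ts}  {client}: catalog compiled, no files served")
```
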
Comment 1 Todd Zullinger 2009-03-22 16:43:23 EDT
This sounds similar to the problem from upstream ticket 1963¹.  This is fixed in the current 0.24.8rc1 (which is slated to be released as 0.24.8 in the next day or so).  If you can, you might want to test the packages I made for 0.24.8rc1 and see if the problem persists.  Those packages are at:

    http://tmz.fedorapeople.org/repo/puppet/

¹ http://projects.reductivelabs.com/issues/show/1963
Comment 2 Edouard Bourguignon 2009-03-23 03:46:01 EDT
I have upgraded my clients to puppet-0.24.8-0.1.rc1.fc10.noarch.rpm and it works perfectly with selinux. Thank you!
Comment 3 Todd Zullinger 2009-03-24 00:48:23 EDT
Thanks for testing and confirming this fixed the problem.  Puppet 0.24.8 was released yesterday and has been built for rawhide¹.  It might take a few days or so for it to show up due to the F11 Beta freeze.

¹ https://koji.fedoraproject.org/koji/buildinfo?buildID=95192
