Bug 507499 - Puppet Appears To Cause ifconfig_t errors in Selinux When Host Runs Enforcing Mode
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: puppet
Version: 11
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-22 21:28 EDT by Bob Cochran
Modified: 2009-06-24 10:29 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-06-24 10:29:10 EDT


Attachments
Text of sealert related to this bug (2.52 KB, text/plain)
2009-06-22 21:29 EDT, Bob Cochran

Description Bob Cochran 2009-06-22 21:28:00 EDT
Description of problem:

Each time the puppetd process (from package 'puppet') does its half-hourly checkin with the puppetmaster server, a large number of ifconfig_t denials are experienced when the host machine is running SELinux full enforcing mode. It generates only two such messages if the host machine is running in permissive mode. 

Sample messages:

Jun 22 20:36:49 deafeng3 puppetmasterd[2317]: Compiled catalog for deafeng7.signtype.info in 0.00 seconds
Jun 22 20:43:36 deafeng3 puppetmasterd[2317]: Compiled catalog for deafeng3.signtype.info in 0.00 seconds
Jun 22 20:43:36 deafeng3 puppetd[2594]: Starting catalog run
Jun 22 20:43:36 deafeng3 puppetd[2594]: Finished catalog run in 0.02 seconds
Jun 22 20:43:37 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:37 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:38 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:39 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:40 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:40 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:40 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:41 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:42 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:43 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:44 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:44 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:44 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:45 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 20:43:45 deafeng3 setroubleshoot: SELinux is preventing ifconfig (ifconfig_t) "read" security_t. For complete SELinux messages. run sealert -l 4844399e-6861-497f-b883-5d9cbe05fa79
Jun 22 21:04:10 deafeng3 kernel: CE: hpet increasing min_delta_ns to 75936 nsec



Version-Release number of selected component (if applicable):

puppet-0.24.8-1.fc11.noarch

How reproducible:

Always happens, but possibly not on each puppet checkin. Numerous denials in full enforcing mode.

Steps to Reproduce:
1. Start puppet client on a machine which runs SELinux in full enforcing mode.
2. Allow client to attempt to connect to puppetmaster server.
Actual results:

AVC denials will be produced as shown above.

Expected results:

Puppet client should run without avc denials regardless of SELinux mode.

Additional info:

This problem appears to be associated with puppetd, but I notice that avc messages don't show up after some puppet checkins, though they do seem to follow other checkins. I also noticed this same type of error after I stopped the puppet server while trying to fix DNS and firewall problems of my own making that were preventing puppet from connecting to the puppetmaster.

An attachment containing the sealert output that the AVC messages suggest is supplied.

I am cc'ing Dan Walsh since this would seem to involve him. And I could be wrong about which component is producing the denials.
Comment 1 Bob Cochran 2009-06-22 21:29:05 EDT
Created attachment 349023 [details]
Text of sealert related to this bug
Comment 2 Daniel Walsh 2009-06-23 16:46:39 EDT
You can add these rules now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-57.fc11
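The `grep avc | audit2allow` recipe above turns every denial in audit.log into an allow rule, including ones unrelated to this bug. The script below is an added example, not from this comment or from the Fedora packages: it selects only AVC records whose source type is ifconfig_t and whose target type is security_t before handing them to audit2allow, so the local module grants nothing else. The audit records embedded in it are constructed samples; the name=, ino= and pid= values are placeholders.

```shell
#!/bin/sh
# Added example (not part of the bug report): build a local SELinux policy
# module only from the AVC denials that match the source and target types
# under discussion, instead of every denial ever logged. The sample audit
# records at the bottom are constructed for illustration.
set -e

# select_avc FILE SOURCE_TYPE TARGET_TYPE
# Print only AVC denial records whose scontext type is SOURCE_TYPE and
# whose tcontext type is TARGET_TYPE (the third field of user:role:type:level).
select_avc() {
    awk -v src="$2" -v tgt="$3" '
        /^type=AVC / && / denied / {
            s = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            }
            if (s == src && t == tgt) print
        }' "$1"
}

# count_avc FILE SOURCE_TYPE TARGET_TYPE: number of matching records.
count_avc() {
    select_avc "$1" "$2" "$3" | wc -l | tr -d ' '
}

# build_module FILE SOURCE_TYPE TARGET_TYPE NAME
# Feed the selected records to audit2allow (as in comment 2) when it is
# installed; the resulting NAME.pp is then loaded with: semodule -i NAME.pp
build_module() {
    if command -v audit2allow >/dev/null 2>&1; then
        select_avc "$1" "$2" "$3" | audit2allow -M "$4"
    else
        echo "audit2allow not installed; review the selected records by hand:" >&2
        select_avc "$1" "$2" "$3" >&2
        return 1
    fi
}

# Constructed sample audit.log: two ifconfig_t denials on security_t plus one
# unrelated httpd_t denial that a blanket 'grep avc | audit2allow' would also allow.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=AVC msg=audit(1245717817.101:301): avc:  denied  { read } for  pid=2601 comm="ifconfig" name="placeholder" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245717817.102:302): avc:  denied  { read } for  pid=2602 comm="ifconfig" name="placeholder" dev=selinuxfs ino=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245717900.500:310): avc:  denied  { write } for  pid=2700 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
```

On a real host, replace `$SAMPLE_LOG` with /var/log/audit/audit.log and run `build_module /var/log/audit/audit.log ifconfig_t security_t mypol`; inspect the generated mypol.te before loading it.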
Comment 3 Bob Cochran 2009-06-23 22:12:53 EDT
Dan, thanks a lot. Here is what I did on two different machines (my puppetmaster server and a second Fedora 11, i386 machine acting mainly as a puppet client right now):

[root@deafeng3 ~]# grep avc /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@deafeng3 ~]# semodule -i mypol.pp
[root@deafeng3 ~]# 


I believe these messages in /var/log/messages might be related to the above:

Jun 23 22:04:01 deafeng3 dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Jun 23 22:04:01 deafeng3 dbus: avc:  received policyload notice (seqno=2)
Jun 23 22:04:01 deafeng3 dbus: Reloaded configuration

The above is for my puppetmaster server machine. On the client machine, I got the same messages, but the 'received policyload notice' message appeared first, followed by the 'Can't send to audit system' message, followed by the 'Reloaded configuration' message.

I'll keep an eye out for the avc denial messages and report any that show up. Hopefully I can return both machines to enforcing mode.

Bob
Comment 4 Jeroen van Meeuwen 2009-06-24 10:28:55 EDT
I believe this is resolved then? If not, please reopen. Thanks!
Comment 5 Jeroen van Meeuwen 2009-06-24 10:29:10 EDT
I believe this is resolved then? If not, please reopen. Thanks!
