Created attachment 351028
patch util.rb to use pipes instead of tmp files

Puppet generates lots of SELinux alerts, and fails in enforcing mode, because it hands out FDs of files in /tmp directly to confined executables. Example, when handing out a config file to rsyslog:

2009-05-05T12:49:47 (12:49) kern.notice<5> kernel: audit(1241527787.722:458224): avc: denied { read write } for pid=18041 comm="rsyslogd" path="/tmp/puppet.27941.0" dev=dm-3 ino=98313 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file

I adapted the patch from the linked upstream ticket for 0.24.8. It removes the need for tmp files, and instead pipes directly into the target programs. I'm using it in production and so far it's stable. I believe it should be included in the EPEL distrib of puppet, since without this it's pretty much impossible to puppet on RHEL in Enforcing mode.
I think the upstream ticket makes it clear that upstream isn't sure that this patch fixes more problems than it solves. I'm not sure it's in anyone's best interest to deviate from upstream in this way. We have another open bug for puppet leaking file descriptors (#460039). With the next puppet update we'll have the permissions of /var/run/puppet fixed and then we can move ahead with using that dir for output files rather than /tmp. That should allow SELinux policy to allow confined domains to write these temporary puppet files.
For what it's worth, there is also an upstream ticket on this with a patch, although I'm not familiar with upstream's history with this issue: http://projects.reductivelabs.com/issues/2731 I had no idea this bug was so widely reported and that patches already existed :-) This is essentially the same bug as #460039, #546550, and #539596.
Still an issue. Now moved to bug http://projects.reductivelabs.com/issues/3033
I'm closing this out, as it's something we'll pick up if/when it is fixed upstream.