Bug 510432 - [PATCH] Selinux compatibilty: change Util::Execute to use pipes instead of tmp files for capturing output
[PATCH] Selinux compatibilty: change Util::Execute to use pipes instead of tm...
Product: Fedora EPEL
Classification: Fedora
Component: puppet (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Jeroen van Meeuwen
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-07-09 05:04 EDT by Nicolas MONNET
Modified: 2013-03-18 11:07 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-03-18 11:07:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch util.rb to use pipes instead of tmp files (3.44 KB, patch)
2009-07-09 05:04 EDT, Nicolas MONNET
no flags Details | Diff

  None (edit)
Description Nicolas MONNET 2009-07-09 05:04:56 EDT
Created attachment 351028 [details]
patch util.rb to use pipes instead of tmp files

Puppet generates lots of SELinux alerts, and fails in enforcing mode, because it hands out FDs of files in /tmp directly to confined executables. 

Example, when handing out a config file to rsyslog:

2009-05-05T12:49:47 (12:49) kern.notice<5> kernel: audit(1241527787.722:458224): avc:  denied  { read write } for  pid=18041 comm="rsyslogd" path="/tmp/puppet.27941.0" dev=dm-3 ino=98313 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:initrc_tmp_t:s0 tclass=file

I adapted the patch from the linked upstream ticket for 0.24.8. It removes the need for tmp files, and instead pipes directly into the target programs. I'm using it in production and so far it's stable.

I believe it should be included in the EPEL distrib of puppet, since without this it's pretty much impossible to puppet on RHEL in Enforcing mode.
Comment 1 Todd Zullinger 2009-07-09 09:39:05 EDT
I think the upstream ticket makes it clear that upstream isn't sure that this patch fixes more problems than it solves.  I'm not sure it's in anyone's best interest to deviate from upstream in this way.

We have another open bug for puppet leaking file descriptors (#460039).  With the next puppet update we'll have the permissions of /var/run/puppet fixed and then we can move ahead with using that dir for output files rather than /tmp.  That should allow SELinux policy to allow confined domains to write the these temporary puppet files.
Comment 2 Ricky Zhou 2009-12-21 15:27:54 EST
For what it's worth, there is also an upstream ticket on this with a patch, although I'm not familiar with upstream's history with this issue: http://projects.reductivelabs.com/issues/2731

I had no idea this bug was so widely reported and that patches already existed :-)

This is essentially the same bug as #460039, #546550, and #539596.
Comment 3 Peter Robinson 2011-11-29 12:17:01 EST
Still an issue. Now moved to bug http://projects.reductivelabs.com/issues/3033
Comment 4 Todd Zullinger 2013-03-18 11:07:51 EDT
I'm closing this out, as it's something we'll pick up if/when it is fixed upstream.

Note You need to log in before you can comment on or make changes to this bug.