Summary: This happened when I run "service puppetmaster start".

SELinux is preventing /usr/bin/ruby "getattr" access on /usr/sbin/useradd.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this access is required by puppetmasterd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/useradd [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.8.6.399-1.fc13
Target RPM Packages           shadow-utils-4.1.4.2-5.fc13
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.x86_64 #1 SMP Thu May 13 05:16:23 UTC 2010 x86_64 x86_64
Alert Count                   8
First Seen                    Thu 27 May 2010 12:39:07 AM EEST
Last Seen                     Thu 27 May 2010 12:39:07 AM EEST
Local ID                      7b78a6d3-b614-4aa0-badb-448d981ca882
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1274909947.709:43): avc: denied { getattr } for pid=5626 comm="puppetmasterd" path="/usr/sbin/useradd" dev=dm-0 ino=306764 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274909947.709:43): arch=c000003e syscall=4 success=no exit=-13 a0=2d25e90 a1=7fff837a8d40 a2=7fff837a8d40 a3=81 items=0 ppid=5625 pid=5626 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

Hash String generated from  catchall,puppetmasterd,puppetmaster_t,useradd_exec_t,file,getattr

audit2allow suggests:

#============= puppetmaster_t ==============
allow puppetmaster_t useradd_exec_t:file getattr;
I'm using puppet-server-0.25.4-1.fc13.noarch.rpm.
It looks like there are changes for puppet-server. Can you execute

# semanage permissive -a puppetmaster_t

Then restart the puppetmaster service and use puppet and see which other AVCs are generated.
I removed everything from /var/lib/puppet/ and put only "node default {}" into /etc/puppet/manifests/site.pp. Then I ran these commands:

[root@hermes ~]# service puppetmaster start
Starting puppetmaster:                                     [  OK  ]
[root@hermes ~]# service puppet start
Starting puppet:                                           [  OK  ]
[root@hermes ~]# puppetca --list
[root@hermes ~]# service puppet restart
Stopping puppet:                                           [  OK  ]
Starting puppet:                                           [  OK  ]
[root@hermes ~]# service puppetmaster stop
Stopping puppetmaster:                                     [  OK  ]
[root@hermes ~]#

The following AVCs were generated:

----
time->Mon Jun 28 21:31:04 2010
type=SYSCALL msg=audit(1277749864.928:400): arch=c000003e syscall=2 success=yes exit=6 a0=f5e4d0 a1=0 a2=1b6 a3=0 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749864.928:400): avc: denied { open } for pid=24277 comm="puppetmasterd" name="file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1277749864.928:400): avc: denied { read } for pid=24277 comm="puppetmasterd" name="file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
----
time->Mon Jun 28 21:31:04 2010
type=SYSCALL msg=audit(1277749864.931:401): arch=c000003e syscall=5 success=yes exit=0 a0=6 a1=7fffe760c590 a2=7fffe760c590 a3=7fffe760c290 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749864.931:401): avc: denied { getattr } for pid=24277 comm="puppetmasterd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.130:402): arch=c000003e syscall=2 success=yes exit=6 a0=7fffe760d610 a1=2 a2=7fffe760d620 a3=fffffff8 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.130:402): avc: denied { read write } for pid=24277 comm="puppetmasterd" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.130:403): arch=c000003e syscall=1 success=yes exit=34 a0=6 a1=14b1c80 a2=22 a3=7fffe760d390 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.130:403): avc: denied { check_context } for pid=24277 comm="puppetmasterd" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.619:404): arch=c000003e syscall=189 success=yes exit=0 a0=e60d90 a1=3862415689 a2=24c45d0 a3=26 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.619:404): avc: denied { relabelto } for pid=24277 comm="puppetmasterd" name="state" dev=dm-2 ino=2767 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1277749865.619:404): avc: denied { relabelfrom } for pid=24277 comm="puppetmasterd" name="state" dev=dm-2 ino=2767 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
----
time->Mon Jun 28 21:31:05 2010
type=SYSCALL msg=audit(1277749865.735:405): arch=c000003e syscall=189 success=yes exit=0 a0=2171a60 a1=3862415689 a2=b3b360 a3=22 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749865.735:405): avc: denied { relabelto } for pid=24277 comm="puppetmasterd" name="masterhttp.log" dev=dm-2 ino=10824 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1277749865.735:405): avc: denied { relabelfrom } for pid=24277 comm="puppetmasterd" name="masterhttp.log" dev=dm-2 ino=10824 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_log_t:s0 tclass=file
----
time->Mon Jun 28 21:31:06 2010
type=SYSCALL msg=audit(1277749866.066:406): arch=c000003e syscall=2 success=yes exit=6 a0=3860941f42 a1=0 a2=7 a3=319827b400 items=0 ppid=24276 pid=24277 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=52 sgid=0 fsgid=52 tty=pts3 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1277749866.066:406): avc: denied { read } for pid=24277 comm="puppetmasterd" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
I'm afraid it seems much worse for the whole of ruby. Tried to run mongrel_cluster for an application located in /var/www and created with the default context?? That is a mess! mess!! And even permissive mode does not help?? Just a bit of the messages log:

lert -l d6afe031-ad22-4b37-9314-2a2bfc427c72
Jul 22 13:16:11 develop setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l cc5ea173-852c-4e3f-8cdc-37fe7a84d750
Jul 22 13:16:11 develop setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 70ae75e4-836a-4dda-968e-dd791af19eab
Jul 22 13:16:11 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l d0e31bb5-4bd8-4eee-8c91-5ad9585dc81a
Jul 22 13:16:12 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 1. For complete SELinux messages. run sealert -l a93cfe11-dbdc-4778-8cce-62017655facc
Jul 22 13:16:12 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l b87201f5-ff16-4e72-9495-7c69e42c6722
Jul 22 13:16:12 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 2. For complete SELinux messages. run sealert -l c3831940-fd01-4c4a-a079-f16911ca6c80
Jul 22 13:16:13 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 2. For complete SELinux messages. run sealert -l c3831940-fd01-4c4a-a079-f16911ca6c80
Jul 22 13:16:13 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files 2. For complete SELinux messages. run sealert -l c3831940-fd01-4c4a-a079-f16911ca6c80
Jul 22 13:16:13 develop setroubleshoot: SELinux is preventing /bin/ps "sys_ptrace" access . For complete SELinux messages. run sealert -l 7f5782c0-885a-45e0-af16-dd0292346d1e
Jul 22 13:16:14 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l be1496ee-a1da-4ec9-a368-a1e40a5d413f
Jul 22 13:16:14 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025R. For complete SELinux messages. run sealert -l 86989483-d938-4e9c-be05-1cb58548f3a5
Jul 22 13:16:15 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025R. For complete SELinux messages. run sealert -l 86989483-d938-4e9c-be05-1cb58548f3a5
Jul 22 13:16:15 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025R. For complete SELinux messages. run sealert -l 86989483-d938-4e9c-be05-1cb58548f3a5
Jul 22 13:16:15 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l 0eefed5c-19b7-496a-ab47-9ce0d855dbba
Jul 22 13:16:16 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025T. For complete SELinux messages. run sealert -l f2aef7c0-2aeb-407b-9420-8cd7c1729511
Jul 22 13:16:16 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025T. For complete SELinux messages. run sealert -l f2aef7c0-2aeb-407b-9420-8cd7c1729511
Jul 22 13:16:17 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files #025T. For complete SELinux messages. run sealert -l f2aef7c0-2aeb-407b-9420-8cd7c1729511
Jul 22 13:16:17 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files stat. For complete SELinux messages. run sealert -l 137aa39f-6af8-4775-82b9-6fe72f9081fd
Jul 22 13:16:18 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files stat. For complete SELinux messages. run sealert -l 137aa39f-6af8-4775-82b9-6fe72f9081fd
Jul 22 13:16:18 develop setroubleshoot: SELinux is preventing /bin/ps from using potentially mislabeled files /proc/<pid>. For complete SELinux messages. run sealert -l 4fa271b0-ed07-4638-b026-1bd9193c1910
Jul 22 13:16:18 develop setroubleshoot: [avc.ERROR] Plugin Exception httpd_bad_labels #012Traceback (most recent call last):#012 File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012 report = plugin.analyze(avc)#012 File "/usr/share/setroubleshoot/plugins/httpd_bad_labels.py", line 63, in analyze#012 fix_description, self.fix_cmd)#012 File "/usr/lib64/python2.6/site-packages/setroubleshoot/Plugin.py", line 100, in report#012 safe_substitute(avc.template_substitutions)#012 File "/usr/lib64/python2.6/string.py", line 205, in safe_substitute#012 return self.pattern.sub(convert, self.template)#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x95 in position 1: unexpected code byte
Jul 22 13:16:18 develop setroubleshoot: [avc.ERROR] Plugin Exception catchall #012Traceback (most recent call last):#012 File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 148, in analyze_avc#012 report = plugin.analyze(avc)#012 File "/usr/share/setroubleshoot/plugins/catchall.py", line 58, in analyze#012 summary = self.summary + " on " + avc.tpath + "."#012UnicodeDecodeError: 'utf8' codec can't decode byte 0x95 in position 1: unexpected code byte
I don't think SELinux is blocking anything in permissive mode. Could you mail us your audit.log (compressed) dwalsh. I would like to see what is blowing up setroubleshoot.

Miroslav, it looks like puppetmaster needs

allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
kernel_read_kernel_sysctls(puppetmaster_t)
selinux_validate_context(puppetmaster_t)
seutil_read_file_contexts(puppetmaster_t)
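As an added illustration (not code from this bug report, from audit2allow or from the policy maintainers), the script below aggregates the denied permissions in the AVC records posted above per (source type, target type, object class) and prints them as allow rules, which is how the two raw rules in the comment above are derived; the interface table then maps the remaining denials to the macros named in that comment. The security_t:file entry in that table is an assumption, since the comment lists no separate rule for it and selinux_validate_context is taken to cover the /selinux/context read/write.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the puppetmaster test run posted in
# this bug, with the SYSCALL records dropped (a leading node=... prefix is fine).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1277749864.928:400): avc: denied { open } for pid=24277 comm="puppetmasterd" name="file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1277749864.928:400): avc: denied { read } for pid=24277 comm="puppetmasterd" name="file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1277749864.931:401): avc: denied { getattr } for pid=24277 comm="puppetmasterd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=dm-0 ino=134810 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1277749865.130:402): avc: denied { read write } for pid=24277 comm="puppetmasterd" name="context" dev=selinuxfs ino=5 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1277749865.130:403): avc: denied { check_context } for pid=24277 comm="puppetmasterd" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1277749865.619:404): avc: denied { relabelto } for pid=24277 comm="puppetmasterd" name="state" dev=dm-2 ino=2767 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1277749865.619:404): avc: denied { relabelfrom } for pid=24277 comm="puppetmasterd" name="state" dev=dm-2 ino=2767 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1277749865.735:405): avc: denied { relabelto } for pid=24277 comm="puppetmasterd" name="masterhttp.log" dev=dm-2 ino=10824 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1277749865.735:405): avc: denied { relabelfrom } for pid=24277 comm="puppetmasterd" name="masterhttp.log" dev=dm-2 ino=10824 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:puppet_log_t:s0 tclass=file
type=AVC msg=audit(1277749866.066:406): avc: denied { read } for pid=24277 comm="puppetmasterd" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file
"""

# One AVC record: result, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Interface macros used in the thread in place of raw allow rules, keyed by
# (target type, object class). The security_t:file entry is an assumption
# (see the lead-in); the other three are stated in the comment above.
INTERFACE_HINTS = {
    ("file_context_t", "file"): "seutil_read_file_contexts",
    ("security_t", "security"): "selinux_validate_context",
    ("security_t", "file"): "selinux_validate_context",
    ("sysctl_kernel_t", "file"): "kernel_read_kernel_sysctls",
}


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for SYSCALL and other non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def denied_by_key(text):
    """Aggregate denied permissions per (source type, target type, class).
    Rules are keyed on types only, so the two puppet_var_lib_t denials that
    differ only in the user field (system_u vs unconfined_u) merge into one."""
    needed = defaultdict(set)
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        needed[(avc["source"], avc["target"], avc["tclass"])] |= avc["perms"]
    return needed


def allow_rules(text):
    """Raw allow rules in the form audit2allow prints, one per key."""
    rules = []
    for (src, tgt, cls), perms in sorted(denied_by_key(text).items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def interface_calls(text):
    """Interface macros for the keys that have a hint; keys without one are
    returned separately so that no denial is silently dropped."""
    macros, unmapped = set(), []
    for (src, tgt, cls) in sorted(denied_by_key(text)):
        name = INTERFACE_HINTS.get((tgt, cls))
        if name:
            macros.add(f"{name}({src})")
        else:
            unmapped.append((src, tgt, cls))
    return sorted(macros), unmapped


if __name__ == "__main__":
    print("#============= puppetmaster_t ==============")
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
    macros, unmapped = interface_calls(SAMPLE_AUDIT_LOG)
    print("# interface equivalents:", *macros, sep="\n")
    print("# still need raw allow rules:", unmapped)
```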
Created attachment 433732 [details] audit.log
It should not be, but it is; that log snippet was captured while in permissive mode.
SELinux continues to output errors in permissive mode but the kernel does not block access. So if anything is actually being blocked it is probably not an SELinux issue.
The audit.log you attached seems to be corrupted.
Created attachment 433761 [details] audit.log again
The only thing I see in that log is that you should turn on the allow_postfix_local_write_mail_spool boolean:

setsebool -P allow_postfix_local_write_mail_spool 1

The mount command somehow ran glusterfs, which requires setrlimit. Miroslav, can you add this? Which we should also add. The puppetmaster stuff must have rolled into a backup audit.log.
Fixed in selinux-policy-3.7.19-40.fc13.noarch
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
OK, every box I fiddle around with has something mislabelled. I did /.autorelabel but the original problem remains. Never mind the glusterfs; it is mongrel_cluster that fails, regardless of what file context I label a Rails application's whole tree with, recursively, for instance httpd_unconfined_script_exec_t (and with setsebool httpd_enable_cgi=1). This is how mongrel_cluster start/stop etc. fails:

Summary:

SELinux is preventing ps from using potentially mislabeled files /proc/<pid>.

Detailed Description:

SELinux has denied the ps access to potentially mislabeled files /proc/<pid>. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, root_t, mysqld_var_run_t, httpd_sys_content_t, tmp_t, usr_t, var_t, httpd_var_lib_t, httpd_var_run_t, httpd_squid_rw_content_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, mysqld_db_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, var_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, mailman_archive_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, kernel_t, var_lock_t, sysctl_t, device_t, bin_t, cert_t, mailman_data_t, httpd_cobbler_content_t, httpd_t, logfile, lib_t, httpd_munin_script_exec_t, mnt_t, etc_t, httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, proc_t, squirrelmail_spool_t, httpd_bugzilla_content_t, tmp_t, usr_t, var_t, httpd_nagios_script_exec_t, rpm_script_tmp_t, httpd_apcupsd_cgi_script_exec_t, cobbler_var_lib_t, nagios_etc_t, nagios_log_t, sssd_public_t, security_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, cluster_conf_t, httpd_w3c_validator_rw_content_t, winbind_var_run_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t, autofs_t, fonts_cache_t, device_t, devpts_t, locale_t, httpd_log_t, etc_t, fonts_t, rpm_tmp_t, var_run_t, proc_t, sysfs_t, tmpfs_t, krb5_conf_t, httpd_awstats_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, sysctl_net_t, var_lib_t, httpd_config_t, httpd_cobbler_rw_content_t, calamaris_www_t, httpd_prewikka_script_exec_t, var_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_sys_script_exec_t, iso9660_t, httpd_munin_rw_content_t, udev_tbl_t, httpd_tmp_t, httpd_git_script_exec_t, smokeping_var_lib_t, var_lib_t, var_run_t, httpd_cvs_script_exec_t, rpm_log_t, configfile, mysqld_etc_t, cvs_data_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, var_log_t, samba_var_t, abrt_var_run_t, avahi_var_run_t, net_conf_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_rw_content_t, setrans_var_run_t, public_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, anon_inodefs_t, sysctl_kernel_t, sysctl_crypto_t, home_root_t, httpd_modules_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, nscd_var_run_t, pcscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_cobbler_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /proc/<pid> so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/proc/<pid>'.

where FILE_TYPE is one of the following: root_t, mysqld_var_run_t, httpd_sys_content_t, tmp_t, usr_t, var_t, httpd_var_lib_t, httpd_var_run_t, httpd_squid_rw_content_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, mysqld_db_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, var_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, mailman_archive_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, kernel_t, var_lock_t, sysctl_t, device_t, bin_t, cert_t, mailman_data_t, httpd_cobbler_content_t, httpd_t, logfile, lib_t, httpd_munin_script_exec_t, mnt_t, etc_t, httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, proc_t, squirrelmail_spool_t, httpd_bugzilla_content_t, tmp_t, usr_t, var_t, httpd_nagios_script_exec_t, rpm_script_tmp_t, httpd_apcupsd_cgi_script_exec_t, cobbler_var_lib_t, nagios_etc_t, nagios_log_t, sssd_public_t, security_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, cluster_conf_t, httpd_w3c_validator_rw_content_t, winbind_var_run_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t, autofs_t, fonts_cache_t, device_t, devpts_t, locale_t, httpd_log_t, etc_t, fonts_t, rpm_tmp_t, var_run_t, proc_t, sysfs_t, tmpfs_t, krb5_conf_t, httpd_awstats_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, sysctl_net_t, var_lib_t, httpd_config_t, httpd_cobbler_rw_content_t, calamaris_www_t, httpd_prewikka_script_exec_t, var_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_sys_script_exec_t, iso9660_t, httpd_munin_rw_content_t, udev_tbl_t, httpd_tmp_t, httpd_git_script_exec_t, smokeping_var_lib_t, var_lib_t, var_run_t, httpd_cvs_script_exec_t, rpm_log_t, configfile, mysqld_etc_t, cvs_data_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, var_log_t, samba_var_t, abrt_var_run_t, avahi_var_run_t, net_conf_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_rw_content_t, setrans_var_run_t, public_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, anon_inodefs_t, sysctl_kernel_t, sysctl_crypto_t, home_root_t, httpd_modules_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, sysctl_t, abrt_t, bin_t, lib_t, mnt_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, nscd_var_run_t, pcscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_cobbler_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t.

You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:system_r:dhcpc_t:s0
Target Objects                /proc/<pid> [ dir ]
Source                        ps
Source Path                   ps
Port                          <Unknown>
Host                          develop.biotechnology
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-39.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     develop.biotechnology
Platform                      Linux develop.biotechnology 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu Jul 29 11:11:53 2010
Last Seen                     Thu Jul 29 11:11:53 2010
Local ID                      c155452d-6e42-4281-addb-12cb0c500814
Line Numbers

Raw Audit Messages

node=develop.biotechnology type=AVC msg=audit(1280398313.745:35411): avc: denied { getattr } for pid=14544 comm="ps" path="/proc/1446" dev=proc ino=14420 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:dhcpc_t:s0 tclass=dir

I can render a custom module, fine; only checking here with you guys whether I am missing some booleans or file contexts?

regards
OK, it is a file context, at least for me here; I just needed to follow the logs to figure out the correct one. And inasmuch as mongrel_cluster now starts almost silently (selinux), when I wanted to stop it, selinux produced this series of denials about /bin/ps:

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                /proc/<pid> [ dir ]
Source                        ps
Source Path                   /bin/ps
Port                          <Unknown>
Host                          develop.biotechnology
Source RPM Packages           procps-3.2.8-7.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-39.fc13
..

and yet mongrel_cluster succeeds in stopping, only plenty of denials are logged, and:

develop audispd: queue is full - dropping event

And would the difference between what's in the logs (httpd_sys_content_rw_t) and what ls -Z shows (httpd_sys_rw_content_t) matter? It's only that I see context httpd_sys_rw_content_t and yet selinux suggests relabeling it with httpd_sys_content_rw_t.

cheers
httpd_sys_content_rw_t == httpd_sys_rw_content_t. I will change the plugin to suggest the correct thing.

The problem with the reading of /proc can be solved by adding a custom policy module:

cat > myhttp.te << _EOF
# the module name must match the .te file name so the Makefile builds myhttp.pp
policy_module(myhttp, 1.0)
gen_require(`
	type httpd_t;
')
domain_read_all_domains_state(httpd_t)
_EOF
# make -f /usr/share/selinux/devel/Makefile
# semodule -i myhttp.pp
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
I'm still having this issue (with puppet-server-0.25.5-1.fc13.noarch.rpm):

Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/useradd [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.8.6.399-6.fc13
Target RPM Packages           shadow-utils-4.1.4.2-8.fc13
Policy RPM                    selinux-policy-3.7.19-49.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.8-149.fc13.x86_64 #1 SMP Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
Alert Count                   12
First Seen                    Fri 27 Aug 2010 05:40:06 PM EEST
Last Seen                     Fri 27 Aug 2010 05:40:06 PM EEST
Local ID                      d8299ac7-7e18-41c0-a9f5-46318dfe65fb
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1282920006.922:38817): avc: denied { getattr } for pid=17260 comm="puppetmasterd" path="/usr/sbin/useradd" dev=dm-0 ino=273182 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282920006.922:38817): arch=c000003e syscall=4 success=no exit=-13 a0=2179c20 a1=7fff3f5b4b30 a2=7fff3f5b4b30 a3=81 items=0 ppid=1 pid=17260 auid=500 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/useradd [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ruby-1.8.6.399-6.fc13
Target RPM Packages           shadow-utils-4.1.4.2-8.fc13
Policy RPM                    selinux-policy-3.7.19-49.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.8-149.fc13.x86_64 #1 SMP Tue Aug 17 22:53:15 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 27 Aug 2010 05:48:51 PM EEST
Last Seen                     Fri 27 Aug 2010 05:48:51 PM EEST
Local ID                      34ea6b6e-674c-463b-898b-88c006890bc0
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1282920531.585:38820): avc: denied { execute } for pid=17877 comm="puppetmasterd" name="useradd" dev=dm-0 ino=273182 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1282920531.585:38820): arch=c000003e syscall=21 success=yes exit=0 a0=14eda60 a1=1 a2=0 a3=81 items=0 ppid=17876 pid=17877 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
dgrift has suggested to me to try the following policy and it seems to work fine for me:

policy_module(mypuppet, 1.0.0)
gen_require(`
	type puppetmaster_t;
')
usermanage_domtrans_useradd(puppetmaster_t)
Seems good to me. Miroslav, please add

optional_policy(`
	usermanage_domtrans_groupadd(puppetmaster_t)
	usermanage_domtrans_useradd(puppetmaster_t)
')
Fixed in selinux-policy-3.7.19-52.fc13
selinux-policy-3.7.19-54.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-54.fc13
selinux-policy-3.7.19-54.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
I'm still having this problem with selinux-policy-targeted-3.9.7-7.fc14.noarch.rpm and puppet-server-0.25.5-1.fc14.noarch.rpm.
Here's what sealert shows me:

Summary:

SELinux is preventing /usr/bin/ruby "getattr" access on /usr/sbin/usermod.

Detailed Description:

SELinux denied access requested by puppetmasterd. It is not expected that this access is required by puppetmasterd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:puppetmaster_t:s0
Target Context                system_u:object_r:useradd_exec_t:s0
Target Objects                /usr/sbin/usermod [ file ]
Source                        puppetmasterd
Source Path                   /usr/bin/ruby
Port                          <Unknown>
Host                          hermes.lizeanunet.tld
Source RPM Packages           ruby-1.8.7.302-1.fc14
Target RPM Packages           shadow-utils-4.1.4.2-8.fc14
Policy RPM                    selinux-policy-3.9.7-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hermes.lizeanunet.tld
Platform                      Linux hermes.lizeanunet.tld 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   24
First Seen                    Tue 09 Nov 2010 10:30:01 PM EET
Last Seen                     Tue 09 Nov 2010 10:42:25 PM EET
Local ID                      c822bd9a-ab8a-4ed6-9c8c-376eba2514a5
Line Numbers

Raw Audit Messages

node=hermes.lizeanunet.tld type=AVC msg=audit(1289335345.138:509): avc: denied { getattr } for pid=26483 comm="puppetmasterd" path="/usr/sbin/usermod" dev=dm-0 ino=264090 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:useradd_exec_t:s0 tclass=file

node=hermes.lizeanunet.tld type=SYSCALL msg=audit(1289335345.138:509): arch=c000003e syscall=4 success=no exit=-13 a0=1cf30f0 a1=7fff9833aeb0 a2=7fff9833aeb0 a3=2 items=0 ppid=26462 pid=26483 auid=500 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=4 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
Oops, it does not look like the fix made it into F14 and Rawhide.
Fixed in selinux-policy-3.9.7-10.fc14
selinux-policy-3.9.7-10.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.