Description of problem: We're using the 'storedconfigs' option of puppet to store facts in a mysql database. When starting puppetmaster, this triggers the following AVCs:

type=AVC msg=audit(1295026430.574:161288): avc: denied { search } for pid=9176 comm="puppetmasterd" name="mysql" dev=vda1 ino=83250 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1295026430.574:161288): avc: denied { write } for pid=9176 comm="puppetmasterd" name="mysql.sock" dev=vda1 ino=82004 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1295026430.574:161288): avc: denied { connectto } for pid=9176 comm="puppetmasterd" path="/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
What other backends are available? Postgresql?
According to http://projects.puppetlabs.com/projects/1/wiki/Using_Stored_Configuration sqlite, mysql and postgresql.
Ok, one last question, should this be the default or should we add a boolean to allow puppetmasterd to connect to a database? And I think the easiest way to answer this would be how common would a user be hit with this problem.
As soon as you're using puppet's 'exported resources' you have to use the storedconfig option and use a database to store those resources in (or a message queue, but that's a different story). It's hard to say, but my guess is most people using puppet won't need this. As soon as they start using storedconfigs they have to configure stuff anyhow, so turning a boolean on won't be a problem.
Miroslav, add puppetmaster_uses_db and allow it to talk to postgresql and mysql.
Fixed in selinux-policy-3.7.19-82.fc13
I just tested this, we're almost there. It looks like the ruby mysql driver is trying to read some character set information:

type=AVC msg=audit(1298414625.077:639): avc: denied { getattr } for pid=12322 comm="puppetmasterd" path="/usr/share/mysql/charsets/Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1298414625.077:639): arch=c000003e syscall=4 success=yes exit=0 a0=7fff0dc48a80 a1=7fff0dc489c0 a2=7fff0dc489c0 a3=7fff0dc48710 items=1 ppid=1 pid=12322 auid=10001 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=74 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=CWD msg=audit(1298414625.077:639): cwd="/"
type=PATH msg=audit(1298414625.077:639): item=0 name="/usr/share/mysql/charsets/Index.xml" inode=106619 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:usr_t:s0
type=AVC msg=audit(1298414625.078:640): avc: denied { read } for pid=12322 comm="puppetmasterd" name="Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1298414625.078:640): avc: denied { open } for pid=12322 comm="puppetmasterd" name="Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1298414625.078:640): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7fff0dc48a80 a1=0 a2=1b0 a3=7fff0dc48720 items=1 ppid=1 pid=12322 auid=10001 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=74 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
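Added example, not part of the bug report: a small Python script that turns the AVC records quoted in the two comments above into the minimal set of raw allow rules they imply, the same collapsing step audit2allow performs (one rule per source type, target type and object class). The records are copied from this report; the rule format mirrors SELinux policy syntax, and the script is an illustration of reading denials, not a replacement for the packaged policy.

```python
import re
from collections import defaultdict

# AVC records quoted in this bug report (SYSCALL/CWD/PATH records omitted).
AVC_RECORDS = """\
type=AVC msg=audit(1295026430.574:161288): avc: denied { search } for pid=9176 comm="puppetmasterd" name="mysql" dev=vda1 ino=83250 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1295026430.574:161288): avc: denied { write } for pid=9176 comm="puppetmasterd" name="mysql.sock" dev=vda1 ino=82004 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1295026430.574:161288): avc: denied { connectto } for pid=9176 comm="puppetmasterd" path="/var/lib/mysql/mysql.sock" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1298414625.077:639): avc: denied { getattr } for pid=12322 comm="puppetmasterd" path="/usr/share/mysql/charsets/Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1298414625.078:640): avc: denied { read } for pid=12322 comm="puppetmasterd" name="Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1298414625.078:640): avc: denied { open } for pid=12322 comm="puppetmasterd" name="Index.xml" dev=vda1 ino=106619 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# Pull the denied permission set, both contexts and the object class out of an AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def context_type(context):
    """Return the type field (user:role:type:level -> type) of an SELinux context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (SYSCALL, CWD, PATH) carry no denial themselves
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class), sorted for stable output."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        merged[(src, tgt, cls)] |= perms
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in allow_rules(AVC_RECORDS):
        print(rule)
```

The three database rules are what the fix in this report gates behind the puppetmaster_uses_db boolean, and the usr_t file rule is what the files_read_usr_files(puppetmaster_t) interface provides; shipping such raw allow rules unconditionally would widen puppetmaster_t for every installation.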
ok, I am adding files_read_usr_files(puppetmaster_t)
selinux-policy-3.7.19-101.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-101.fc13
selinux-policy-3.7.19-101.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.