Description of problem:
We migrated an existing Puppet service from a RHEL5 system to a RHEL6 system. Both use EPEL for the Puppet RPMs. According to a post on the Puppet mailing list (http://bit.ly/dJ2ZPM), the only piece of the old server necessary on the new Puppet server is a copy of /var/lib/puppet/ssl/ca. I installed the Puppet RPMs on the new server, and copied over /var/lib/puppet/ssl/ca.

My clients can connect to the new Puppet server, and puppetmaster seems to be functioning properly. However, numerous entries are being recorded in the audit log for puppetmasterd:

type=AVC msg=audit(1298577189.194:14815): avc: denied { search } for pid=6979 comm="puppetmasterd" name="pki" dev=dm-0 ino=129841 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.194:14815): arch=c000003e syscall=2 success=no exit=-13 a0=7f508a8d2643 a1=0 a2=1b6 a3=0 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.742:14816): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="lib" dev=dm-0 ino=1510 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.742:14816): arch=c000003e syscall=189 success=no exit=-13 a0=26ede80 a1=7f5089414d59 a2=26f7e30 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.745:14817): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="facts" dev=dm-0 ino=12458 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.745:14817): arch=c000003e syscall=189 success=no exit=-13 a0=2704420 a1=7f5089414d59 a2=270e3c0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.749:14818): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="rrd" dev=dm-0 ino=12461 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.749:14818): arch=c000003e syscall=189 success=no exit=-13 a0=27216a0 a1=7f5089414d59 a2=272b640 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.753:14819): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="yaml" dev=dm-0 ino=12480 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.753:14819): arch=c000003e syscall=189 success=no exit=-13 a0=273e850 a1=7f5089414d59 a2=27487f0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.757:14820): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="reports" dev=dm-0 ino=12481 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.757:14820): arch=c000003e syscall=189 success=no exit=-13 a0=275ba10 a1=7f5089414d59 a2=27659b0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.761:14821): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="ssl" dev=dm-0 ino=12482 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.761:14821): arch=c000003e syscall=189 success=no exit=-13 a0=2774cd0 a1=7f5089414d59 a2=277ec70 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.764:14822): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="certs" dev=dm-0 ino=12483 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.764:14822): arch=c000003e syscall=189 success=no exit=-13 a0=278de80 a1=7f5089414d59 a2=2798aa0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.768:14823): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="private_keys" dev=dm-0 ino=12484 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.768:14823): arch=c000003e syscall=189 success=no exit=-13 a0=27a7fc0 a1=7f5089414d59 a2=27b2be0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.771:14824): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="public_keys" dev=dm-0 ino=12485 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.771:14824): arch=c000003e syscall=189 success=no exit=-13 a0=27c1920 a1=7f5089414d59 a2=27cc540 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.774:14825): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="certificate_requests" dev=dm-0 ino=12486 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.774:14825): arch=c000003e syscall=189 success=no exit=-13 a0=27db270 a1=7f5089414d59 a2=27e5ef0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.777:14826): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="private" dev=dm-0 ino=12487 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.777:14826): arch=c000003e syscall=189 success=no exit=-13 a0=27f5420 a1=7f5089414d59 a2=2800040 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.825:14827): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="bucket" dev=dm-0 ino=12488 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.825:14827): arch=c000003e syscall=189 success=no exit=-13 a0=2537a30 a1=7f5089414d59 a2=ef8e00 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.830:14828): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="state" dev=dm-0 ino=12489 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.830:14828): arch=c000003e syscall=189 success=no exit=-13 a0=b3aba0 a1=7f5089414d59 a2=1293060 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.836:14829): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="masterhttp.log" dev=dm-0 ino=12490 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
type=SYSCALL msg=audit(1298577189.836:14829): arch=c000003e syscall=189 success=no exit=-13 a0=c86c40 a1=7f5089414d59 a2=26f8060 a3=22 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.873:14830): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="ca" dev=dm-0 ino=12491 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.873:14830): arch=c000003e syscall=189 success=no exit=-13 a0=ffe840 a1=7f5089414d59 a2=d6bf30 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.877:14831): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="requests" dev=dm-0 ino=12492 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.877:14831): arch=c000003e syscall=189 success=no exit=-13 a0=215d690 a1=7f5089414d59 a2=26988e0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.881:14832): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="signed" dev=dm-0 ino=12493 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.881:14832): arch=c000003e syscall=189 success=no exit=-13 a0=25be620 a1=7f5089414d59 a2=2804070 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1298577189.885:14833): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="private" dev=dm-0 ino=12494 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.885:14833): arch=c000003e syscall=189 success=no exit=-13 a0=278f330 a1=7f5089414d59 a2=27a1da0 a3=26 items=0 ppid=6978 pid=6979 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=1 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

/var/lib/puppet has the following context immediately after installing the puppet-server RPM:

system_u:object_r:puppet_var_lib_t:s0

Starting the puppetmaster service for the first time creates a number of directories in /var/lib/puppet with the following context:

unconfined_u:object_r:puppet_var_lib_t:s0

I manually changed contexts thus:

chcon -R -u system_u /var/lib/puppet/ssl/ca
chcon -R -u system_u /var/lib/puppet/yaml
chcon -R -u system_u /var/lib/puppet/reports/
chcon -R -u system_u /var/lib/puppet/reports
chcon -R -u system_u /var/lib/puppet/rrd
chcon -R -u system_u /var/lib/puppet/bucket
chcon -R -u system_u /var/log/puppet/masterhttp.log

This seems to have resolved the problems, and puppetmaster no longer logs any denials in the audit log.

Version-Release number of selected component (if applicable):
puppet-0.25.5-1.el6.noarch
puppet-server-0.25.5-1.el6.noarch

How reproducible:
I created a KVM virtual machine running RHEL6. Subscribed to server-6 and server-optional-6 channels in Red Hat Network, as well as EPEL. Upon installing and launching puppetmasterd, I see the same problems as I saw on my production server.

Steps to Reproduce:
1. yum install puppet-server
2. ls -lZ /var/lib | grep puppet
3. service puppetmaster start
4. ls -lZ /var/lib/puppet

Actual results:
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 bucket
drwxr-xr-x. root root unconfined_u:object_r:puppet_var_lib_t:s0 facts
drwxr-xr-x. root root unconfined_u:object_r:puppet_var_lib_t:s0 lib
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 reports
drwxr-xr-x. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 rrd
drwxrwx--x. puppet root unconfined_u:object_r:puppet_var_lib_t:s0 ssl
drwxr-xr-t. root root unconfined_u:object_r:puppet_var_lib_t:s0 state
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 yaml

Expected results:
I expected the context to be system_u:object_r:puppet_var_lib_t:s0 for each of the directories.

Additional info:
Dan, Is the best course of action here to update selinux-policy so these directories pick up the proper context? Or can we create them in the rpm and achieve the same result? (Having directories which are created on demand get the right context seems like the best move, if possible. It would keep us from having to create directories that are not strictly needed.)
The user component of the SELinux context indicates which user created the files. If they were default labeled they would be system_u. If you restarted a service as an admin and the service created the directories/files they would get labeled unconfined_u. For the most part SELinux does not care. We currently have restorecon ignore the user component when it looks to see if files are different than the default, unless you run the -F command. Since you have built restorecon into puppetmaster, we need to allow it additional access. Miroslav, puppetmaster needs domain_obj_id_change_exemption(puppetmaster_t) in RHEL6; you probably want to backport the full policy from F15.
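Added example, not from this bug report, Puppet or the SELinux policy: a small triage script for AVC records like the ones quoted in the description. It groups denials by source type, permission, target type and object class, and, given ls -lZ output for the same files, checks whether a relabelto denial would change only the SELinux user component (the case described above) or the role/type/level as well. The sample records are constructed from this report; the masterhttp.log line in the ls sample is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: four records from this report, plus one SYSCALL record to show
# that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1298577189.194:14815): avc: denied { search } for pid=6979 comm="puppetmasterd" name="pki" dev=dm-0 ino=129841 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=SYSCALL msg=audit(1298577189.194:14815): arch=c000003e syscall=2 success=no exit=-13 comm="puppetmasterd" exe="/usr/bin/ruby"
type=AVC msg=audit(1298577189.742:14816): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="lib" dev=dm-0 ino=1510 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1298577189.745:14817): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="facts" dev=dm-0 ino=12458 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1298577189.836:14829): avc: denied { relabelto } for pid=6979 comm="puppetmasterd" name="masterhttp.log" dev=dm-0 ino=12490 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file
"""
# Constructed from the report's "Actual results" (ls -lZ); the log file's line is assumed.
SAMPLE_LS_Z = """\
drwxr-xr-x. root root unconfined_u:object_r:puppet_var_lib_t:s0 facts
drwxr-xr-x. root root unconfined_u:object_r:puppet_var_lib_t:s0 lib
-rw-r--r--. puppet puppet unconfined_u:object_r:puppet_log_t:s0 masterhttp.log
"""
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Fields of one type=AVC record (quotes stripped); None for other record types."""
    m = PERM_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["perms"] = m.group(1).split()  # "{ read write }" -> ["read", "write"]
    return rec

def summarize(audit_text):
    """Group denials by (source type, permission, target type, class) -> sorted names."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, audit_text.splitlines())):
        for perm in rec["perms"]:
            key = (rec["scontext"].split(":")[2], perm, rec["tcontext"].split(":")[2], rec["tclass"])
            groups[key].add(rec.get("name", "?"))
    return {k: sorted(v) for k, v in groups.items()}

def classify_relabels(audit_text, ls_text):
    """Per relabelto denial: does the requested label (tcontext) differ from the file's
    current label only in the SELinux user, or in role/type/level as well?"""
    current = {p[4]: p[3] for p in map(str.split, ls_text.splitlines()) if len(p) >= 5}
    verdict = {}
    for rec in filter(None, map(parse_avc, audit_text.splitlines())):
        if "relabelto" not in rec["perms"]:
            continue
        cur = current.get(rec.get("name", "?"))
        verdict[rec.get("name", "?")] = (
            "current label unknown" if cur is None else
            "user component only" if cur.split(":")[1:] == rec["tcontext"].split(":")[1:]
            else "role/type/level change")  # user-only is what domain_obj_id_change_exemption covers
    return verdict
```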
I think this has been fixed.