Bug 711804 - puppet: Could not find a default provider for user
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-06-08 14:33 UTC by John Florian
Modified: 2011-12-04 02:33 UTC

Fixed In Version: selinux-policy-3.9.16-48.fc15
Doc Type: Bug Fix
Last Closed: 2011-12-04 02:33:25 UTC

Description John Florian 2011-06-08 14:33:08 UTC
Description of problem:
puppet-server-2.6.6-1.fc15 (from updates-testing) has issues with the SEL policy, which causes messages like the following:

Jun  8 09:28:53 mdct-puppet puppet-master[23186]: Could not create resources for managing Puppet's files and directories in sections [:main, :ca, :ssl]: Could not find a default provider for user

audit.log shows:

type=AVC msg=audit(1307539733.291:418): avc:  denied  { getattr } for  pid=23172 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file


How reproducible:
always


Steps to Reproduce:
1. Get a fresh F15 installation.
2. yum install puppet
3. service puppetmaster start
  
Additional info:
This all worked fine with the current stable puppet release (0.25.5, I believe).

Comment 1 Todd Zullinger 2011-06-08 14:57:35 UTC
This affects Fedora 14 as well.  The AVCs look like this:

----
time->Wed Jun  8 05:23:15 2011
type=SYSCALL msg=audit(1307524995.200:97): arch=c000003e syscall=4 success=yes exit=0 a0=322a380 a1=7fff0cdf3130 a2=7fff0cdf3130 a3=2 items=0 ppid=1413 pid=1414 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307524995.200:97): avc:  denied  { getattr } for  pid=1414 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=5168 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 05:23:15 2011
type=SYSCALL msg=audit(1307524995.200:98): arch=c000003e syscall=21 success=yes exit=0 a0=322a380 a1=1 a2=0 a3=2 items=0 ppid=1413 pid=1414 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307524995.200:98): avc:  denied  { execute } for  pid=1414 comm="puppetmasterd" name="chage" dev=dm-0 ino=5168 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

Using audit2allow to create a local policy module works well and produces this:

#============= puppetmaster_t ==============

allow puppetmaster_t passwd_exec_t:file { getattr execute };

This access is required by puppet's user provider to allow managing password min/max age.

Comment 2 Todd Zullinger 2011-06-08 15:03:48 UTC
I will try to test rhel6 as well, if no one beats me to it.  I suspect it may also be affected.

We've had puppet-2.6.6 packages in Fedora/EPEL testing repos for a month, and I was just about to push them to stable.  I'm torn on whether to do so or wait for selinux-policy to be updated.  If this affects rhel6, that will take some time (understandably).  What mitigates the seriousness, IMO, is that it only affects new puppetmaster installs or folks attempting to use the new min/max password age features.  Existing setups should not be affected much.

Comment 3 Dominick Grift 2011-06-08 15:10:49 UTC
I think this should be fixed in the most recent available selinux policy for f15 on koji.

However, this particular event is only a check, I believe. In this case it does not actually run chage.

Can you please update to the latest selinux-policy for f15 and see if you can reproduce this?

It would also be nice if we can get some proof that puppet needs to actually run these apps as opposed to just checking them for execute.

This applies to:

chage
useradd
groupadd

By the way, puppet CA seems to need the same. Can this be confirmed (preferably by showing AVC denials)?

Comment 4 John Florian 2011-06-08 15:17:50 UTC
> I will try to test rhel6 as well, if no one beats me to it.  I suspect it may
> also be affected.

Won't be me ... all Fedora here.

> We've had puppet-2.6.6 packages in Fedora/EPEL testing repos for a month, and I
> was just about to push them to stable.

I had been about to submit a request for these and then noticed they were
already in testing.  Then I was surprised (but grateful) they were in testing
for so long.

> I'm torn on whether to do so or wait
> for selinux-policy to be updated.  If this affects rhel6, that will take some
> time (understandably).  What mitigates the seriousness, IMO, is that it only
> affects new puppetmaster installs or folks attempting to use the new min/max
> password age features.  Existing setups should not be affected much.

That's a tough one.  One would hope that admins would exercise a little change
control and not be updating their puppetmasters via cron, or if they did that
they would be able to figure out the SEL issues ... but still part of me says
it would be better to wait.

Comment 5 John Florian 2011-06-08 15:20:08 UTC
(In reply to comment #3)

> By the way puppet CA seems to need the same. Can this be confirmed (preferable
> by showing AVC denials)

Like this (with stable SEL policy, not updates-testing):

type=AVC msg=audit(1307539733.291:418): avc:  denied  { getattr } for  pid=23172 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

Comment 6 Dominick Grift 2011-06-08 15:27:19 UTC
(In reply to comment #5)
> (In reply to comment #3)
> 
> > By the way puppet CA seems to need the same. Can this be confirmed (preferable
> > by showing AVC denials)
> 
> Like this (with stable SEL policy, not updates-testing):
> 
> type=AVC msg=audit(1307539733.291:418): avc:  denied  { getattr } for 
> pid=23172 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-1 ino=4782
> scontext=system_u:system_r:puppetmaster_t:s0
> tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

Yes, I am aware of that, and as far as I know that has been taken care of in a recent policy update, so it would be nice if you could try it.

But we do not actually support puppet actually running the chage app and others because no one ever seems to have hit it.

So please update your policy to the latest on koji and please see if you can reproduce this issue; also see if you can make puppet actually try to *run* any of these apps (chage, useradd, userdel).

Comment 7 John Florian 2011-06-08 15:43:48 UTC
(In reply to comment #6)

> So please update your policy to latest on koji and please see if you can
> reproduce this issue, also see if you can make puppet actually try to *run* any
> of these apps (chage, useradd, userdel)

Not sure what the latest policy version is.  From here, it appears to be:
selinux-policy-3.9.16-26.fc15.noarch
selinux-policy-targeted-3.9.16-26.fc15.noarch

That's what I'm running and I just confirmed that:

user { "testing123":
        ensure  => present,
}

and then again with "absent" worked as expected.  The only "problem" I'm really seeing is the noise in the log regarding "Could not create resources for managing Puppet's files and directories in sections [:main, :reporting, :metrics]: Could not find a default provider for user".

So it appears that the checks for the provider stuff make noise, but the actual feature functions fine.

Comment 8 Dominick Grift 2011-06-08 15:51:26 UTC
Please try these packages (selinux-policy and selinux-policy-targeted):

http://koji.fedoraproject.org/koji/buildinfo?buildID=246492

And then please try to reproduce the event(s) and please enclose any AVC denials you are seeing: ausearch -m avc -ts today

Comment 9 John Florian 2011-06-08 17:25:37 UTC
Installation had some unusual output:

================================================================================================
 Package                  Arch    Version         Repository                                      Size
================================================================================================
Updating:
 selinux-policy           noarch  3.9.16-28.fc15  /selinux-policy-3.9.16-28.fc15.noarch           8.1 M
 selinux-policy-targeted  noarch  3.9.16-28.fc15  /selinux-policy-targeted-3.9.16-28.fc15.noarch  3.5 M

Transaction Summary
================================================================================================
Upgrade       2 Package(s)

Total size: 12 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : selinux-policy-3.9.16-28.fc15.noarch                            1/4
Illegal character '<'
Illegal character '<'
Illegal character '<'
Illegal character '<'
Illegal character '<'
Illegal character '<'
Illegal character '<'
/usr/share/selinux/devel/include/services/mta.if: Syntax error on line 26199 = [type=EQUAL]
Illegal character '>'
Illegal character '>'
Illegal character '>'
Illegal character '>'
Illegal character '>'
Illegal character '>'
Illegal character '>'
/usr/share/selinux/devel/include/services/mta.if: Syntax error on line 26220 884 [type=NUMBER]
  Updating   : selinux-policy-targeted-3.9.16-28.fc15.noarch                   2/4
  Cleanup    : selinux-policy-targeted-3.9.16-26.fc15.noarch                   3/4
  Cleanup    : selinux-policy-3.9.16-26.fc15.noarch                            4/4

Updated:
  selinux-policy.noarch 0:3.9.16-28.fc15     selinux-policy-targeted.noarch 0:3.9.16-28.fc15

Complete!


puppetmaster start up caused these:

----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.318:500): arch=c000003e syscall=21 success=no exit=-13 a0=2cf66a0 a1=1 a2=0 a3=2 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.318:500): avc:  denied  { execute } for  pid=3186 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.324:501): arch=c000003e syscall=21 success=no exit=-13 a0=2d13720 a1=1 a2=0 a3=2 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.324:501): avc:  denied  { execute } for  pid=3186 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.327:502): arch=c000003e syscall=21 success=no exit=-13 a0=2d228b0 a1=1 a2=0 a3=2 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.327:502): avc:  denied  { execute } for  pid=3186 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.329:503): arch=c000003e syscall=21 success=no exit=-13 a0=2d36fe0 a1=1 a2=0 a3=2 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.329:503): avc:  denied  { execute } for  pid=3186 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.333:504): arch=c000003e syscall=21 success=no exit=-13 a0=2d4d640 a1=1 a2=0 a3=2 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.333:504): avc:  denied  { execute } for  pid=3186 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.336:505): arch=c000003e syscall=21 success=no exit=-13 a0=2d616f0 a1=1 a2=0 a3=2 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.336:505): avc:  denied  { execute } for  pid=3186 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 13:19:13 2011
type=SYSCALL msg=audit(1307553553.341:506): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffcf309170 a2=6e a3=7fffcf308d90 items=0 ppid=3185 pid=3186 auid=4294967295 uid=0 gid=52 euid=0 suid=0 fsuid=0 egid=52 sgid=0 fsgid=52 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307553553.341:506): avc:  denied  { search } for  pid=3186 comm="puppetmasterd" name="sss" dev=dm-1 ino=26862 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


However, the same test to add/remove a test user worked great without causing
any AVCs.

Comment 10 Dominick Grift 2011-06-08 17:43:14 UTC
OK, this was not fixed, but it should be fixed now here:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=8202c6bd48ab2ad19655a33b3cac7e42f1321185

puppetmaster does not execute any of those apps, it uses some library that does these checks on these apps.

Comment 11 Dominick Grift 2011-06-08 17:48:27 UTC
I have been told that puppetmaster does not add or delete users. I guess I am not informed properly.

Comment 12 Dominick Grift 2011-06-08 17:50:16 UTC
Can you please test/reproduce it in permissive mode?

Comment 13 John Florian 2011-06-08 17:57:09 UTC
(In reply to comment #11)
> I have been told that puppetmaster does not add or delete users. I guess i am
> not informed properly.

That's correct AFAIK.  The puppetmaster possesses the instructions for adding/removing users, but the puppet client is what actually makes those calls.  To keep my testing simple here, I'm running puppet on the same host as the master, but the above rule still holds.

(In reply to comment #12)
> Can you please test /reproduce it in permissive mode?

Using which versions of the policy?

Comment 14 Dominick Grift 2011-06-08 18:05:11 UTC
Just this latest will be fine. I added the rules for the "execute" AVC denials you enclosed above to the rawhide master branch. Mgrepl would need to apply it to f15/f14 etc.

I was kind of confused, but I hope we can both agree that puppetmaster does not actually run chage, useradd or userdel, but that whatever lib it's calling is checking whether those apps are executable.

Comment 15 John Florian 2011-06-08 18:21:38 UTC
(In reply to comment #14)
> Just this latest will be fine. I added the rules for the "execute" AVC denials
> you enclosed above to the rawhide master branch. Mgrepl would need to apply it
> to f15/f14 etc.

Okay, here's the AVCs from restarting puppetmaster with those koji policies in place:

----
time->Wed Jun  8 14:13:21 2011
type=SYSCALL msg=audit(1307556801.046:567): arch=c000003e syscall=21 success=yes exit=0 a0=2a58790 a1=1 a2=0 a3=2 items=0 ppid=8197 pid=8198 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307556801.046:567): avc:  denied  { execute } for  pid=8198 comm="puppetmasterd" name="chage" dev=dm-1 ino=4782 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Wed Jun  8 14:13:21 2011
type=SYSCALL msg=audit(1307556801.523:568): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7fff8de2b720 a2=6e a3=7fff8de2b340 items=0 ppid=8197 pid=8198 auid=4294967295 uid=0 gid=52 euid=0 suid=0 fsuid=0 egid=52 sgid=0 fsgid=52 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1307556801.523:568): avc:  denied  { connectto } for  pid=8198 comm="puppetmasterd" path="/var/lib/sss/pipes/nss" scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1307556801.523:568): avc:  denied  { write } for  pid=8198 comm="puppetmasterd" name="nss" dev=dm-1 ino=4142 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1307556801.523:568): avc:  denied  { search } for  pid=8198 comm="puppetmasterd" name="sss" dev=dm-1 ino=26862 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=dir


> I was kind of confused, but i hope we can both agree that puppetmaster does not
> actually run chage, useradd or userdel, but that whatever lib its calling is
> checking whether those apps are executable.

Yes, we agree.  The point I was trying to make was that only puppet would call those tools (directly or indirectly) and that puppetmaster would not ever do that (directly or indirectly).  However, looking at the above AVCs from just a simple restart of the master, I'd have to say my original assumption was wrong.  Now whether the master makes those calls directly or indirectly, I have no idea, but I'll be happy to agree with you.  :-)

Comment 16 Dominick Grift 2011-06-08 18:35:33 UTC
/me breathes a sigh of relief :)

I also took care of the sssd issue in the master branch; mgrepl will need to add that to f14/f15:

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=8bb61f5770a32339f4db555e05d73cf14c37c0e0

Comment 17 John Florian 2011-06-08 18:44:27 UTC
(In reply to comment #16)
> /me breathes a sigh of relief :)

Likewise!

> I also took care of the sssd issue in master branch

Oh yes, thanks for that.  I had meant to mention it, but am suffering from a bit of stack overflow today.

Comment 18 Todd Zullinger 2011-06-08 19:00:19 UTC
Thanks for tracking this down, John and Dominick!  I'd set up f14 and f15 VMs to poke at and I agree that puppetmasterd does not directly execute chage.  I didn't find the root in puppet's code, but I'd suspect it's either in the general puppet tests for type/provider tools or in the ruby-shadow library.

Anyway, I'll watch for some updated selinux-policy packages to test.

Comment 19 Cristian Ciupitu 2011-06-08 20:30:02 UTC
I did a small experiment to test what's really going on. I replaced chage and useradd on a Fedora 15 system with some shell scripts that log the time of the execution in a file. Then I started the puppetmaster service and looked at the logs. The logs were empty, which means that puppetmaster does not run those commands.

Comment 20 Cristian Ciupitu 2011-06-08 20:30:33 UTC
I forgot to mention that I used puppet-server-2.6.8-1.fc15.noarch.

Comment 21 Todd Zullinger 2011-06-08 20:41:30 UTC
Heh, I had done the same test as well, using 2.6.6 from updates-testing. ;)

Comment 22 Miroslav Grepl 2011-06-27 10:42:49 UTC
(In reply to comment #16)
> /me breathes a sigh of relief :)
> 
> I also took care of the sssd issue in master branch, mgrepl will need to add
> that to f14/f15:
> 
> http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=8bb61f5770a32339f4db555e05d73cf14c37c0e0

I missed this one.

Fixed in selinux-policy-3.9.16-30.fc15

Comment 23 Fedora Update System 2011-06-30 15:58:57 UTC
selinux-policy-3.9.16-31.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-31.fc15

Comment 24 Yury V. Zaytsev 2011-06-30 17:32:19 UTC
I am working on packaging puppet 2.7.1 for RHEL6. So far I hit two issues, the one described in this bug and the following one:

$ sudo service puppetmaster start
Starting puppetmaster: Could not prepare for execution: Cannot save ca; parent directory /var/lib/puppet/ssl/ca does not exist
                                                           [FAILED]

The first one I didn't fix yet, will probably install a local policy for now, the second one I fixed by adding the directory to the puppet-server RPM:

rpmforge/specs/puppet$ git diff
diff --git a/specs/puppet/puppet.spec b/specs/puppet/puppet.spec
index a614b5f..a19bb35 100644
--- a/specs/puppet/puppet.spec
+++ b/specs/puppet/puppet.spec
@@ -119,9 +119,9 @@ ruby install.rb --destdir=%{buildroot} --quick --no-rdoc
 
 install -d -m0755 %{buildroot}%{_sysconfdir}/puppet/manifests
 install -d -m0755 %{buildroot}%{_datadir}/%{name}/modules
-install -d -m0755 %{buildroot}%{_localstatedir}/lib/puppet
 install -d -m0755 %{buildroot}%{_localstatedir}/run/puppet
 install -d -m0750 %{buildroot}%{_localstatedir}/log/puppet
+install -dp -m0755 %{buildroot}%{_localstatedir}/lib/puppet/ssl/ca
 install -Dp -m0644 %{confdir}/client.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/puppet
 install -Dp -m0755 %{confdir}/client.init %{buildroot}%{_initrddir}/puppet
 install -Dp -m0644 %{confdir}/server.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/puppetmaster
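Review bot: The added `install -dp -m0755 %{buildroot}%{_localstatedir}/lib/puppet/ssl/ca` line creates the CA directory world-readable and world-searchable, while the log directory two lines above it is created 0750; a directory meant to hold the master's CA files should be at least as tight, so consider a more restrictive mode here with a matching `%attr` in `%files`. With `-d`, the `-m` mode applies only to the final path component, so `lib/puppet` and `lib/puppet/ssl` are now created implicitly with default attributes; keeping the removed `install -d -m0755 ... /lib/puppet` line would keep the parent's mode explicit. The `-p` flag serves no purpose together with `-d`.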
@@ -186,7 +186,7 @@ find %{buildroot}%{ruby_sitelibdir} -type f -perm +ugo+x -print0 | xargs -0 -r %
 %{_sbindir}/puppetd
 
 %defattr(-, puppet, puppet, 0755)
-%{_localstatedir}/lib/puppet/
+%dir %{_localstatedir}/lib/puppet/
 %{_localstatedir}/log/puppet/
 %{_localstatedir}/run/puppet/
 
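Review bot: Changing `%{_localstatedir}/lib/puppet/` to `%dir %{_localstatedir}/lib/puppet/` means this package now owns only the directory itself, so anything else the build leaves under `lib/puppet` is no longer covered by the `%defattr(-, puppet, puppet, 0755)` above it and will either go unpackaged or need its own entry. It is worth confirming that `ssl/` is the only subtree present in the buildroot, since it is the only one re-listed elsewhere in this patch.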
@@ -206,6 +206,7 @@ find %{buildroot}%{ruby_sitelibdir} -type f -perm +ugo+x -print0 | xargs -0 -r %
 %{_sbindir}/puppetqd
 %{_sbindir}/puppetrun
 %dir %{_sysconfdir}/puppet/manifests/
+%{_localstatedir}/lib/puppet/ssl/
 
 %files -n emacs-puppet
 %defattr(-, root, root, -)
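Review bot: The new `%{_localstatedir}/lib/puppet/ssl/` entry inherits whatever `%defattr` is in force for this `%files` section, which the hunk does not show, whereas the path it was split out of was listed under `%defattr(-, puppet, puppet, 0755)`. If this section defaults to root ownership, a master running as the puppet user will not be able to write under `ssl/ca`; an explicit `%attr(-, puppet, puppet)` on this line removes that dependence. The entry is recursive, so it already covers `ssl/ca` without a separate line.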

Hope that helps!

Comment 25 Yury V. Zaytsev 2011-06-30 18:35:01 UTC
The AVC denials that I'm seeing on RHEL6 with puppetmaster from puppet 2.7.1:

$ sudo ausearch -m avc -ts today
----
time->Thu Jun 30 19:06:18 2011
type=SYSCALL msg=audit(1309453578.228:3527): arch=c000003e syscall=4 success=no exit=-13 a0=7f81888f3780 a1=7fffa6c8bb60 a2=7fffa6c8bb60 a3=a items=0 ppid=25457 pid=25458 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309453578.228:3527): avc:  denied  { search } for  pid=25458 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Thu Jun 30 19:06:18 2011
type=SYSCALL msg=audit(1309453578.228:3528): arch=c000003e syscall=4 success=no exit=-13 a0=7f81888f3780 a1=7fffa6c8bb60 a2=7fffa6c8bb60 a3=a items=0 ppid=25457 pid=25458 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309453578.228:3528): avc:  denied  { search } for  pid=25458 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Thu Jun 30 19:06:18 2011
type=SYSCALL msg=audit(1309453578.459:3529): arch=c000003e syscall=4 success=no exit=-13 a0=2336360 a1=7fffa6c64d80 a2=7fffa6c64d80 a3=81 items=0 ppid=25457 pid=25458 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309453578.459:3529): avc:  denied  { getattr } for  pid=25458 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:06:18 2011
type=SYSCALL msg=audit(1309453578.463:3530): arch=c000003e syscall=4 success=no exit=-13 a0=2354fb0 a1=7fffa6c64d10 a2=7fffa6c64d10 a3=81 items=0 ppid=25457 pid=25458 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309453578.463:3530): avc:  denied  { getattr } for  pid=25458 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:06:18 2011
type=SYSCALL msg=audit(1309453578.464:3531): arch=c000003e syscall=4 success=no exit=-13 a0=2368ae0 a1=7fffa6c597b0 a2=7fffa6c597b0 a3=81 items=0 ppid=25457 pid=25458 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309453578.464:3531): avc:  denied  { getattr } for  pid=25458 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:06:18 2011
type=SYSCALL msg=audit(1309453578.466:3532): arch=c000003e syscall=4 success=no exit=-13 a0=237cd10 a1=7fffa6c4d020 a2=7fffa6c4d020 a3=81 items=0 ppid=25457 pid=25458 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309453578.466:3532): avc:  denied  { getattr } for  pid=25458 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.729:3558): arch=c000003e syscall=4 success=no exit=-13 a0=7faf95c43780 a1=7fff24f42270 a2=7fff24f42270 a3=a items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.729:3558): avc:  denied  { search } for  pid=25729 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.729:3559): arch=c000003e syscall=4 success=no exit=-13 a0=7faf95c43780 a1=7fff24f42270 a2=7fff24f42270 a3=a items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.729:3559): avc:  denied  { search } for  pid=25729 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.956:3560): arch=c000003e syscall=4 success=no exit=-13 a0=1d9c640 a1=7fff24f1b490 a2=7fff24f1b490 a3=81 items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.956:3560): avc:  denied  { getattr } for  pid=25729 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.959:3561): arch=c000003e syscall=4 success=no exit=-13 a0=1dbb290 a1=7fff24f1b420 a2=7fff24f1b420 a3=81 items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.959:3561): avc:  denied  { getattr } for  pid=25729 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.961:3562): arch=c000003e syscall=4 success=no exit=-13 a0=1dcedc0 a1=7fff24f0fec0 a2=7fff24f0fec0 a3=81 items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.961:3562): avc:  denied  { getattr } for  pid=25729 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.962:3563): arch=c000003e syscall=4 success=no exit=-13 a0=1de2ff0 a1=7fff24f03730 a2=7fff24f03730 a3=81 items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.962:3563): avc:  denied  { getattr } for  pid=25729 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Jun 30 19:20:41 2011
type=SYSCALL msg=audit(1309454441.989:3564): arch=c000003e syscall=4 success=no exit=-13 a0=1df02b0 a1=7fff24f0dfb0 a2=7fff24f0dfb0 a3=81 items=0 ppid=25728 pid=25729 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=484 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1309454441.989:3564): avc:  denied  { getattr } for  pid=25729 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=786740 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

Comment 26 Yury V. Zaytsev 2011-06-30 20:46:26 UTC
The /var/lib/puppet/ssl/ca error was also caused by SELinux.

I came up with the following policy and now at least puppetmaster of puppet 2.7.1 starts:

module puppetmaster 1.0;

require {
    type puppetmaster_t;
    type sysfs_t;
    type passwd_exec_t;
    class file { execute getattr };
    class dir search;
}

#============= puppetmaster_t ==============

allow puppetmaster_t passwd_exec_t:file execute;
allow puppetmaster_t passwd_exec_t:file getattr;

allow puppetmaster_t sysfs_t:dir search;

Is it a good idea? If it is, I'd like to package it for RepoForge. Thanks!

Comment 27 Daniel Walsh 2011-07-01 11:36:51 UTC
Yes we can check this better in later Fedora, since puppetmaster is just doing an access check.  In F14/F15 we can differentiate this from actually running the executable.

Allowing puppetmaster to execute passwd is not a risk unless we allow it to modify etc_t or shadow_t.

I have no problem allowing this access.

But Yury, you should open a rhel6.1 bugzilla.

Comment 28 Dominick Grift 2011-07-01 12:59:49 UTC
audit_access does not work for this... it really just needs getattr and execute.

Comment 29 Fedora Update System 2011-07-01 18:55:25 UTC
Package selinux-policy-3.9.16-32.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-32.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-32.fc15
then log in and leave karma (feedback).

Comment 30 Yury V. Zaytsev 2011-07-02 10:14:42 UTC
Thank you for your comments! Created bug #718390 against RHEL6.

Comment 31 Fedora Update System 2011-07-08 18:09:41 UTC
selinux-policy-3.9.16-32.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Scott Poore 2011-10-07 00:08:50 UTC
I believe I'm seeing a similar issue. I tried updating selinux-policy from the updates repo, but I'm still seeing failures starting puppetmaster.

[root@vm01 ~]# rpm -qa|egrep "selinux-policy|puppet"
selinux-policy-3.9.16-39.fc15.noarch
puppet-2.6.6-1.fc15.noarch
puppet-server-2.6.6-1.fc15.noarch
selinux-policy-targeted-3.9.16-39.fc15.noarch

[root@vm01 ~]# date
Thu Oct  6 19:04:00 CDT 2011

[root@vm01 ~]# service puppetmaster start
Starting puppetmaster (via systemctl):  Job failed. See system logs and 'systemctl status' for details.
                                                           [FAILED]
[root@vm01 ~]# grep 19:04 /var/log/messages 
Oct  6 16:19:04 vm01 yum[3668]: Updated: file-5.07-4.fc15.x86_64
Oct  6 19:04:09 vm01 puppet-master[1523]: Could not create resources for managing Puppet's files and directories in sections [:main, :master, :ssl]: Could not find a default provider for user
Oct  6 19:04:09 vm01 puppet-master[1523]: Could not create resources for managing Puppet's files and directories in sections [:ca]: Could not find a default provider for user
Oct  6 19:04:09 vm01 puppet-master[1523]: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl, :ca]: Could not find a default provider for user
Oct  6 19:04:09 vm01 puppet-master[1523]: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: Could not find a default provider for user
Oct  6 19:04:09 vm01 puppet-master[1523]: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: Could not find a default provider for user
Oct  6 19:04:09 vm01 puppet-master[1523]: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: Could not find a default provider for user
Oct  6 19:04:10 vm01 systemd[1]: puppetmaster.service: control process exited, code=exited status=1
Oct  6 19:04:10 vm01 systemd[1]: Unit puppetmaster.service entered failed state.

[root@vm01 ~]# ausearch -m avc -ts 19:04
----
time->Thu Oct  6 19:04:09 2011
type=SYSCALL msg=audit(1317945849.645:107): arch=c000003e syscall=21 success=no exit=-13 a0=2803d90 a1=1 a2=0 a3=2 items=0 ppid=1522 pid=1523 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1317945849.645:107): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" dev=dm-1 ino=574802 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Oct  6 19:04:09 2011
type=SYSCALL msg=audit(1317945849.731:108): arch=c000003e syscall=21 success=no exit=-13 a0=27f6060 a1=1 a2=0 a3=2 items=0 ppid=1522 pid=1523 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1317945849.731:108): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" dev=dm-1 ino=574802 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Oct  6 19:04:09 2011
type=SYSCALL msg=audit(1317945849.758:109): arch=c000003e syscall=21 success=no exit=-13 a0=23f6ea0 a1=1 a2=0 a3=2 items=0 ppid=1522 pid=1523 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1317945849.758:109): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" dev=dm-1 ino=574802 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Oct  6 19:04:09 2011
type=SYSCALL msg=audit(1317945849.788:110): arch=c000003e syscall=21 success=no exit=-13 a0=265f360 a1=1 a2=0 a3=2 items=0 ppid=1522 pid=1523 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1317945849.788:110): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" dev=dm-1 ino=574802 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Oct  6 19:04:09 2011
type=SYSCALL msg=audit(1317945849.828:111): arch=c000003e syscall=21 success=no exit=-13 a0=2573510 a1=1 a2=0 a3=2 items=0 ppid=1522 pid=1523 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1317945849.828:111): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" dev=dm-1 ino=574802 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
----
time->Thu Oct  6 19:04:09 2011
type=SYSCALL msg=audit(1317945849.858:112): arch=c000003e syscall=21 success=no exit=-13 a0=2ddcd80 a1=1 a2=0 a3=2 items=0 ppid=1522 pid=1523 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1317945849.858:112): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" dev=dm-1 ino=574802 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

Any help would be greatly appreciated.   

Thanks,
Scott
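
The denials quoted in this thread, reduced to the rules they imply, as an added example (not part of any comment here and not code from selinux-policy or Puppet). It pairs each AVC record with its SYSCALL record by audit event id, so the result shows both the permissions requested and that they came from stat/access probes (syscall 4 and 21 on x86_64) rather than execve. The sample records are abridged from the thread; the function names and the syscall table are assumptions of this example.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers relevant to the records in this bug.
SYSCALLS = {"4": "stat", "21": "access", "59": "execve"}
EVENT = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\w+)")

# Constructed sample: records abridged from the denials quoted in this bug.
SAMPLE = """\
type=SYSCALL msg=audit(1309454441.962:3563): arch=c000003e syscall=4 success=no exit=-13 comm="puppetmasterd" exe="/usr/bin/ruby"
type=AVC msg=audit(1309454441.962:3563): avc:  denied  { getattr } for  pid=25729 comm="puppetmasterd" path="/usr/bin/chage" scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1317945849.645:107): arch=c000003e syscall=21 success=no exit=-13 comm="puppetmasterd" exe="/usr/bin/ruby"
type=AVC msg=audit(1317945849.645:107): avc:  denied  { execute } for  pid=1523 comm="puppetmasterd" name="chage" scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
"""

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    syscall_of, denials = {}, []
    for line in log_text.splitlines():
        head = EVENT.match(line)
        if not head:
            continue  # '----' separators and 'time->' lines
        kind, event_id = head.groups()
        num = re.search(r"\bsyscall=(\d+)", line)
        avc = AVC.search(line)
        if kind == "SYSCALL" and num:
            syscall_of[event_id] = SYSCALLS.get(num.group(1), "syscall " + num.group(1))
        elif kind == "AVC" and avc:
            perms, scon, tcon, tclass = avc.groups()
            # The type is the third field of user:role:type:level.
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            denials.append((event_id, key, perms.split()))
    summary = defaultdict(lambda: {"perms": set(), "syscalls": set(), "events": 0})
    # Second pass, because raw audit.log may list the AVC before its SYSCALL.
    for event_id, key, perms in denials:
        summary[key]["perms"].update(perms)
        summary[key]["syscalls"].add(syscall_of.get(event_id, "unknown"))
        summary[key]["events"] += 1
    return dict(summary)

def allow_rules(summary):
    """Render each group as one type-enforcement allow rule."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(e["perms"])))
            for (src, tgt, cls), e in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE))))
```

On a live system the input would be the text printed by `ausearch -m avc`, as used in the comments above.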

Comment 33 Miroslav Grepl 2011-10-07 07:21:24 UTC
Fixed in selinux-policy-3.9.16-43.fc15

Comment 34 Scott Poore 2011-10-08 00:29:18 UTC
Where can I grab a copy to test?   I looked on the koji and admin sites and couldn't find it.

Comment 35 Miroslav Grepl 2011-10-10 11:05:08 UTC
A new build will be available today.

Comment 36 Adam Huffman 2011-10-11 16:20:19 UTC
Could you make an F14 build as well?

Thanks

Comment 37 Scott Poore 2011-10-13 17:41:49 UTC
selinux-policy-3.9.16-43.fc15 fixed my issue:

[root@vm01 ~]# service puppetmaster start
Starting puppetmaster (via systemctl):                     [  OK  ]

[root@vm01 ~]# grep 12:40.*puppet-master /var/log/messages
Oct 13 12:40:11 vm01 puppet-master[14554]: Reopening log files
Oct 13 12:40:11 vm01 puppet-master[14554]: Starting Puppet master version 2.6.6

[root@vm01 ~]# ausearch -m avc -ts yesterday
<no matches>

Thanks!

Comment 38 Adam Huffman 2011-10-19 16:42:44 UTC
Just another request for an F14 build to fix this problem, if possible...

Comment 39 Fedora Update System 2011-11-16 16:15:16 UTC
selinux-policy-3.9.16-48.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-48.fc15

Comment 40 Fedora Update System 2011-11-17 23:33:56 UTC
Package selinux-policy-3.9.16-48.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-48.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16023/selinux-policy-3.9.16-48.fc15
then log in and leave karma (feedback).

Comment 41 Fedora Update System 2011-12-04 02:33:25 UTC
selinux-policy-3.9.16-48.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
