Description of problem:
The provided /etc/puppet/puppet.conf file moves the SSL/CA directory to /var/lib/puppet/ssl/ca but the puppet-server RPM does not provide it:

# service puppetmaster start
Starting puppetmaster: Could not prepare for execution: Cannot save ca; parent directory /var/lib/puppet/ssl/ca does not exist
                                                           [FAILED]

Version-Release number of selected component (if applicable):
puppet-2.6.6-1.el6.noarch
puppet-server-2.6.6-1.el6.noarch

How reproducible:
Every time.

Steps to Reproduce:
1. Install puppet and puppet-server packages
2. service puppetmaster start

Actual results:
# service puppetmaster start
Starting puppetmaster: Could not prepare for execution: Cannot save ca; parent directory /var/lib/puppet/ssl/ca does not exist
                                                           [FAILED]

Expected results:
It should start the puppetmaster daemon.

Additional info:
Do you have selinux enabled? If so, do you have any AVC denial messages (ausearch -m AVC | grep puppet)? This could be caused by selinux. The policy is fixed in Fedora 15 and has been backported to EL 6, but is not yet deployed as an update. Similar issues were discussed in bugs #711804 and #718390.
Yes, that's it:

type=SYSCALL msg=audit(1311776220.374:119100): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3dcc7780 a1=7fffd0e00e40 a2=7fffd0e00e40 a3=a items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776220.374:119100): avc: denied { search } for pid=47089 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1311776220.374:119101): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3dcc7780 a1=7fffd0e00e40 a2=7fffd0e00e40 a3=a items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776220.374:119101): avc: denied { search } for pid=47089 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1311776220.925:119102): arch=c000003e syscall=4 success=no exit=-13 a0=215dee0 a1=7fffd0ddd660 a2=7fffd0ddd660 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776220.925:119102): avc: denied { getattr } for pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311776221.099:119103): arch=c000003e syscall=4 success=no exit=-13 a0=21a6b20 a1=7fffd0ddd5f0 a2=7fffd0ddd5f0 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776221.099:119103): avc: denied { getattr } for pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311776221.104:119104): arch=c000003e syscall=4 success=no exit=-13 a0=21c37c0 a1=7fffd0dd2090 a2=7fffd0dd2090 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776221.104:119104): avc: denied { getattr } for pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311776221.109:119105): arch=c000003e syscall=4 success=no exit=-13 a0=21e02c0 a1=7fffd0dc4940 a2=7fffd0dc4940 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776221.109:119105): avc: denied { getattr } for pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311778033.988:40385): arch=c000003e syscall=4 success=no exit=-2 a0=7ff705b12780 a1=7fff8eecb4e0 a2=7fff8eecb4e0 a3=a items=0 ppid=2142 pid=2143 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311778033.988:40385): avc: denied { search } for pid=2143 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1311778036.027:40386): arch=c000003e syscall=4 success=yes exit=0 a0=2e24d40 a1=7fff8eea7d00 a2=7fff8eea7d00 a3=81 items=0 ppid=2142 pid=2143 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311778036.027:40386): avc: denied { getattr } for pid=2143 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

audit2allow gives me:

#============= puppetmaster_t ==============
allow puppetmaster_t passwd_exec_t:file { getattr execute };
allow puppetmaster_t puppet_etc_t:file { relabelfrom relabelto };
allow puppetmaster_t sysfs_t:dir search;

so I'll take the latest policy file, as mentioned in bug #711804. Quick check for now with SELinux permissive mode shows it works fine. Thanks!
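As an added example (not part of the bug report, and not code from puppet or selinux-policy), a small Python triage helper that does what the comment above does by hand: it pulls the AVC records out of raw ausearch output, ignores the SYSCALL records, and collapses the denials by source type, target type and object class into the allow-rule shape audit2allow prints, so a reviewer can see at a glance which accesses the confined puppetmaster_t domain is being refused. The sample records are copied from the report; the `execute` record is constructed to show the multi-permission case.

```python
import re
from collections import defaultdict

# Sample ausearch output. All but the last record are copied from the bug;
# the final { execute } record is CONSTRUCTED to exercise multi-permission grouping.
SAMPLE_AUSEARCH = """\
type=SYSCALL msg=audit(1311776220.374:119100): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3dcc7780 a1=7fffd0e00e40 a2=7fffd0e00e40 a3=a items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776220.374:119100): avc: denied { search } for pid=47089 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311776220.925:119102): avc: denied { getattr } for pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=AVC msg=audit(1311778036.027:40386): avc: denied { getattr } for pid=2143 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=AVC msg=audit(1311778036.500:40387): avc: denied { execute } for pid=2143 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
"""

# Only AVC records carry the denied permission set and the two contexts.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, permission) for every AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        for perm in m.group("perms").split():
            yield (selinux_type(m.group("scontext")),
                   selinux_type(m.group("tcontext")), m.group("tclass"), perm)


def summarize(text):
    """Group denials by (source, target, class) into audit2allow-style allow lines."""
    perms = defaultdict(set)
    for src, tgt, cls, perm in parse_avc(text):
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        plist = " ".join(sorted(ps))
        if len(ps) > 1:
            plist = "{ " + plist + " }"  # audit2allow braces multi-permission sets
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_AUSEARCH)))
```

The output is a triage summary, not a policy to install: as the thread concludes, the fix taken was the updated distribution policy rather than a locally generated module.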
Excellent. Thanks for testing. If you still have AVC denials with the latest policy from Dan's repository, let us know and we can reassign this to selinux and get things fixed up.