Bug 726061 - puppetmaster fails on startup due to missing SSL/CA directory
Summary: puppetmaster fails on startup due to missing SSL/CA directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: puppet
Version: el6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-07-27 12:52 UTC by Gavin McCance
Modified: 2013-03-18 14:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-18 14:59:11 UTC
Type: ---
Embargoed:



Description Gavin McCance 2011-07-27 12:52:46 UTC
Description of problem:

The provided /etc/puppet/puppet.conf file moves the SSL/CA directory to /var/lib/puppet/ssl/ca but the puppet-server RPM does not provide it:


  # service puppetmaster start

Starting puppetmaster: Could not prepare for execution: Cannot save ca; parent directory /var/lib/puppet/ssl/ca does not exist
                                                           [FAILED]



Version-Release number of selected component (if applicable):

puppet-2.6.6-1.el6.noarch
puppet-server-2.6.6-1.el6.noarch


How reproducible:

Every time.

Steps to Reproduce:
1. Install puppet and puppet-server packages
2. service puppetmaster start

  
Actual results:

  # service puppetmaster start

Starting puppetmaster: Could not prepare for execution: Cannot save ca; parent directory /var/lib/puppet/ssl/ca does not exist
                                                           [FAILED]


Expected results:

It should start the puppetmaster daemon.


Additional info:

Comment 1 Todd Zullinger 2011-07-27 13:27:54 UTC
Do you have selinux enabled?  If so, do you have any AVC denial messages (ausearch -m AVC | grep puppet)?

This could be caused by selinux. The policy is fixed in Fedora 15 and has been backported to EL 6, but is not yet deployed as an update. Similar issues were discussed in bug #711804 and #718390.

Comment 2 Gavin McCance 2011-07-27 15:08:26 UTC
Yes - that's it:

type=SYSCALL msg=audit(1311776220.374:119100): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3dcc7780 a1=7fffd0e00e40 a2=7fffd0e00e40 a3=a items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311776220.374:119100): avc:  denied  { search } for  pid=47089 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1311776220.374:119101): arch=c000003e syscall=4 success=no exit=-13 a0=7ffc3dcc7780 a1=7fffd0e00e40 a2=7fffd0e00e40 a3=a items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311776220.374:119101): avc:  denied  { search } for  pid=47089 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1311776220.925:119102): arch=c000003e syscall=4 success=no exit=-13 a0=215dee0 a1=7fffd0ddd660 a2=7fffd0ddd660 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311776220.925:119102): avc:  denied  { getattr } for  pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311776221.099:119103): arch=c000003e syscall=4 success=no exit=-13 a0=21a6b20 a1=7fffd0ddd5f0 a2=7fffd0ddd5f0 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311776221.099:119103): avc:  denied  { getattr } for  pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311776221.104:119104): arch=c000003e syscall=4 success=no exit=-13 a0=21c37c0 a1=7fffd0dd2090 a2=7fffd0dd2090 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311776221.104:119104): avc:  denied  { getattr } for  pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311776221.109:119105): arch=c000003e syscall=4 success=no exit=-13 a0=21e02c0 a1=7fffd0dc4940 a2=7fffd0dc4940 a3=81 items=0 ppid=47088 pid=47089 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2534 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311776221.109:119105): avc:  denied  { getattr } for  pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1311778033.988:40385): arch=c000003e syscall=4 success=no exit=-2 a0=7ff705b12780 a1=7fff8eecb4e0 a2=7fff8eecb4e0 a3=a items=0 ppid=2142 pid=2143 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311778033.988:40385): avc:  denied  { search } for  pid=2143 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1311778036.027:40386): arch=c000003e syscall=4 success=yes exit=0 a0=2e24d40 a1=7fff8eea7d00 a2=7fff8eea7d00 a3=81 items=0 ppid=2142 pid=2143 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="puppetmasterd" exe="/usr/bin/ruby" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)

type=AVC msg=audit(1311778036.027:40386): avc:  denied  { getattr } for  pid=2143 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file

::

audit2allow gives me:

#============= puppetmaster_t ==============
allow puppetmaster_t passwd_exec_t:file { getattr execute };
allow puppetmaster_t puppet_etc_t:file { relabelfrom relabelto };
allow puppetmaster_t sysfs_t:dir search;

so I'll take the latest policy file, as mentioned in bug #711804.


Quick check for now with SELinux permissive mode shows it works fine. Thanks!
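Added example, not part of the bug report or of the puppet packages: a small Python script that does what the reporter used audit2allow for, parsing AVC denial records of the shape posted above into audit2allow-style allow rules, and then flagging rules whose target type a reviewer should take from the updated distro policy rather than grant locally. The sample log is constructed from the records in this comment; the "sensitive type" set and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the ausearch output in comment 2: one SYSCALL
# record (which carries no denial) and three AVC records for puppetmaster_t.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1311776220.374:119100): arch=c000003e syscall=4 success=no exit=-13 comm="puppetmasterd" subj=unconfined_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1311776220.374:119100): avc:  denied  { search } for  pid=47089 comm="puppetmasterd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1311776220.925:119102): avc:  denied  { getattr } for  pid=47089 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
type=AVC msg=audit(1311778036.027:40386): avc:  denied  { getattr } for  pid=2143 comm="puppetmasterd" path="/usr/bin/chage" dev=dm-0 ino=937394 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:passwd_exec_t:s0 tclass=file
"""

# Pull the permissions and the source/target types out of an AVC record; the
# context's user, role and MLS level are skipped, as audit2allow does.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ '
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)

def parse_avc_denials(text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC denial."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            perms = tuple(m.group("perms").split())
            denials.append((m.group("stype"), m.group("ttype"), m.group("tclass"), perms))
    return denials

def summarize_rules(denials):
    """Collapse repeated denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)

def format_rules(rules):
    """Render the summary as audit2allow-style allow rules, one per line."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {p};")
    return out

def flag_sensitive_targets(rules, sensitive_types):
    """Rules on target types (e.g. passwd_exec_t, which labels /usr/bin/chage) to review, not allow locally."""
    return [key for key in sorted(rules) if key[1] in sensitive_types]
```

Running `format_rules(summarize_rules(parse_avc_denials(SAMPLE_AUDIT_LOG)))` yields the two `search`/`getattr` rules from the audit2allow output above; the `execute` and `relabel*` rules came from records not quoted in this comment.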

Comment 3 Todd Zullinger 2011-07-27 16:40:28 UTC
Excellent.  Thanks for testing.  If you still have AVC denials with the latest policy from Dan's repository, let us know and we can reassign this to selinux and get things fixed up.

