Description of problem:
There are a couple of SELinux denials when the puppetmaster service is started. They don't seem fatal, though they shouldn't exist at all.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-56.fc16.noarch.rpm
selinux-policy-targeted-3.10.0-56.fc16.noarch.rpm
facter-1.6.2-1.fc16.noarch.rpm
puppet-2.6.12-1.fc16.noarch.rpm
puppet-server-2.6.12-1.fc16.noarch.rpm

How reproducible:
At least 2 times.

Steps to Reproduce:
1. Install Fedora 16
2. Install puppet-server
3. I started and stopped the puppetmaster service several times, i.e. service puppetmaster start/stop.

Actual results:
----
time->Wed Nov 23 21:12:05 2011
type=SERVICE_START msg=audit(1322075525.493:113): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="puppetmaster" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
----
time->Wed Nov 23 21:12:05 2011
type=SYSCALL msg=audit(1322075525.359:112): arch=c000003e syscall=21 success=no exit=-13 a0=7fff0296a8e0 a1=4 a2=7fff0296a8ee a3=7fff0296a6f0 items=0 ppid=5314 pid=5315 auid=4294967295 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1322075525.359:112): avc: denied { read } for pid=5315 comm="puppetmasterd" name="unix" dev=proc ino=4026532000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Nov 23 21:12:22 2011
type=SERVICE_STOP msg=audit(1322075542.420:114): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="puppetmaster" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
----
time->Wed Nov 23 21:12:27 2011
type=SERVICE_START msg=audit(1322075547.304:116): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="puppetmaster" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
----
time->Wed Nov 23 21:12:27 2011
type=SYSCALL msg=audit(1322075547.108:115): arch=c000003e syscall=21 success=no exit=-13 a0=7fff920e4dd0 a1=4 a2=7fff920e4dde a3=7fff920e4be0 items=0 ppid=5379 pid=5380 auid=4294967295 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1322075547.108:115): avc: denied { read } for pid=5380 comm="puppetmasterd" name="unix" dev=proc ino=4026532000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Nov 23 21:23:48 2011
type=SERVICE_START msg=audit(1322076228.544:119): user pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=': comm="puppetmaster" exe="/bin/systemd" hostname=? addr=? terminal=? res=success'
----
time->Wed Nov 23 21:23:48 2011
type=SYSCALL msg=audit(1322076228.410:118): arch=c000003e syscall=21 success=no exit=-13 a0=7fffec270cc0 a1=4 a2=7fffec270cce a3=7fffec270ad0 items=0 ppid=5603 pid=5604 auid=4294967295 uid=52 gid=52 euid=52 suid=0 fsuid=52 egid=52 sgid=0 fsgid=52 tty=(none) ses=4294967295 comm="puppetmasterd" exe="/usr/bin/ruby" subj=system_u:system_r:puppetmaster_t:s0 key=(null)
type=AVC msg=audit(1322076228.410:118): avc: denied { read } for pid=5604 comm="puppetmasterd" name="unix" dev=proc ino=4026532000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

Expected results:
No SELinux denials.

Additional info:
/var/lib/puppet/ was empty the first time because it was a fresh install.
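For triage, the repeated records in the report above reduce to a single access vector seen on every service start. The following Python sketch is an added example, not part of the original report or of any Fedora tooling; the function names are illustrative, and the sample embeds the three AVC lines from the report plus one abridged SERVICE_START line.

```python
import re
from collections import defaultdict

# AVC records copied from the report; the SERVICE_START line is abridged.
SAMPLE = """\
type=SERVICE_START msg=audit(1322075525.493:113): user pid=1 uid=0 subj=system_u:system_r:init_t:s0 res=success
type=AVC msg=audit(1322075525.359:112): avc: denied { read } for pid=5315 comm="puppetmasterd" name="unix" dev=proc ino=4026532000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1322075547.108:115): avc: denied { read } for pid=5380 comm="puppetmasterd" name="unix" dev=proc ino=4026532000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1322076228.410:118): avc: denied { read } for pid=5604 comm="puppetmasterd" name="unix" dev=proc ino=4026532000 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
"""

# auditd hex-encodes values containing spaces, so key=value pairs split on whitespace.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm", "").strip('"'),
        "name": fields.get("name", "").strip('"'),
        "source": se_type(fields["scontext"]),
        "target": se_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def unique_denials(log_text):
    """Group denials by (source type, target type, class, perms) -> event serials."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source"], rec["target"], rec["tclass"], rec["perms"])
            groups[key].append(rec["serial"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perms), serials in unique_denials(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} x{len(serials)} events {serials}")
```

The event serials in the result (the number after the colon in `msg=audit(...)`) match the SYSCALL records with the same serial, which is how each denial is tied back to the failing call.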
Fixed in selinux-policy-targeted-3.10.0-59.fc16
selinux-policy-3.10.0-59.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-59.fc16
Package selinux-policy-3.10.0-60.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-60.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-60.fc16
then log in and leave karma (feedback).
Package selinux-policy-3.10.0-61.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-61.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16371/selinux-policy-3.10.0-61.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-61.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.