[colug-432] Puppet + Subversion + SELinux

R P Herrold herrold at owlriver.com
Thu Feb 24 13:37:59 EST 2011


On Thu, 24 Feb 2011, Scott Merrill wrote:

> for its various files; but I suspect that the SELinux context issue
> will still arise. Indeed, I did try placing the files in
> /usr/local/puppet, and setting the context on that directory to
> httpd_sys_content_t so that the post-commit hook could write to it.
   *******************
> While the puppetmaster daemon started, the audit log reported a number
> of denials:
>
> type=AVC msg=audit(1298560236.944:186278): avc:  denied  { search }
> for  pid=3254 comm="puppetmasterd" name="pki" dev=dm-0 ino=1703985
> scontext=unconfined_u:system_r:puppetmaster_t:s0
> tcontext=system_u:object_r:cert_t:s0 tclass=dir
            ***************************

here the puppetmasterd is looking to read a certificate, and 
the read is blocked because there is not an allow rule in the 
indicated context.  From the puppet mailing list, I know that 
this has caused hard to diagnose issues

> type=AVC msg=audit(1298560237.269:186279): avc:  denied  { getattr }
> for  pid=3254 comm="puppetmasterd"
> path="/usr/local/puppet/manifests/site.pp" dev=dm-0 ino=5224
> scontext=unconfined_u:system_r:puppetmaster_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

again, the .pp script is read-blocked, and so will fail in a 
manner which might be predicted by examining the caller and 
the code not able to be read

> I don't know enough about SELinux (or Puppet, frankly) to know how
> serious those messages are to the successful operation of the Puppet
> system.

I wrote a blog post on this, and using an iterative process 
of adding SELinux rules a while ago ... /me looks

http://orcorc.blogspot.com/2010/12/ripping-out-safeties.html
 	and a followup on using loop mounted ISOs with vsftpd
http://orcorc.blogspot.com/2010/12/loop-de-loop.html

Basically, the process is to run a new application through all 
its options, to cause all code paths to be _attempted_ [and 
initially blocked by SELinux].  With that in hand one 
'loosens' a bit with a new ruleset, and repeats the process. 
Eventually, one ends up with a complete rule set, but it is an 
iterative process.

With that in hand, one builds a local ruleset to merge into the 
defaults which one gets with one's distribution, and to load 
and enforce from boot time, on ...

This will apply equally well in any recent Red Hat derived 
distribution.

I might note that Steve Smalley, and others involved with 
SELinux at the NSA and Red Hat welcome, and are quite 
responsive to reports of problems through the Red Hat 
bugzilla, and also on their mailing list.  They actively 
solicit and promptly resolve such access issues.

I note you have used the /usr/local/ point in the file system, 
which Red Hat has intentionally avoided.  This implies local 
non-package managed content, although this is not a necessary 
constraint.  It may be worth participating in the puppet 
mailing list, and generalizing and upstreaming your code so 
it gets folded into the base distribution [the puppet folks 
are also an active and enthusiastic bunch]

[Subversion is NOT where the 'cool kids' play these days -- 
they have all moved to the 'git' dvcs, and github and 
work-alikes, it seems  ;) ]

-- Russ herrold
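An added example, not part of Russ's message or of Puppet: the "collect denials, loosen, repeat" step above, done by hand on the two AVC lines Scott quoted. It assumes only POSIX sh and awk; the module name local_puppet is a placeholder, and the build/load commands are shown as comments because they need root and the policy tools.

```shell
#!/bin/sh
# Added example: turn AVC denials into loadable SELinux module source (.te),
# the step audit2allow performs in the "run it, collect denials, loosen,
# repeat" loop. Assumes POSIX sh + awk; "local_puppet" is a placeholder name.
# Constructed sample: the two denials quoted in the thread, one per line.
AVC_SAMPLE='type=AVC msg=audit(1298560236.944:186278): avc:  denied  { search } for  pid=3254 comm="puppetmasterd" name="pki" dev=dm-0 ino=1703985 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1298560237.269:186279): avc:  denied  { getattr } for  pid=3254 comm="puppetmasterd" path="/usr/local/puppet/manifests/site.pp" dev=dm-0 ino=5224 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'
# avc_to_te MODULE < audit-lines : prints a .te with a require block and one
# allow rule per (source type, target type, class), permissions merged.
avc_to_te() {
  awk -v mod="$1" '
  function add(set, k, p) {            # add p to the space-separated set[k]
    if (index(" " set[k] " ", " " p " ") == 0)
      set[k] = (set[k] == "" ? p : set[k] " " p)
  }
  /avc: +denied/ {
    s = index($0, "{"); e = index($0, "}")
    perms = substr($0, s + 1, e - s - 1); gsub(/^ +| +$/, "", perms)
    src = tgt = cls = ""
    for (i = 1; i <= NF; i++) {        # type is the 3rd field of a context
      if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
      if ($i ~ /^tclass=/)   cls = substr($i, 8)
    }
    if (src == "" || tgt == "" || cls == "") next   # malformed line: skip
    key = src ":" tgt ":" cls
    if (!(key in rule)) { keys[++n] = key; rule[key] = "" }
    np = split(perms, p, " ")
    for (j = 1; j <= np; j++) { add(rule, key, p[j]); add(cp, cls, p[j]) }
    types[src] = 1; types[tgt] = 1
  }
  END {
    printf "module %s 1.0;\n\nrequire {\n", mod
    for (t in types) printf "\ttype %s;\n", t
    for (c in cp)    printf "\tclass %s { %s };\n", c, cp[c]
    printf "}\n\n"
    for (k = 1; k <= n; k++) {
      split(keys[k], f, ":")
      printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], rule[keys[k]]
    }
  }'
}
# Build and load (as root, with checkmodule/semodule_package installed):
#   avc_to_te local_puppet < /var/log/audit/audit.log > local_puppet.te
#   checkmodule -M -m -o local_puppet.mod local_puppet.te
#   semodule_package -o local_puppet.pp -m local_puppet.mod && semodule -i local_puppet.pp
# then rerun the application and repeat until no new denials appear. When a file
# merely carries the wrong label (site.pp as httpd content), relabel it instead.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te local_puppet
```

Every allow rule it emits should be read before loading: a denial is evidence that a code path was attempted, not proof that it should be permitted.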

