[colug-432] Puppet + Subversion + SELinux
Scott Merrill
skippy at skippy.net
Thu Feb 24 15:18:53 EST 2011
On Thu, Feb 24, 2011 at 3:09 PM, R P Herrold <herrold at owlriver.com> wrote:
> On Thu, 24 Feb 2011, Scott Merrill wrote:
>> Out of the box, I would expect the puppetmasterd daemon to have the
>> necessary (SELinux) permissions to read /etc/puppet, since that's
>> where the files live, by default.
>>
>> The actual denial is { getattr }. Does that prevent the reading of the
>> file altogether? That's not entirely clear to me.
>
> When the puppetmasterd process 'stat's the file, this is
> blocked, and any later read will fail, as the puppetmasterd
> (probably) concludes from the failed stat that there is no file
> there, that there is a permissions problem, or such. We would
> have to strace the code to see just where the read is being
> attempted, but the bottom line is that the 'denied' needs to
> be resolved [see the scripts annexed to my prior reference to
> the blog posts]
> /usr/local/puppet/manifests/site.pp
> that is being blocked. This is not down the tree:
> /etc/puppet
>
> ... later
Ahhh! The use of /usr/local/puppet was my attempt to avoid SELinux by
placing all of this in a non-standard location, as mentioned in
response to Joshua Kramer. This effort was aborted. I should've looked
more carefully at the audit log snippets I pasted.
Thanks for helping me catch that.
Cheers,
Scott
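As an added example, not part of this thread or of Puppet itself, the following POSIX shell helpers pull the fields a practitioner needs out of an AVC record like the one discussed (source domain, denied permission, target type, path) and print the persistent relabel commands for a non-standard tree such as /usr/local/puppet. The AVC line is constructed to match the thread's description rather than copied from a real log; the domain and type names in it (puppetmaster_t, usr_t) and the puppet_etc_t target type are assumptions about the targeted policy and should be confirmed on the actual host with `ls -Z /etc/puppet` or `matchpathcon /etc/puppet` before relabelling.

```shell
#!/bin/sh
# Constructed AVC record modelled on the denial discussed in the thread.
# Not a real log excerpt; context names are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1298577000.123:456): avc:  denied  { getattr } for  pid=1234 comm="puppetmasterd" path="/usr/local/puppet/manifests/site.pp" dev=sda1 ino=12345 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in the record, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the (first) denied permission inside the braces, e.g. getattr
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type component (user:role:TYPE:level) of a context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "SOURCE_DOMAIN PERMISSION TARGET_TYPE PATH"
# A denied getattr fails the stat() itself, so the caller never gets as far
# as open()/read(); that is why "getattr" alone is enough to break a load.
avc_summary() {
    _l="$1"
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$_l" scontext)")" \
        "$(avc_perm "$_l")" \
        "$(ctx_type "$(avc_field "$_l" tcontext)")" \
        "$(avc_field "$_l" path)"
}

# relabel_plan DIR TYPE -> commands that persistently give DIR and everything
# under it the type TYPE. Printed rather than executed: they need root and
# the policycoreutils tools, and the type name must be verified first.
# semanage records the mapping in the file-context database so a later
# full relabel keeps it; restorecon applies it now. chcon alone would be lost.
relabel_plan() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\nrestorecon -Rv %s\n' "$2" "$1" "$1"
}

# Stand-alone run: summarise the sample record, then show the fix for the tree.
avc_summary "$SAMPLE_AVC"
relabel_plan /usr/local/puppet puppet_etc_t
```

On a live system the records come from `ausearch -m avc -c puppetmasterd` (or from /var/log/audit/audit.log directly) rather than from the constructed string above. The relabel route is the right one here: the manifests are Puppet's own configuration, so giving the tree the type the policy already allows puppetmaster_t to read is narrower than generating a custom module with audit2allow that lets the daemon read arbitrary usr_t files.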