David Dyer-Bennet
2009-Feb-11 22:20 UTC
[Puppet Users] selinux problem? which appeared for "no apparent reason" and which I can't kill
Darned thing is suddenly failing. We had a reboot last night, and I changed a couple of files today too, so either one could somehow be responsible. But I can't figure out how from this crash. First I noticed that my changes weren't updating. Then I noticed that puppet wasn't running. Then I found that it won't, in fact, run.

/selinux contains only a single file, enable, which contains the character 0. Selinux is in fact disabled.

I'm running puppet-0.24.6-1.el5 on Centos 5.2.

[ddb@prcapp02 ~]$ sudo service puppet start
Starting puppet:
/usr/lib/ruby/site_ruby/1.8/puppet/util/settings.rb:735:in `use': Got 16 failure(s) while initializing: change from absent to system_u failed: Execution of '/usr/bin/chcon -h -u system_u /var/log/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/log/puppet (RuntimeError)
; change from absent to object_r failed: Execution of '/usr/bin/chcon -h -r object_r /var/log/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/log/puppet
; change from absent to var_log_t failed: Execution of '/usr/bin/chcon -h -t var_log_t /var/log/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/log/puppet
; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0 /var/log/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/log/puppet
; change from absent to system_u failed: Execution of '/usr/bin/chcon -h -u system_u /var/run/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/run/puppet
; change from absent to object_r failed: Execution of '/usr/bin/chcon -h -r object_r /var/run/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/run/puppet
; change from absent to var_run_t failed: Execution of '/usr/bin/chcon -h -t var_run_t /var/run/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/run/puppet
; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0 /var/run/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/run/puppet
; change from absent to system_u failed: Execution of '/usr/bin/chcon -h -u system_u /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /etc/puppet
; change from absent to object_r failed: Execution of '/usr/bin/chcon -h -r object_r /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /etc/puppet
; change from absent to etc_t failed: Execution of '/usr/bin/chcon -h -t etc_t /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /etc/puppet
; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0 /etc/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /etc/puppet
; change from absent to system_u failed: Execution of '/usr/bin/chcon -h -u system_u /var/lib/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/lib/puppet
; change from absent to object_r failed: Execution of '/usr/bin/chcon -h -r object_r /var/lib/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/lib/puppet
; change from absent to var_lib_t failed: Execution of '/usr/bin/chcon -h -t var_lib_t /var/lib/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/lib/puppet
; change from absent to s0 failed: Execution of '/usr/bin/chcon -h -l s0 /var/lib/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/lib/puppet
        from /usr/lib/ruby/site_ruby/1.8/puppet/node/catalog.rb:136:in `apply'
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/settings.rb:731:in `use'
        from /usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
        from /usr/lib/ruby/site_ruby/1.8/puppet/util/settings.rb:711:in `use'
        from /usr/lib/ruby/site_ruby/1.8/puppet/network/client/master.rb:197:in `initialize'
        from /usr/sbin/puppetd:328:in `new'
        from /usr/sbin/puppetd:328
[FAILED]

(Sorry if this is a duplicate; it looks to me like I botched the post last try.)

-- 
David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info

You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
chakkerz
2009-Feb-11 22:30 UTC
[Puppet Users] Re: selinux problem? which appeared for "no apparent reason" and which I can't kill
Hello there

So,
-> what files did you change in puppet, and the OS itself,
-> what's the output of sestatus?

Easiest way to start is probably to do a `setenforce 0` (which will put you into permissive) and see if that fixes things.

Also ensure auditd and setroubleshoot are running and check the /var/log/audit/* and /var/log/messages files for the errors. I believe the audit logs should give you a command to run that tells you how to fix the problem... this is of course assuming you are running with selinux enabled and enforcing (from memory though CentOS does do that by default...).

Cheers
chakkerz

On Feb 12, 8:20 am, "David Dyer-Bennet" <d...@dd-b.net> wrote:
> Darned thing is suddenly failing. We had a reboot last night, and I changed a couple of files today too, so either one could somehow be responsible. But I can't figure out how from this crash. First I noticed that my changes weren't updating. Then I noticed that puppet wasn't running. Then I found that it won't, in fact, run.
>
> /selinux contains only a single file, enable, which contains the character 0. Selinux is in fact disabled.
>
> I'm running puppet-0.24.6-1.el5 on Centos 5.2.
>
> [ddb@prcapp02 ~]$ sudo service puppet start
> Starting puppet:
> /usr/lib/ruby/site_ruby/1.8/puppet/util/settings.rb:735:in `use': Got 16 failure(s) while initializing: change from absent to system_u failed: Execution of '/usr/bin/chcon -h -u system_u /var/log/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/log/puppet (RuntimeError)
> [...]
> [FAILED]
>
> (Sorry if this is a duplicate; it looks to me like I botched the post last try.)
Frank Sweetser
2009-Feb-12 16:34 UTC
[Puppet Users] Re: selinux problem? which appeared for "no apparent reason" and which I can't kill
David Dyer-Bennet wrote:
> Darned thing is suddenly failing. We had a reboot last night, and I changed a couple of files today too, so either one could somehow be responsible. But I can't figure out how from this crash. First I noticed that my changes weren't updating. Then I noticed that puppet wasn't running. Then I found that it won't, in fact, run.
>
> /selinux contains only a single file, enable, which contains the character 0. Selinux is in fact disabled.

Normally, /selinux is a proc-like filesystem which contains information about the state of selinux. If you have selinux completely disabled, though, it shouldn't be mounted at all, and so should be completely empty. This sounds like something tried to unconditionally write out to the enable file without seeing if it was actually mounted first, and the existence of this file in turn confused the selinux code of the file type.

So, in short, try deleting /selinux/enable and see if that fixes things.

-- 
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
David Dyer-Bennet
2009-Feb-12 22:19 UTC
[Puppet Users] Re: selinux problem? which appeared for "no apparent reason" and which I can't kill
On Wed, February 11, 2009 16:30, chakkerz wrote:
>
> Hello there
>
> So,
> -> what files did you change in puppet, and the OS itself,

Don't know, precisely. I don't believe I made any OS changes. Let's see; in puppet I changed firewall.pp to add another flavor (sub-class), and added an iptables file for one class. There should be one more change, to use this new stuff, but I'm looking at viewvc right now and not finding it.

> -> what's the output of sestatus?

That command produces "disabled". Is that any different from the information I included in my original post? I said:

>> /selinux contains only a single file, enable, which contains the
>> character 0. Selinux is in fact disabled.

(That's a cut and paste from where you quoted it in your message.)

And I believe the rest of your advice is based on the assumption that it's an selinux problem, which I don't believe is possible since I'm in disabled mode.

> Easiest way to start is probably to do a `setenforce 0` (which will put you into permissive) and see if that fixes things.
>
> Also ensure auditd and setroubleshoot are running and check the /var/log/audit/* and /var/log/messages files for the errors. I believe the audit logs should give you a command to run that tells you how to fix the problem... this is of course assuming you are running with selinux enabled and enforcing (from memory though CentOS does do that by default...).
>
> Cheers
> chakkerz
>
> On Feb 12, 8:20 am, "David Dyer-Bennet" <d...@dd-b.net> wrote:
>> Darned thing is suddenly failing. We had a reboot last night, and I changed a couple of files today too, so either one could somehow be responsible. But I can't figure out how from this crash. First I noticed that my changes weren't updating. Then I noticed that puppet wasn't running. Then I found that it won't, in fact, run.
>>
>> /selinux contains only a single file, enable, which contains the character 0. Selinux is in fact disabled.
>>
>> I'm running puppet-0.24.6-1.el5 on Centos 5.2.
>>
>> [ddb@prcapp02 ~]$ sudo service puppet start
>> Starting puppet:
>> /usr/lib/ruby/site_ruby/1.8/puppet/util/settings.rb:735:in `use': Got 16 failure(s) while initializing: change from absent to system_u failed: Execution of '/usr/bin/chcon -h -u system_u /var/log/puppet' returned 1: /usr/bin/chcon: can't apply partial context to unlabeled file /var/log/puppet (RuntimeError)
>> [...]
David Dyer-Bennet
2009-Feb-12 22:23 UTC
[Puppet Users] Re: selinux problem? which appeared for "no apparent reason" and which I can't kill
On Thu, February 12, 2009 10:34, Frank Sweetser wrote:
>
> David Dyer-Bennet wrote:
>> Darned thing is suddenly failing. We had a reboot last night, and I changed a couple of files today too, so either one could somehow be responsible. But I can't figure out how from this crash. First I noticed that my changes weren't updating. Then I noticed that puppet wasn't running. Then I found that it won't, in fact, run.
>>
>> /selinux contains only a single file, enable, which contains the character 0. Selinux is in fact disabled.
>
> Normally, /selinux is a proc-like filesystem which contains information about the state of selinux. If you have selinux completely disabled, though, it shouldn't be mounted at all, and so should be completely empty. This sounds like something tried to unconditionally write out to the enable file without seeing if it was actually mounted first, and the existence of this file in turn confused the selinux code of the file type.

Are you sure? There's no sign of it, it doesn't show up in mount output as proc does, and all the files in it LOOK ordinary.

If I delete /selinux/enforce, nothing that I can tell changes. Sestatus still returns "disabled". /selinux is still present as a directory.

-- 
David Dyer-Bennet, dd-b@dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
Frank Sweetser
2009-Feb-13 03:05 UTC
[Puppet Users] Re: selinux problem? which appeared for "no apparent reason" and which I can't kill
David Dyer-Bennet wrote:
>
> On Thu, February 12, 2009 10:34, Frank Sweetser wrote:
>> David Dyer-Bennet wrote:
>>> Darned thing is suddenly failing. We had a reboot last night, and I changed a couple of files today too, so either one could somehow be responsible. But I can't figure out how from this crash. First I noticed that my changes weren't updating. Then I noticed that puppet wasn't running. Then I found that it won't, in fact, run.
>>>
>>> /selinux contains only a single file, enable, which contains the character 0. Selinux is in fact disabled.
>> Normally, /selinux is a proc-like filesystem which contains information about the state of selinux. If you have selinux completely disabled, though, it shouldn't be mounted at all, and so should be completely empty. This sounds like something tried to unconditionally write out to the enable file without seeing if it was actually mounted first, and the existence of this file in turn confused the selinux code of the file type.
>
> Are you sure? There's no sign of it, it doesn't show up in mount output as proc does, and all the files in it LOOK ordinary.
>
> If I delete /selinux/enforce, nothing that I can tell changes. Sestatus still returns "disabled". /selinux is still present as a directory.

Essentially, I think that puppet is having exactly the same confusion that you are =)

Puppet tests for the existence of the file /selinux/enforce to determine if selinux is enabled. Here's what it sounds like happened.

1. Selinux was administratively disabled.
2. This in turn caused the /selinux special filesystem to be unmounted.
3. At this point, something (administrator slip, broken script, etc) created the plain old regular file /selinux/enforce
4. Puppet tests for /selinux/enforce and, finding it, mistakenly believes that selinux is enabled, so tries to use it and fails

If this is correct, the fix is to simply delete /selinux/enforce so that puppet correctly detects that selinux is disabled.

-- 
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
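One way to make the detection Frank describes robust, as an added Ruby example that is not Puppet's own code: before trusting /selinux/enforce, confirm that a selinuxfs is actually mounted by parsing /proc/mounts. The mount-table strings, the scratch directory root and the `root` parameter are constructed for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not Puppet's own code. The thread describes Puppet deciding
# that SELinux is enabled purely from the existence of /selinux/enforce, which
# a stray regular file satisfies. The mount-aware check below also requires a
# selinuxfs entry in /proc/mounts before it trusts that file.
SELINUX_MOUNTPOINT = '/selinux' # CentOS 5 location, as in the thread

# Return the mount point of the selinuxfs entry in /proc/mounts text, or nil.
def selinuxfs_mountpoint(mounts_text)
  mounts_text.each_line do |line|
    fields = line.split
    next if fields.size < 3
    return fields[1] if fields[2] == 'selinuxfs'
  end
  nil
end

# The naive test from the thread: does <root>/selinux/enforce exist?
# `root` is an assumption for testing; real callers would pass '/'.
def naive_selinux_enabled?(root = '/')
  File.exist?(File.join(root, SELINUX_MOUNTPOINT, 'enforce'))
end

# Mount-aware test: selinuxfs must be mounted, and the enforce file must
# exist under that mount point.
def selinux_enabled?(mounts_text, root = '/')
  mountpoint = selinuxfs_mountpoint(mounts_text)
  return false if mountpoint.nil?
  File.exist?(File.join(root, mountpoint, 'enforce'))
end

# Constructed /proc/mounts samples (not captured from a real host).
MOUNTS_WITH_SELINUXFS = "rootfs / rootfs rw 0 0\n" \
                        "/proc /proc proc rw 0 0\n" \
                        "none /selinux selinuxfs rw 0 0\n"
MOUNTS_DISABLED = "rootfs / rootfs rw 0 0\n" \
                  "/proc /proc proc rw 0 0\n"

# Build a scratch tree with a stray regular file selinux/enforce containing
# "0", as in the thread, and compare both checks against both mount tables.
def demo_checks
  results = {}
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, 'selinux'))
    File.write(File.join(root, 'selinux', 'enforce'), "0\n")
    # selinuxfs really mounted: both checks agree that SELinux is present
    results[:mounted] = [naive_selinux_enabled?(root),
                         selinux_enabled?(MOUNTS_WITH_SELINUXFS, root)]
    # SELinux disabled but a stray file left behind: only the naive check is fooled
    results[:stray_file] = [naive_selinux_enabled?(root),
                            selinux_enabled?(MOUNTS_DISABLED, root)]
  end
  results
end

puts demo_checks.inspect if $PROGRAM_NAME == __FILE__
```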