I am setting up some machines with SELinux in enforcing mode and have the following class set up.

    class symphony-selinux inherits selinux-enforcing {
      exec {"semanage-sec_ego":
        command => "semanage fcontext -a -t textrel_shlib_t '/opt/ego/1.2/linux2.6-glibc2.3-x86/lib/sec_ego_default.so'",
        unless  => "semanage fcontext -l | grep -q '^/opt/ego/1.2/linux2.6-glibc2.3-x86/lib/sec_ego_default.so'",
        require => File["/etc/selinux/config"]
      }
      exec {"restore-con-sec_ego":
        command => "restorecon -R /opt/ego/1.2/linux2.6-glibc2.3-x86/lib/sec_ego_default.so",
        unless  => "ls -Z /opt/ego/1.2/linux2.6-glibc2.3-x86/lib/sec_ego_default.so | grep -q textrel_shlib_t",
        require => Exec["semanage-sec_ego"]
      }
    }

This works perfectly, but I get some nastygrams in /var/log/audit/audit.log that I do not know how to handle. Has anyone come across this sort of problem before and worked out a solution?

Despite the audit messages, puppet does still appear to be doing what I ask, even though the sealert message says it was denied and SELinux is in enforcing mode. The problem I face in getting rid of these messages is that they refer to /tmp/puppet.$PID.0, and this obviously changes in each puppet run.

sealert says this:

    Summary:
        SELinux is preventing the semanage from using potentially mislabeled files (/tmp/puppet.15234.0).

    Detailed Description:
        SELinux has denied semanage access to potentially mislabeled file(s) (/tmp/puppet.15234.0). This means that SELinux will not allow semanage to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

    Allowing Access:
        If you want semanage to access this files, you need to relabel them using restorecon -v '/tmp/puppet.15234.0'. You might want to relabel the entire directory using restorecon -R -v '/tmp'.
    Additional Information:
        Source Context         user_u:system_r:semanage_t
        Target Context         user_u:object_r:tmp_t
        Target Objects         /tmp/puppet.15234.0 [ file ]
        Source                 semanage
        Source Path            /usr/bin/python
        Port                   <Unknown>
        Host                   <Unknown>
        Source RPM Packages    python-2.4.3-24.el5_3.6
        Target RPM Packages
        Policy RPM             selinux-policy-2.4.6-203.el5
        Selinux Enabled        True
        Policy Type            targeted
        MLS Enabled            True
        Enforcing Mode         Enforcing
        Plugin Name            home_tmp_bad_labels
        Host Name              galap002
        Platform               Linux myhost 2.6.18-128.2.1.el5 #1 SMP Tue Jul 14 06:39:56 EDT 2009 i686 i686
        Alert Count            1
        First Seen             Thu Jul 30 11:25:13 2009
        Last Seen              Thu Jul 30 11:25:13 2009
        Local ID               8086b700-d393-48da-b681-7b2215acb24b
        Line Numbers           8482, 8483

    Raw Audit Messages:
        type=AVC msg=audit(1248953113.972:3457): avc: denied { write } for pid=15821 comm="semanage" path="/tmp/puppet.15234.0" dev=dm-1 ino=14 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
        type=SYSCALL msg=audit(1248953113.972:3457): arch=40000003 syscall=11 success=yes exit=0 a0=9bd0ee8 a1=9bd1380 a2=9bd1280 a3=40 items=0 ppid=15234 pid=15821 auid=525 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=443 comm="semanage" exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0 key=(null)

Thanks for any help and advice.

--
Trevor Hemsley
Infrastructure Engineer, Calypso, Brighton, UK
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
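An added example, not from the post or from Puppet: a small Python triage of the two raw audit records quoted above. It pairs the AVC and SYSCALL lines by audit serial, pulls out the source and target types, recognises Puppet's per-run /tmp/puppet.<pid>.<n> output file (the path pattern is an assumption based on the post), and uses the fact that the execve itself succeeded to explain why Puppet still works: the denial is the kernel revalidating inherited file descriptors at the semanage_t domain transition, not a blocked command.

```python
import re

# Constructed sample input: the two raw audit records quoted in the post (one event, serial 3457).
RAW_AUDIT = """\
type=AVC msg=audit(1248953113.972:3457): avc: denied { write } for pid=15821 comm="semanage" path="/tmp/puppet.15234.0" dev=dm-1 ino=14 scontext=user_u:system_r:semanage_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1248953113.972:3457): arch=40000003 syscall=11 success=yes exit=0 a0=9bd0ee8 a1=9bd1380 a2=9bd1280 a3=40 items=0 ppid=15234 pid=15821 auid=525 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=443 comm="semanage" exe="/usr/bin/python" subj=user_u:system_r:semanage_t:s0 key=(null)
"""

SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PUPPET_TMP_RE = re.compile(r'^/tmp/puppet\.\d+\.\d+$')   # assumed shape of Puppet's exec output file
EXECVE_I386 = ('40000003', '11')   # arch=AUDIT_ARCH_I386, syscall 11 is execve

def parse_events(text):
    """Group audit lines by serial and merge their key=value fields into one event."""
    events = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {'serial': m.group(1)})
        ev.update((k, v.strip('"')) for k, v in KV_RE.findall(line))
        p = PERMS_RE.search(line)
        if p:
            ev['perms'] = p.group(1).split()
    return list(events.values())

def triage(text):
    """For each AVC denial: what was denied, on which labels, and whether it actually bit."""
    findings = []
    for ev in parse_events(text):
        if 'perms' not in ev:
            continue
        f = {
            'serial': ev['serial'],
            'perms': ev['perms'],
            'source_type': ev['scontext'].split(':')[2],   # e.g. semanage_t
            'target_type': ev['tcontext'].split(':')[2],   # e.g. tmp_t
            'puppet_tmpfile': bool(PUPPET_TMP_RE.match(ev.get('path', ''))),
            'execve_succeeded': (ev.get('arch'), ev.get('syscall')) == EXECVE_I386
                                and ev.get('success') == 'yes',
        }
        # A denied file write logged against a successful execve is the kernel revalidating
        # inherited descriptors at the domain transition: the fd semanage_t may not write is
        # replaced with /dev/null, so the command runs and only its output to the temp file is lost.
        if f['execve_succeeded'] and 'write' in f['perms']:
            f['verdict'] = 'inherited fd revoked at exec; command not blocked'
        else:
            f['verdict'] = 'access denied to the running process'
        findings.append(f)
    return findings
```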