Stefan Heijmans
2012-Mar-20 16:47 UTC
[Puppet Users] mcollective/puppetd & RHEL SELinux alert
Hello,

We are running Puppet 2.7.11-2 on RHEL57 x86_64 with MCollective (on client and server);

On the client;

# rpm -qa|grep -e puppet -e mcollective
mcollective-common-1.2.1-1.el5
puppet-2.7.11-2.el5
mcollective-1.2.1-1.el5
#

with kernel;

Linux <hostname> 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

with SELinux enabled.

# facter|grep sel
selinux => true
selinux_config_mode => enforcing
selinux_config_policy => targeted
selinux_current_mode => enforcing
selinux_enforced => true
selinux_mode => targeted
selinux_policyversion => 21
#

In one of our manifests we set the password for some users.
When we do a puppet-run from the puppetmaster with the mcollective plugin puppetd;

'mco puppetd --wi <hostname> runonce'

we get the following (reproducible) SELinux Alert.

--------------------------------------------------------------------------------

Summary:

SELinux is preventing the nscd from using potentially mislabeled files
(/tmp/puppet.30676.0).

Detailed Description:

SELinux has denied nscd access to potentially mislabeled file(s)
(/tmp/puppet.30676.0). This means that SELinux will not allow nscd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want nscd to access this files, you need to relabel them using
restorecon -v '/tmp/puppet.30676.0'. You might want to relabel the entire
directory using restorecon -R -v '/tmp'.

Additional Information:

Source Context                system_u:system_r:nscd_t
Target Context                system_u:object_r:initrc_tmp_t
Target Objects                /tmp/puppet.30676.0 [ file ]
Source                        nscd
Source Path                   /usr/sbin/nscd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           nscd-2.5-65.el5_7.1
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5_7.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     <hostname>
Platform                      Linux <hostname> 2.6.18-274.18.1.el5 #1 SMP Fri Jan 20 15:11:18 EST 2012 x86_64 x86_64
Alert Count                   4
First Seen                    Tue Mar 20 17:13:25 2012
Last Seen                     Tue Mar 20 17:13:25 2012
Local ID                      fdec3437-c40e-407e-ab3c-f998cf0a49f5
Line Numbers                  10078, 10079, 10080, 10082, 10083, 10084, 10085, 10086, 10087, 10089, 10090, 10091, 10092, 10093, 10094, 10096, 10097, 10098, 10099, 10100, 10101, 10103, 10104, 10105

Raw Audit Messages

type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59 success=yes exit=0 a0=40e9de a1=7fff4f96d120 a2=7fff4f96d150 a3=0 items=2 ppid=31024 pid=31028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0 key="nscd_called-up"
type=CWD msg=audit(1332260005.415:16748): cwd="/"
type=PATH msg=audit(1332260005.415:16748): item=0 name="/usr/sbin/nscd" inode=721057 dev=fd:07 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nscd_exec_t:s0
type=PATH msg=audit(1332260005.415:16748): item=1 name=(null) inode=196612 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0

--------------------------------------------------------------------------------

The problem is that the temporary puppet file (/tmp/puppet.30676.0) gets a SELinux label initrc_tmp_t which the nscd daemon is not allowed to access.

nscd is default off;

# chkconfig --list nscd
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
# service nscd status
nscd is stopped
#

When we run puppet locally with 'puppet agent -t' we don't get the SELinux alert, as the temporary puppet file is now written with the tmp_t SELinux label.

I've talked with Red Hat support about it and, in the end, they say the following about it;

>> As I had stated before, the 'puppet' software is not provided by Red Hat, and the SELinux rules required
>> for the current observed access is not available in Red Hat Enterprise Linux 5. The vendor of the software
>> has to ensure that the software is built to adhere to the current SELinux policy rules available in Red Hat Enterprise Linux 5.

They also mention it is fixed in RHEL6 but that's not an option (yet).

Does anyone have a fix for it on RHEL5?

Regards,
Stefan

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/VsRNiYlOpgYJ.
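The raw audit records above are the part of the alert worth keeping when triaging a denial like this one: the `scontext` type (nscd_t), the `tcontext` type (initrc_tmp_t) and the `tclass` tell you whether a file was simply mislabeled (a relabel fixes it, as the alert's restorecon hint suggests) or whether policy genuinely lacks a rule (as Red Hat states for RHEL5). The following is an added example, not code from the post or from the Puppet or MCollective projects: a small parser that reduces raw `type=AVC` lines to (source type, target type, class, permissions) tuples, drops the duplicate record that audit/setroubleshoot emitted twice, and ignores the non-AVC SYSCALL/CWD/PATH records. The sample audit text is constructed to match the shape of the records in the post; the function names (`parse_avc`, `summarize`, `describe`) are the example's own.

```python
import re
from collections import Counter

# Constructed sample: two identical AVC records (audit reported the same event
# twice, exactly as in the alert above) plus a SYSCALL record that is not a
# denial and must be ignored by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1332260005.415:16748): avc: denied { read write } for pid=31028 comm="nscd" path="/tmp/puppet.30676.0" dev=dm-3 ino=13 scontext=system_u:system_r:nscd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1332260005.415:16748): arch=c000003e syscall=59 success=yes exit=0 comm="nscd" exe="/usr/sbin/nscd" subj=system_u:system_r:nscd_t:s0
"""

# Header of an AVC denial: timestamp, serial, and the permission set in braces.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$'
)
# Remaining key=value pairs; values may be quoted (comm="nscd") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component of an SELinux context (user:role:type:level)."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a record dict for AVC denials, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
    }


def summarize(audit_text):
    """Count distinct denials per (source type, target type, class, perms).

    Records with the same serial, contexts, class, perms and path are the
    same event reported twice and are counted once.
    """
    seen = set()
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["serial"], rec["source_type"], rec["target_type"],
               rec["tclass"], rec["perms"], rec["path"])
        if key in seen:
            continue
        seen.add(key)
        counts[(rec["source_type"], rec["target_type"],
                rec["tclass"], rec["perms"])] += 1
    return counts


def describe(counts):
    """Render the summary as one human-readable line per denial pattern."""
    return [
        f"{n}x {src} denied {','.join(perms)} on {cls} labeled {tgt}"
        for (src, tgt, cls, perms), n in counts.items()
    ]


if __name__ == "__main__":
    for line in describe(summarize(SAMPLE_AUDIT)):
        print(line)
```

Run against `/var/log/audit/audit.log` (or `ausearch -m avc` output) instead of the embedded sample, the summary line for the post's case reads `1x nscd_t denied read,write on file labeled initrc_tmp_t`; the same file written by a local `puppet agent -t` carries tmp_t and produces no record at all, which is the comparison that points at the label inherited from the MCollective-started process rather than at nscd itself.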