Brandon Groves
2013-Mar-19 14:30 UTC
[Puppet Users] Puppet modifying directories by executing shell script as non-root user results in kernel-level insufficient privilege complaints
I am using Puppet 3.1.0 on CentOS 6.3 machines. The puppet master and puppet agents use CentOS 6.3 as their OS. I have a puppet script (init.pp file for the puppet module) that contains the following exec type:

    exec { "postgres init":
      cwd     => "/applications/module",
      command => "bash initializePostgres.sh",
      user    => "postgres",
      group   => "postgres"
    }

As the code alludes to, I am directing puppet to initialize a PostgreSQL database via a shell script. cwd changes the working directory to the module's destination, and the initializePostgres shell script is executed as user postgres (belonging to group postgres). The puppet agent's OS has a user postgres belonging to group postgres.

The shell script contains an initdb command that initializes a postgres PGDATA directory, and both have the following permissions:

    [root@host]# ls -al initializePostgres.sh
    -rwxr-x---. 1 postgres postgres 2231 Mar 14 18:04 initializePostgres.sh

    [root@host]# ls -ald data
    drwxr-xr-x. 2 postgres postgres 4096 Mar 18 17:34 data

When Exec ["postgres init"] is run, /var/log/messages on the puppet agent has several lines printed similar to the following:

    kernel: type=1400 audit(1363697390.681:566): avc: denied { read write } for pid=14834 comm="postgres" path="/tmp/puppet20130319-14620-1wpyixh-0" dev=dm-0 ino=1702615 scontext=unconfined_u:system_r:postgresql_t:s0 tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file

Basically, the messages are complaining that user postgres, via the execution of the initdb PostgreSQL command, cannot write files to data, the destined PGDATA directory, which has proper permissions as shown above by the ls -ald data.

So, the problem is that Exec ["postgres init"] does not run as expected because the initdb command in the shell script fails to write files to the data directory. All the permissions on the files and directories are correct, and when I do:

    [root@host]# su postgres
    bash-4.1$ ./initializePostgres.sh

the script works correctly without error.

Any help is appreciated.

Thanks,
Brandon

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Peter Meier
2013-Mar-19 14:58 UTC
Re: [Puppet Users] Puppet modifying directories by executing shell script as non-root user results in kernel-level insufficient privilege complaints
> [root@host]# su postgres
>
> bash-4.1$ ./initializePostgres.sh

(in SELinux terms) this is not the same as

    bash initializePostgres.sh

Maybe try with the following exec:

    exec { 'postgres init':
      command => '/applications/module/initializePostgres.sh',
      cwd     => '/applications/module',
      user    => 'postgres',
      group   => 'postgres',
    }

~pete
Felix Frank
2013-Mar-19 15:03 UTC
Re: [Puppet Users] Puppet modifying directories by executing shell script as non-root user results in kernel-level insufficient privilege complaints
Hi,

On 03/19/2013 03:30 PM, Brandon Groves wrote:
> When Exec ["postgres init"] is run, /var/log/messages on the puppet
> agent has several lines printed similar to the following:
> kernel: type=1400 audit(1363697390.681:566): avc: denied { read write }
> for pid=14834 comm="postgres" path="/tmp/puppet20130319-14620-1wpyixh-0"
> dev=dm-0 ino=1702615 scontext=unconfined_u:system_r:postgresql_t:s0
> tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
>
> Basically, the messages are complaining that user postgres, via the
> execution of the initdb PostgreSQL command, cannot write files to data, the
> destined PGDATA directory, which has proper permissions as shown above
> by the ls -ald data.

It really doesn't. What's complaining (as Peter has already advised) is the SELinux component. Try ls --context. Perhaps even your policies need tweaking.

HTH,
Felix
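The record Felix points at is an SELinux AVC denial, not a DAC permission error, and its path field names a temporary file under /tmp (judging by its name, one Puppet created for the exec) rather than the data directory whose mode bits were checked. The following is an added Python example (my own, not code from this thread or from Puppet) that parses such a line from /var/log/messages into its fields, surfaces the source and target types the policy rule is written on, and flags denied paths that lie outside the directory you assumed was the problem; the sample line is constructed from the one quoted above, rejoined where the mail client wrapped it.

```python
import re

# Constructed sample, modelled on the AVC line quoted in the thread (the mail
# client had wrapped it mid-word; here it is rejoined onto one line).
SAMPLE_AVC = (
    'kernel: type=1400 audit(1363697390.681:566): avc: denied { read write } '
    'for pid=14834 comm="postgres" path="/tmp/puppet20130319-14620-1wpyixh-0" '
    'dev=dm-0 ino=1702615 scontext=unconfined_u:system_r:postgresql_t:s0 '
    'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+'
                    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'verdict': m.group('verdict'), 'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; policy rules are written on the type,
    # so that is the part worth surfacing (postgresql_t vs. initrc_tmp_t here).
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec

def explain(rec):
    """One-line triage summary: which domain was denied which permissions on what."""
    return '{}: process {} (pid {}, domain {}) may not {} {} {} labelled {}'.format(
        rec['verdict'], rec.get('comm', '?'), rec.get('pid', '?'),
        rec['scontext_type'], '/'.join(rec['perms']), rec.get('tclass', '?'),
        rec.get('path', rec.get('name', '?')), rec['tcontext_type'])

def denied_paths_outside(records, expected_dir):
    """Paths from denials that are NOT under expected_dir. A non-empty result means
    the failure is not about the directory whose mode bits were checked with ls."""
    prefix = expected_dir.rstrip('/') + '/'
    return [r['path'] for r in records
            if r and r['verdict'] == 'denied' and 'path' in r
            and not r['path'].startswith(prefix)]

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(explain(rec))
    print(denied_paths_outside([rec], '/applications/module/data'))
```

Feed it the AVC lines from /var/log/messages (or from ausearch if auditd is running) and compare the reported types with the output of ls --context on the script and data directory to see which label the policy is objecting to.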
Brandon Groves
2013-Mar-19 18:55 UTC
[Puppet Users] Re: Puppet modifying directories by executing shell script as non-root user results in kernel-level insufficient privilege complaints
Thanks for the help. I ended up removing the postgres user on the puppet agent machine and directing puppet in the module manifest file to create the postgres user. And now Exec ["postgres init"] runs properly.

On Tuesday, March 19, 2013 10:30:09 AM UTC-4, Brandon Groves wrote:
> I am using Puppet 3.1.0 on CentOS 6.3 machines. The puppet master and
> puppet agents use CentOS 6.3 as their OS. I have a puppet script (init.pp
> file for the puppet module) that contains the following exec type:
> [...]