[PUP-2413] Attempting to log the output of service initialization on CentOS 6.5 causes SELinux violations - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Normal
Resolution: Cannot Reproduce
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
- platform-os
- selinux
Environment:

CentOS 6.5
Puppet 3.5.0

Team:
Night's Watch

UX Priority:
Normal

Description

It looks like puppet is creating a file in /tmp to connect to the stdout of service httpd start to. Out of the box CentOS 6 (and I can only assume RHEL 6) does not permit Apache to write to /tmp, causing an SELinux violation similar to the following:

kernel: type=1400 audit(1398909812.247:10): avc: denied

{ read write }

for pid=20375 comm="httpd" path="/tmp/puppet20140501-19869-xtobvy-0" dev=xvde ino=18584 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

I suspect this had to do with bringing the service resource providers up to feature parity with the exec resource providers.

The workaround would be to accept not getting Apache's startup output when using Puppet, or create an selinux module to permit apache writing to /tmp.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Logan Attwood

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2014/05/01 8:12 AM

Updated:: 2021/01/26 10:33 PM

Resolved:: 2021/01/26 10:33 PM