Puppet / PUP-2413

Attempting to log the output of service initialization on CentOS 6.5 causes SELinux violations

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment: CentOS 6.5, Puppet 3.5.0
    • Template:
    • Team: Platform OS
    • UX Priority: Normal

      Description

      It looks like puppet is creating a file in /tmp to connect the stdout of service httpd start to. Out of the box CentOS 6 (and I can only assume RHEL 6) does not permit Apache to write to /tmp, causing an SELinux violation similar to the following:

      kernel: type=1400 audit(1398909812.247:10): avc: denied { read write } for pid=20375 comm="httpd" path="/tmp/puppet20140501-19869-xtobvy-0" dev=xvde ino=18584 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

      I suspect this has to do with bringing the service resource providers up to feature parity with the exec resource providers.

      The workaround would be to accept not getting Apache's startup output when using Puppet, or create an selinux module to permit apache writing to /tmp.
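      Before choosing either workaround it helps to confirm that a denial in the audit log really is this pattern (a service's domain blocked from Puppet's temp file labelled initrc_tmp_t) rather than some other AVC. The parser below is an added example, not code from Puppet or from the reporter; it only uses Python's standard re module, and the sample line is constructed from the AVC quoted above.

```python
import re

# Sample AVC denial, constructed from the line quoted in this ticket.
SAMPLE_AVC = (
    'kernel: type=1400 audit(1398909812.247:10): avc: denied { read write } '
    'for pid=20375 comm="httpd" path="/tmp/puppet20140501-19869-xtobvy-0" '
    'dev=xvde ino=18584 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'
)

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of an AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type:level; the type is what policy decides on.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def is_puppet_tmp_denial(rec):
    """True when a service was denied read/write on a Puppet temp file in /tmp."""
    return bool(
        rec is not None
        and rec.get('tclass') == 'file'
        and rec.get('tcontext_type') == 'initrc_tmp_t'
        and rec.get('path', '').startswith('/tmp/puppet')
        and {'read', 'write'} & set(rec['perms'])
    )


def find_puppet_tmp_denials(lines):
    """Scan audit/kernel log lines and return the records matching this ticket's pattern."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if is_puppet_tmp_denial(rec):
            hits.append(rec)
    return hits
```

      Each returned record carries the service's own domain (scontext_type, httpd_t here), which is the domain a targeted policy module would have to name if the second workaround is chosen.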

              People

              • Assignee: Unassigned
              • Reporter: lattwood (Logan Attwood)