[PUP-2413] Attempting to log the output of service initialization on CentOS 6.5 causes SELinux violations Created: 2014/05/01  Updated: 2018/09/26

Status: Accepted
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Logan Attwood Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: selinux
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

CentOS 6.5
Puppet 3.5.0

Team: Platform OS
UX Priority: Normal


It looks like puppet is creating a file in /tmp to connect to the stdout of service httpd start to. Out of the box CentOS 6 (and I can only assume RHEL 6) does not permit Apache to write to /tmp, causing an SELinux violation similar to the following:

kernel: type=1400 audit(1398909812.247:10): avc: denied

{ read write }

for pid=20375 comm="httpd" path="/tmp/puppet20140501-19869-xtobvy-0" dev=xvde ino=18584 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file

I suspect this had to do with bringing the service resource providers up to feature parity with the exec resource providers.

The workaround would be to accept not getting Apache's startup output when using Puppet, or create an selinux module to permit apache writing to /tmp.

Generated at Sat Dec 14 16:00:24 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.