Bug #15567
Document use of PuppetDB with SELinux
| Status: | Accepted | Start date: | 07/17/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Keywords: | | Affected PuppetDB version: | |
| Branch: | | | |
Description
From the mailing list:
I've configured puppet to use storedconfigs and puppetDB. If I start the puppet master using the init script puppetmaster I get a permission denied error when a node connects:

Master:
[root@puppet ~]# service puppetmaster start
Starting puppetmaster: [ OK ]

Node:
[root@puppet-slave ~]# puppet agent --test
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppet-slave.test.net to PuppetDB at puppet.test.net:8081: Permission denied - connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

If I start the puppet master using the script puppet command, it works fine:

Master:
[root@puppet ~]# puppet master start

Node:
[root@puppet-slave ~]# puppet agent --test
info: Caching catalog for puppet-slave.test.net
info: Applying configuration version '1340967639'
notice: /Stage[main]/Drupal/Exec[install-drupal]/returns: executed successfully
notice: Finished catalog run in 17.72 seconds

Anyone come across this behaviour before, or found a solution? All packages are from RPM installs (except ruby gems for puppetdb....)

[root@puppet ~]# rpm -qa | grep puppet
puppet-server-2.7.17-1.el6.noarch
puppetlabs-release-6-1.noarch
puppet-2.7.17-1.el6.noarch
puppetdb-0.9.1-2.el6.noarch
puppetdb-terminus-0.9.1-2.el6.noarch
I think that, at a minimum, we should document in the installation docs what ports and permissions need to be there for puppetdb to work in an selinux environment.
History
#1
Updated by Maura Dailey 11 months ago
module puppetdb 1.0;
require {
type puppetmaster_t;
type port_t;
class tcp_socket name_connect;
}
#============= puppetmaster_t ==============
allow puppetmaster_t port_t:tcp_socket name_connect;
This was sufficient for me to get puppetmaster to talk to puppetdb on my RHEL 6.3 machine running the targeted policy and using the normal init.d script. Obviously, this is fairly loose (it was generated automatically by audit2allow). There is an selinux boolean puppetmaster_use_db, but this appears to only be used when talking directly to mysql or postgres, not through puppetdb. It may be possible to apply a patch to extend this boolean.
The normal puppet selinux module has been sufficient for nearly everything else, but it requires that several default directories be changed (logdir, rundir, ssldir, classfile, and localconfig). The puppet rpm from the puppetlabs repo provides a correct configuration file.
#2
Updated by John Hogenmiller 11 months ago
I think this should apply to Puppet directly. It also affects puppet-dashboard. When running puppetmaster as a service (and not as root in debug mode), you are unable to submit reports to puppet-dashboard.
messages:
Jul 25 10:15:16 puppetmasterj puppet-master[11988]: Compiled catalog for puppet2.lab in environment production in 1.16 seconds
Jul 25 10:15:17 puppetmasterj puppet-master[11988]: Report processor failed: Permission denied - connect(2)
audit.log:
type=AVC msg=audit(1343225819.078:1582): avc: denied { name_connect } for pid=11988 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
Here are some slightly more detailed steps on correcting this (though I called mine puppetmaster instead of puppetdb). After typing audit2allow, you can paste in the log entry and use [Ctrl]+[D] on a blank line. Alternatively, you can grep the audit.log for the specific issue and pipe it through audit2allow.
[root@puppetmasterj tmp]# audit2allow -m puppetmaster
type=AVC msg=audit(1343232143.497:1617): avc: denied { name_connect } for pid=12552 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
module puppetmaster 1.0;
require {
type puppetmaster_t;
type ntop_port_t;
class tcp_socket name_connect;
}
#============= puppetmaster_t ==============
allow puppetmaster_t ntop_port_t:tcp_socket name_connect;
[root@puppetmasterj tmp]# audit2allow -M puppetmaster
type=AVC msg=audit(1343232143.497:1617): avc: denied { name_connect } for pid=12552 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i puppetmaster.pp
[root@puppetmasterj tmp]# semodule -i puppetmaster.pp
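The two comments above both run the denial through audit2allow and take whatever it emits. The script below is an added example, not part of this ticket or of PuppetDB, that does the same parsing step on constructed AVC lines modelled on the ones quoted here and flags the case Maura points out as "fairly loose": a rule whose target is the generic port_t covers every unlabelled TCP port, so the narrower fix is to give the PuppetDB port its own label with semanage port. The sample lines, the module name puppetdb and the helper names are assumptions.

```shell
#!/bin/sh
# Constructed AVC lines modelled on the denials quoted in this ticket (not real log data).
AVC_SAMPLE='type=AVC msg=audit(1343232143.497:1617): avc: denied { name_connect } for pid=12552 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1343232150.101:1620): avc: denied { name_connect } for pid=12552 comm="puppetmasterd" dest=8081 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_to_te MODULE_NAME  (reads AVC lines on stdin, prints a minimal .te module)
avc_to_te() {
  awk -v mod="$1" '
    # add the space-separated permissions in p to set s, without duplicates
    function addset(s, p,    n, i, w) {
      n = split(p, w, " ")
      for (i = 1; i <= n; i++)
        if (index(" " s " ", " " w[i] " ") == 0) s = (s == "" ? w[i] : s " " w[i])
      return s
    }
    /^type=AVC / && / denied / {
      match($0, /[{][^}]*[}]/); perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      src = tgt = cls = dest = ""
      for (i = 1; i <= NF; i++) {
        split($i, a, ":")                          # user:role:type:level
        if      ($i ~ /^scontext=/) src  = a[3]
        else if ($i ~ /^tcontext=/) tgt  = a[3]
        else if ($i ~ /^tclass=/)   cls  = substr($i, 8)
        else if ($i ~ /^dest=/)     dest = substr($i, 6)
      }
      if (src == "" || tgt == "" || cls == "" || perms == "") next
      if (!(src in seen)) { seen[src] = 1; types[++nt] = src }
      if (!(tgt in seen)) { seen[tgt] = 1; types[++nt] = tgt }
      if (!(cls in cperm)) classes[++nc] = cls
      cperm[cls] = addset(cperm[cls], perms)
      k = src " " tgt ":" cls                      # one allow rule per (source, target, class)
      if (!(k in rperm)) { rules[++nr] = k; port[k] = dest }
      rperm[k] = addset(rperm[k], perms)
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", classes[i], cperm[classes[i]]
      print "}\n"
      for (i = 1; i <= nr; i++) {
        k = rules[i]
        # port_t as target means the destination port carries no specific label
        if (k ~ / port_t:/) printf "# WARNING: tcp port %s is unlabelled (port_t); label it with semanage port instead of allowing all of port_t\n", port[k]
        printf "allow %s { %s };\n", k, rperm[k]
      }
    }'
}

# Number of allow rules generated for the sample (quick self-check).
rule_count() { printf "%s\n" "$AVC_SAMPLE" | avc_to_te puppetdb | grep -c '^allow '; }
```

Run `printf "%s\n" "$AVC_SAMPLE" | avc_to_te puppetdb` to see the generated module; the WARNING comment lands next to the port_t rule only.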
#3
Updated by Deepak Giridharagopal 9 months ago
- Status changed from Unreviewed to Accepted