The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #15567

Document use of PuppetDB with SELinux

Added by Deepak Giridharagopal almost 2 years ago. Updated 5 months ago.

Status: Accepted
Start date: 07/17/2012
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Keywords:
Affected PuppetDB version:
Branch:

This ticket is now tracked at: https://tickets.puppetlabs.com/browse/PDB-137


Description

From the mailing list:

I've configured puppet to use storedconfigs and puppetDB.
If I start the puppet master using the init script puppetmaster, I get a permission denied error when a node connects:

Master:
[root@puppet ~]# service puppetmaster start
Starting puppetmaster:                                     [  OK  ]

Node:
[root@puppet-slave ~]# puppet agent --test
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppet-slave.test.net to PuppetDB at puppet.test.net:8081: Permission denied - connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

If I start the puppet master using the script puppet command, it works fine:

Master:
[root@puppet ~]# puppet master start

Node:
[root@puppet-slave ~]# puppet agent --test
info: Caching catalog for puppet-slave.test.net
info: Applying configuration version '1340967639'
notice: /Stage[main]/Drupal/Exec[install-drupal]/returns: executed successfully
notice: Finished catalog run in 17.72 seconds

Anyone come across this behaviour before, or found a solution?

All packages are from RPM installs (except ruby gems for puppetdb....)

[root@puppet ~]# rpm -qa | grep puppet
puppet-server-2.7.17-1.el6.noarch
puppetlabs-release-6-1.noarch
puppet-2.7.17-1.el6.noarch
puppetdb-0.9.1-2.el6.noarch
puppetdb-terminus-0.9.1-2.el6.noarch

I think that, at a minimum, we should document in the installation docs what ports and permissions need to be there for puppetdb to work in an selinux environment.

History

#1 Updated by Maura Dailey almost 2 years ago

module puppetdb 1.0;
require {
    type puppetmaster_t;
    type port_t;
    class tcp_socket name_connect;
}
#============= puppetmaster_t ==============
allow puppetmaster_t port_t:tcp_socket name_connect;

This was sufficient for me to get puppetmaster to talk to puppetdb on my RHEL 6.3 machine running the targeted policy and using the normal init.d script. Obviously, this is fairly loose (it was generated automatically by audit2allow). There is an selinux boolean puppetmaster_use_db, but this appears to only be used when talking directly to mysql or postgres, not through puppetdb. It may be possible to apply a patch to extend this boolean.

The normal puppet selinux module has been sufficient for nearly everything else, but it requires that several default directories be changed (logdir, rundir, ssldir, classfile, and localconfig). The puppet rpm from the puppetlabs repo provides a correct configuration file.

#2 Updated by John Hogenmiller over 1 year ago

I think this should apply to Puppet directly. It also affects puppet-dashboard. When running puppetmaster as a service (and not as root in debug mode), you are unable to submit reports to puppet-dashboard.

messages:

Jul 25 10:15:16 puppetmasterj puppet-master[11988]: Compiled catalog for puppet2.lab in environment production in 1.16 seconds
Jul 25 10:15:17 puppetmasterj puppet-master[11988]: Report processor failed: Permission denied - connect(2)

audit.log:

type=AVC msg=audit(1343225819.078:1582): avc:  denied  { name_connect } for  pid=11988 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket

Here are some slightly more detailed steps on correcting this (though I called mine puppetmaster instead of puppetdb). After typing audit2allow, you can paste in the log entry and use [Ctrl]+[D] on a blank line. Alternatively, you can grep the audit.log for the specific issue and pipe it through audit2allow.

[root@puppetmasterj tmp]# audit2allow -m puppetmaster
type=AVC msg=audit(1343232143.497:1617): avc:  denied  { name_connect } for  pid=12552 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket

module puppetmaster 1.0;

require {
    type puppetmaster_t;
    type ntop_port_t;
    class tcp_socket name_connect;
}

#============= puppetmaster_t ==============
allow puppetmaster_t ntop_port_t:tcp_socket name_connect;
[root@puppetmasterj tmp]# audit2allow -M puppetmaster
type=AVC msg=audit(1343232143.497:1617): avc:  denied  { name_connect } for  pid=12552 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i puppetmaster.pp

[root@puppetmasterj tmp]# semodule -i puppetmaster.pp
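As an added example (not from this ticket or from Puppet Labs), a small Python parser that ingests AVC denials like the ones quoted above, groups them by source type, target type, class and permission, and renders the allow rule audit2allow would generate for each group, so the breadth of that rule is visible before it is loaded. The sample log is constructed: the first two lines mirror the denials in this comment, the third is an invented denial to the PuppetDB port 8081 carrying the generic port_t label seen in comment #1.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt, modelled on the AVC denials quoted in this ticket;
# the third line (port 8081, labelled port_t) is invented for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1343225819.078:1582): avc:  denied  { name_connect } for  pid=11988 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1343232143.497:1617): avc:  denied  { name_connect } for  pid=12552 comm="puppetmasterd" dest=3000 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1343232200.001:1620): avc:  denied  { name_connect } for  pid=12552 comm="puppetmasterd" dest=8081 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1343232143.497:1617): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"(?: dest=(?P<dest>\d+))? '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    # The type is the third colon-separated field of an SELinux context (user:role:type:level).
    d['stype'] = d['scontext'].split(':')[2]
    d['ttype'] = d['tcontext'].split(':')[2]
    return d

def summarise(log_text):
    """Group denials by (source type, target type, class, permission); keep ports and comms seen."""
    groups = defaultdict(lambda: {'count': 0, 'ports': set(), 'comms': set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d['perms']:
            g = groups[(d['stype'], d['ttype'], d['tclass'], perm)]
            g['count'] += 1
            g['comms'].add(d['comm'])
            if d['dest'] is not None:
                g['ports'].add(int(d['dest']))
    return dict(groups)

def allow_rules(groups):
    """Render the allow rule audit2allow would emit per group; it names the whole port type,
    so it covers every port with that label, not just the one in the denial."""
    return sorted(f"allow {s} {t}:{c} {p};" for (s, t, c, p) in groups)
```

Running summarise() over a real /var/log/audit/audit.log shows which port labels a rule would open up; a rule against ntop_port_t grants puppetmaster_t access to every port carrying that label, not only port 3000.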

#3 Updated by Deepak Giridharagopal over 1 year ago

  • Status changed from Unreviewed to Accepted
