told puppet to put a file in /root/.ssh/ file was not relabeled.
Reproducible: Always
Actual Results:
type=AVC msg=audit(1312231148.723:62): avc: denied { name_connect } for pid=1733 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1312231148.723:62): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=6a9215f8aa0 a2=1c a3=7b6b515c19f8 items=0 ppid=1 pid=1733 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1312231148.723:63): avc: denied { name_connect } for pid=1733 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1312231148.723:63): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=6a9214a4220 a2=10 a3=7b6b515c19f8 items=0 ppid=1 pid=1733 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1312231150.345:64): avc: denied { relabelfrom } for pid=1733 comm="puppetd" name="authorized_keys" dev=vda3 ino=6678 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ssh_home_t tclass=file
type=SYSCALL msg=audit(1312231150.345:64): arch=c000003e syscall=189 success=no exit=-13 a0=6a920b05970 a1=70ee11c3d3ba a2=6a922199de0 a3=19 items=0 ppid=1 pid=1733 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
Expected Results: no audit log :D
Is the file in /root/.ssh the authorized_keys file? Because your error shows that puppet_t wants to relabel /from/ ssh_home_t on this file, which is weird since I would expect it to relabel to the proper format ;-) What label did the file get and what did you expect?
It did create the file correctly, but I think that puppet is actually trying to do something odd. This might be an ignorable error.
My puppet log (to /var/log/messages)
Aug 10 14:34:01 test puppet-agent[1702]: nss_ldap: failed to bind to LDAP server ldaps://ldap.mthode.org: Can't contact LDAP server
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context root:object_r:user_home_dir_t on /root/.ssh
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context system_u:object_r:ssh_home_t on /root/.ssh
Aug 10 14:34:04 test puppet-agent[1702]: (/File[/root/.ssh]/ensure) created
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context root:object_r:user_home_dir_t on /root/.ssh/authorized_keys
Aug 10 14:34:04 test puppet-agent[1702]: Failed to set SELinux context system_u:object_r:ssh_home_t on /root/.ssh/authorized_keys
Aug 10 14:34:04 test puppet-agent[1702]: (/File[/root/.ssh/authorized_keys]/ensure) defined content as '{md5}ee663dd9f812a1370f820765503d801c'
Aug 10 14:34:14 test puppet-agent[1702]: Finished catalog run in 14.54 seconds
My audit log
type=AVC msg=audit(1313001559.057:7965): avc: denied { name_connect } for pid=1702 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1313001559.057:7965): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=457f932090 a2=1c a3=7e6b0dc78738 items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001559.057:7966): avc: denied { name_connect } for pid=1702 comm="puppetd" dest=636 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:ldap_port_t tclass=tcp_socket
type=SYSCALL msg=audit(1313001559.057:7966): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=457e027290 a2=10 a3=7e6b0dc78738 items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.628:7967): avc: denied { relabelfrom } for pid=1702 comm="puppetd" name=".ssh" dev=vda3 ino=6155 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1313001568.628:7967): arch=c000003e syscall=189 success=no exit=-13 a0=457de94660 a1=76099acf73ba a2=457e4066d0 a3=1e items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.631:7968): avc: denied { relabelfrom } for pid=1702 comm="puppetd" name=".ssh" dev=vda3 ino=6155 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1313001568.631:7968): arch=c000003e syscall=189 success=no exit=-13 a0=457e423660 a1=76099acf73ba a2=457f032330 a3=1d items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.695:7969): avc: denied { relabelfrom } for pid=1702 comm="puppetd" name="authorized_keys" dev=vda3 ino=7037 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=file
type=SYSCALL msg=audit(1313001568.695:7969): arch=c000003e syscall=189 success=no exit=-13 a0=457dfb6260 a1=76099acf73ba a2=457e483940 a3=1e items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001568.698:7970): avc: denied { relabelfrom } for pid=1702 comm="puppetd" name="authorized_keys" dev=vda3 ino=7037 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:user_home_dir_t tclass=file
type=SYSCALL msg=audit(1313001568.698:7970): arch=c000003e syscall=189 success=no exit=-13 a0=457bf58b50 a1=76099acf73ba a2=457ec82dd0 a3=1d items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe="/usr/bin/ruby18" subj=system_u:system_r:puppet_t key=(null)
type=AVC msg=audit(1313001569.880:7971): avc: denied { read } for pid=8861 comm="nrpe" name="nrpe.cfg" dev=vda3 ino=6958 scontext=system_u:system_r:nrpe_t tcontext=system_u:object_r:nrpe_etc_t tclass=file
type=SYSCALL msg=audit(1313001569.880:7971): arch=c000003e syscall=2 success=no exit=-13 a0=43420dd1040 a1=0 a2=1b6 a3=0 items=0 ppid=8860 pid=8861 auid=4294967295 uid=103 gid=110 euid=103 suid=103 fsuid=103 egid=110 sgid=110 fsgid=110 tty=(none) ses=4294967295 comm="nrpe" exe="/usr/bin/nrpe" subj=system_u:system_r:nrpe_t key=(null)
Should be in hardened-dev overlay (selinux-puppet-2.20110726-r1), sadly without the ldap fix in it yet (that'll be part of -r2). The support for relabeling files is handled through the puppet_manage_all_files boolean.
So the only files it cannot relabel are which files?
All files (with attribute file_type) that are not policy_config_t or do not have the security_file_type attribute set. To find out which attributes a particular label has, use seinfo:
~# seinfo -tshadow_t -x
If it contains file_type and not security_file_type, and it isn't called policy_config_t, then puppet can relabelto/from it.
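As an added example, not from this bug thread or the hardened-dev policy, here is a shell check that applies the rule stated in the comment above to the output of `seinfo -t<type> -x`; the `has_attr`, `puppet_can_relabel` and `check_type` names are mine, and the seinfo listings embedded below are constructed samples, not captured from a host.

```shell
#!/bin/sh
# Added example: decide whether puppet_t may relabel a file type, per the rule in
# the comment above: the type must carry file_type, must not carry
# security_file_type, and must not be policy_config_t.

# has_attr ATTR TEXT: true if ATTR occurs as a whole token in TEXT
# (so "non_security_file_type" does not count as "security_file_type")
has_attr() {
    for tok in $2; do
        [ "$tok" = "$1" ] && return 0
    done
    return 1
}

# puppet_can_relabel TYPE SEINFO_OUTPUT: true if the rule allows relabelto/from
puppet_can_relabel() {
    [ "$1" = "policy_config_t" ] && return 1        # excluded by name
    has_attr file_type "$2" || return 1             # must be a file type at all
    has_attr security_file_type "$2" && return 1    # security files are off limits
    return 0
}

# check_type TYPE: live check on a host with setools installed. The policy also
# requires the puppet_manage_all_files boolean to be on; this does not verify it.
check_type() {
    puppet_can_relabel "$1" "$(seinfo -t"$1" -x 2>/dev/null)"
}

# Constructed stand-ins for 'seinfo -t<type> -x' output; attribute lists are
# illustrative and were not taken from a real policy.
SSH_HOME_INFO="   ssh_home_t
      file_type
      non_security_file_type"
SHADOW_INFO="   shadow_t
      file_type
      security_file_type"
POLICY_INFO="   policy_config_t
      file_type"
PORT_INFO="   ldap_port_t
      port_type"

# report TYPE INFO: print the verdict for one type
report() {
    if puppet_can_relabel "$1" "$2"; then echo "$1: puppet may relabel"
    else echo "$1: puppet may NOT relabel"; fi
}
report ssh_home_t "$SSH_HOME_INFO"
report shadow_t "$SHADOW_INFO"
report policy_config_t "$POLICY_INFO"
report ldap_port_t "$PORT_INFO"
```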
Ok, so we can't manage selinux (except through portage) with puppet. At least that is what I am getting. I will not be able to install a pp module (puppet files are called pp too, so this is confusing, I mean selinux), relabel (as I think is required) and then load the module?
in portage tree (~arch)