[Bug] Puppet throwing SELinux errors in /var/log/messages

Solution In Progress - Updated -

Environment

  • Red Hat Satellite 6.x

Issue

  • Puppet throws SELinux errors in /var/log/messages.
  • Running puppet agent --test on a client returns an HTTP error:
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>

  • In journalctl SYSLOG_IDENTIFIER=puppet-master you can see the SELinux errors:

Jul 27 13:10:00 puppet-master[2671]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Jul 27 13:10:01 puppet-master[2671]: failed to set mode 644 on /var/log/puppet/masterhttp.log: Permission denied - /var/log/puppet/masterhttp.log
Jul 27 13:10:01 puppet-master[2671]: (/File[/var/log/puppet/masterhttp.log]/mode) change from 0644 to 0660 failed: failed to set mode 644 on /var/log/puppet/masterhttp.log: Permission denied - /var/log/puppet/masterhttp.
Jul 27 13:10:01 puppet-master[2671]: Could not prepare for execution: Got 1 failure(s) while initializing: File[/var/log/puppet/masterhttp.log]: change from 0644 to 0660 failed: failed to set mode 644 on /var/log/puppet/
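The excerpt above mixes an SELinux file_contexts message with file mode failures. The following is an added example, not part of the original solution or Red Hat's tooling: it sorts those journal lines by kind so each can be followed up separately. The kind names and function names are made up for this example.

```python
import re

# Journal lines copied from the excerpt above, truncated where the page truncates them.
SAMPLE = """\
Jul 27 13:10:00 puppet-master[2671]: /etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:puppet_var_lib_t:s0
Jul 27 13:10:01 puppet-master[2671]: failed to set mode 644 on /var/log/puppet/masterhttp.log: Permission denied - /var/log/puppet/masterhttp.log
Jul 27 13:10:01 puppet-master[2671]: (/File[/var/log/puppet/masterhttp.log]/mode) change from 0644 to 0660 failed: failed to set mode 644 on /var/log/puppet/masterhttp.
Jul 27 13:10:01 puppet-master[2671]: Could not prepare for execution: Got 1 failure(s) while initializing: File[/var/log/puppet/masterhttp.log]: change from 0644 to 0660 failed: failed to set mode 644 on /var/log/puppet/
"""

HEADER = re.compile(r"^\w{3} +\d+ [\d:]+ ([\w-]+)\[\d+\]: (.*)$")
INVALID_CTX = re.compile(r"file_contexts:\s+invalid context (\S+)")
MODE_CHANGE = re.compile(r"File\[([^\]]+)\].*?change from (\d+) to (\d+) failed")
SET_MODE = re.compile(r"^failed to set mode (\d+) on (\S+): (.+?) - ")


def classify(line):
    """Return (kind, details) for one puppet-master journal line."""
    head = HEADER.match(line)
    if not head or head.group(1) != "puppet-master":
        return "other", {}
    msg = head.group(2)
    ctx = INVALID_CTX.search(msg)
    if ctx:
        # A file_contexts entry was reported invalid; keep the type field if present.
        parts = ctx.group(1).split(":")
        return "invalid_context", {"type": parts[2] if len(parts) > 2 else ctx.group(1)}
    change = MODE_CHANGE.search(msg)
    if change:
        path, old, new = change.groups()
        # "Could not prepare for execution" is the initialization failure itself.
        kind = "fatal_init" if msg.startswith("Could not prepare") else "mode_change"
        return kind, {"path": path, "from": old, "to": new}
    chmod = SET_MODE.match(msg)
    if chmod:
        mode, path, error = chmod.groups()
        return "chmod_error", {"path": path, "mode": mode, "error": error}
    return "other", {}


def triage(text):
    """Group classified lines by kind, skipping unmatched lines."""
    groups = {}
    for line in text.splitlines():
        kind, details = classify(line.strip())
        if kind != "other":
            groups.setdefault(kind, []).append(details)
    return groups


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, items)
```

A chmod_error or mode_change entry records only that the mode change failed; whether SELinux was involved would show up as an AVC record in the audit log for the same timestamp, not in these lines.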

Resolution

  • Set the puppetagent_t domain to permissive:

 # semanage permissive -a puppetagent_t

  • Please open a Support ticket to get further updates on Bugzilla.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

1 Comments

Error "file_contexts: invalid context" is harmless and discussed in https://access.redhat.com/solutions/2576541

Error change from 0644 to 0660 failed: failed to set mode 644 can be fixed by changing the permissions manually.

I do not believe putting puppet agent to permissive has anything to do with these error messages. Puppet agent should never be running in SELinux enforcing though; it makes no sense. Previously Red Hat shipped policy for it, but it was removed in newer versions of base SELinux policy.