Issue #1563 has been updated by Jonathan Stanton.

Affected version changed from 0.24.5 to 0.24.8

Has anything been planned for this? It's still occurring in the latest packaged 
version 0.24.8 (EPEL packages don't include 0.25 yet, but from reading the 
changelog for 0.25 I didn't see a fix). It's a really annoying issue that causes 
lots of wasted log records that confuse real issues.

It appears that some work was done last year on a solution (not just the pipe 
patch, but also a different approach that moves the puppet temporary files to 
/var/run/puppet and assigns correct selinux context/policy so there are no 
warnings). But the last mention of it was in June 2009.

The RH bug 460039 at https://bugzilla.redhat.com/show_bug.cgi?id=460039 
discusses this issue and says that some efforts were made to move puppet to use 
/var/run/puppet instead of /tmp. 

>From Puppet's perspective it almost looks like the only change required is to 
>switch the puppet/ruby temporary directory to /var/run/puppet. Then the RH 
>packages can include a selinux policy. 
----------------------------------------
Bug #1563: [PATCH] Change Util::Execute to use pipes instead of temporary files 
for capturing output
http://projects.reductivelabs.com/issues/1563

Author: Sean Millichamp
Status: Needs more information
Priority: High
Assigned to: 
Category: plumbing
Target version: unplanned
Affected version: 0.24.8
Keywords: SELinux execute Tempfile
Branch: 


Patch attached to fix reported behavior.

When triggering Puppet runs which included initscript starts/stops I noticed 
that I would receive three SELinux AVC denials logged for the process that was 
being started/stopped for a file of the form /tmp/puppet.$PID.0.  Many of the 
system daemons which ship with CentOS 5 have confined SELinux domains which 
don't permit access to much of the system - including these Puppet temp files.

Trying to figure out where to create the file (and with which context) for 
every service would be impractical (impossible?  some services may not have any 
context that would be usable for write permissions) so I decided to just 
rewrite it to use Unix pipes.

WorksForMe in my testing.

I'm marking this as high because, depending on what commands are being run and 
their SELinux policies, this could cause command output to silently disappear 
(other than the denials in the logs).  This could be very frustrating for 
someone who is trying to use that output.
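
A sketch of capturing command output through a pipe rather than a temporary file, as the description above proposes. This is an added example, not the patch attached to the issue and not Puppet's code; the helper name `capture_via_pipe` and its `poll` parameter are hypothetical. It also covers one case specific to initscript starts: a daemon that inherits the pipe and keeps it open after the script exits.

```ruby
# Added illustration, not the patch attached to this issue.
# capture_via_pipe is a hypothetical helper name.

# Runs argv (an Array; no shell is involved) and returns [output, exit_status].
# The child's stdout and stderr are attached to the write end of an anonymous
# pipe, so no /tmp/puppet.$PID.N file is created for it to write to.
def capture_via_pipe(argv, poll: 0.05)
  reader, writer = IO.pipe
  pid = Process.spawn([argv[0], argv[0]], *argv[1..-1],
                      in: File::NULL, out: writer, err: writer,
                      close_others: true)
  writer.close # the parent's copy must go, or EOF would never arrive
  output = String.new
  status = nil
  loop do
    # Drain while waiting so a chatty child cannot block on a full pipe.
    if IO.select([reader], nil, nil, poll)
      chunk = reader.read_nonblock(65_536, exception: false)
      break if chunk.nil? # EOF: every holder of the write end has closed it
      output << chunk if chunk.is_a?(String)
      next
    end
    # Nothing readable: if the direct child has exited, stop here. A daemon
    # started by an init script may inherit the write end and keep it open
    # indefinitely, so waiting for EOF alone could hang.
    _, status = Process.wait2(pid, Process::WNOHANG) if status.nil?
    break if status
  end
  # Final non-blocking drain of anything written just before the child exited.
  while (chunk = reader.read_nonblock(65_536, exception: false)).is_a?(String)
    output << chunk
  end
  _, status = Process.wait2(pid) if status.nil?
  [output, status.exitstatus]
ensure
  reader.close if reader && !reader.closed?
  writer.close if writer && !writer.closed?
end
```

Output that a lingering background process writes after the direct child has exited is not captured by this helper.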

