Some details on how I fixed it. There were also lots of mod_passenger SELinux issues that were fixed, too. I didn't pick out the specific subset of issues that only fixed Puppet.
Credit due to: http://skippy.net/puppet-subversion-selinux

    # setsebool -P allow_ypbind 1
    # ausearch -m avc | audit2allow -r > puppet_passenger.te
    # mkdir -p /usr/share/selinux/packages/puppet_passenger
    # mv puppet_passenger.te /usr/share/selinux/packages/puppet_passenger
    # cd /usr/share/selinux/packages/puppet_passenger
    # checkmodule -M -m -o puppet_passenger.mod puppet_passenger.te
    checkmodule: loading policy configuration from puppet_passenger.te
    checkmodule: policy configuration loaded
    checkmodule: writing binary representation (version 10) to puppet_passenger.mod
    # semodule_package -o puppet_passenger.pp -m puppet_passenger.mod
    # semodule -i puppet_passenger.pp

The specific issues that arose from httpd_t's need for access to puppet stuff were:

    allow httpd_t puppet_var_lib_t:dir { write read create add_name };
    allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto create write };

Hope that helps,
Dave
--
David Chin, Ph.D.                          [email protected]
High Performance Computing Systems Analyst
Office: +1.336.758.2964                    Wake Forest University
Mobile: +1.336.608.0793                    Winston-Salem, NC
Email-to-txt: [email protected]          Google Talk: [email protected]
Web: http://www.wfu.edu/~chindw
https://plus.google.com/108169173177119739731/about

On Mon, Jan 9, 2012 at 11:31, David Chin <[email protected]> wrote:
> Turns out to be SELinux: httpd_t needs file write to puppet_var_lib_t.
>
> Cheers,
> Dave
>
> On Fri, Jan 6, 2012 at 17:04, David Chin <[email protected]> wrote:
>> Hello,
>>
>> I'm new to puppet, and am working through the Pro Puppet book
>> (Turnbull & McCune). After a bit of struggling, I managed to get
>> puppet + passenger + apache mostly working: a simple connect to the
>> server on https port 8140 gives "The environment must be purely
>> alphanumeric, not ''"
>>
>> Here is what I have running:
>> - RedHat Enterprise Linux 6
>> - httpd 2.2.15-15.el6
>> - puppet 2.7.9-1.el6
>> - puppet-server 2.7.9-1.el6
>> - mod_passenger 3.0.11-1.el6
>> - rubygem-rack 1.1.0-2.el6
>> - facter 1.6.4-1.el6
>>
>> I'm sanitizing data here by using "puppet.example.com" as the server
>> name.
>>
>> My /etc/puppet/puppet.conf has:
>> [main]
>> server = puppet.example.com
>>
>> On the puppet server, I am trying to test by doing:
>> puppet agent --verbose --debug --test
>>
>> I get the error message:
>>
>> err: Could not retrieve catalog from remote server: Error 400 on
>> SERVER: Permission denied - /var/lib/puppet/yaml/facts/puppet.example.com.yaml
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> Permissions on /var/lib/puppet/yaml/facts:
>>
>> drwxr-x---. puppet puppet
>> unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/yaml/facts/
>>
>> I manually created the .yaml file by doing:
>> facter -y > ${factsdir}/$(facter fqdn).yaml
>>
>> Thanks in advance for any pointers.
>>
>> Cheers,
>> -- David Chin
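The checkmodule / semodule_package / semodule sequence in Dave's message installs whatever audit2allow produced from the AVC denials, which can be broader than the two rules the thread actually needed. The helper below is an added example, not code from the thread or from the Puppet or SELinux projects: it lists every allow rule in a .te file, flags the permissions that let httpd_t modify files or labels under puppet_var_lib_t so they can be reviewed before the module is loaded, and only then runs the same build chain. SAMPLE_TE is constructed to match the two rules Dave posted, and the build_module function assumes the three tools are on PATH (it refuses to run otherwise).

```shell
#!/bin/sh
# Constructed sample: the shape of a module that "audit2allow -r" emits,
# carrying the two rules from the thread.
SAMPLE_TE='module puppet_passenger 1.0;

require {
    type httpd_t;
    type puppet_var_lib_t;
    class dir { write read create add_name };
    class file { relabelfrom relabelto create write };
}

#============= httpd_t ==============
allow httpd_t puppet_var_lib_t:dir { write read create add_name };
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto create write };
'

# Read policy text on stdin; print one line per allow rule as
# "<source> <target> <class> <perm> [<perm> ...]".
te_allow_rules() {
    awk '$1 == "allow" {
        split($3, tc, ":")           # "puppet_var_lib_t:dir" -> type, class
        perms = $0
        if (index(perms, "{")) {     # braced permission set
            sub(/^[^{]*\{/, "", perms); sub(/\}.*$/, "", perms)
        } else {                     # single permission, e.g. "read;"
            perms = $4; sub(/;.*$/, "", perms)
        }
        gsub(/^[ \t]+|[ \t]+$/, "", perms)
        print $2, tc[1], tc[2], perms
    }'
}

# Permissions that change content or labels; these deserve a second look
# before the module is installed (read-only access is not flagged).
RISKY_PERMS='write append create unlink rename relabelfrom relabelto setattr add_name remove_name'

# Read policy text on stdin; print "<source> <target>:<class> <perm>" for
# each permission in RISKY_PERMS granted by an allow rule.
te_flag_risky() {
    te_allow_rules | while read -r src tgt cls perms; do
        for p in $perms; do
            case " $RISKY_PERMS " in
                *" $p "*) printf '%s %s:%s %s\n' "$src" "$tgt" "$cls" "$p" ;;
            esac
        done
    done
}

# Number of flagged permissions, as a plain integer on stdout.
te_risky_count() {
    te_flag_risky | wc -l | tr -d ' '
}

# Build and load a module from a .te file with the tool chain used in the
# thread. Assumption: checkmodule, semodule_package and semodule are on PATH;
# on a host without them the function returns 2 and changes nothing.
build_module() {
    te="$1"
    name=$(basename "$te" .te)
    for t in checkmodule semodule_package semodule; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 2; }
    done
    checkmodule -M -m -o "$name.mod" "$te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp" &&
    semodule -l | grep -q "^$name"      # confirm the module is now loaded
}

# Stand-alone run: show what the sample module would grant.
echo "Permissions to review before 'semodule -i':"
printf '%s' "$SAMPLE_TE" | te_flag_risky
```

Run it against a real file with `te_flag_risky < puppet_passenger.te`; if the list contains nothing beyond what the denials require, `build_module puppet_passenger.te` performs the same three steps as the thread and confirms the module appears in `semodule -l`.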
