And an error that arose in the past hour which I just figured out
needed this access:
allow httpd_t puppet_var_lib_t:file append;
G'night,
Dave
--
David Chin, Ph.D.
[email protected] High Performance Computing Systems Analyst
Office: +1.336.758.2964 Wake Forest University
Mobile: +1.336.608.0793 Winston-Salem, NC
Email-to-txt: [email protected] Google Talk: [email protected]
Web: http://www.wfu.edu/~chindw
https://plus.google.com/108169173177119739731/about
On Fri, Jan 13, 2012 at 01:30, David Chin <[email protected]> wrote:
> Some details on how I fixed it. There were also lots of mod_passenger
> SELinux issues that were fixed, too. I didn't pick out the specific
> subset of issues that only fixed Puppet.
>
> Credit due to: http://skippy.net/puppet-subversion-selinux
>
> # setsebool -P allow_ypbind 1
> # ausearch -m avc | audit2allow -r > puppet_passenger.te
> # mkdir -p /usr/share/selinux/packages/puppet_passenger
> # mv puppet_passenger.te /usr/share/selinux/packages/puppet_passenger
> # cd /usr/share/selinux/packages/puppet_passenger
> # checkmodule -M -m -o puppet_passenger.mod puppet_passenger.te
> checkmodule: loading policy configuration from puppet_passenger.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 10) to puppet_passenger.mod
> # semodule_package -o puppet_passenger.pp -m puppet_passenger.mod
> # semodule -i puppet_passenger.pp
>
> The specific issues that arose from httpd_t's need for access to
> puppet stuff were:
>
> allow httpd_t puppet_var_lib_t:dir { write read create add_name };
> allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto create write };
>
> Hope that helps,
> Dave
>
> On Mon, Jan 9, 2012 at 11:31, David Chin <[email protected]> wrote:
>> Turns out to be SELinux: httpd_t needs file write to puppet_var_lib_t.
>>
>> Cheers,
>> Dave
>>
>> On Fri, Jan 6, 2012 at 17:04, David Chin <[email protected]> wrote:
>>> Hello,
>>>
>>> I'm new to puppet, and am working through the Pro Puppet book
>>> (Turnbull & McCune). After a bit of struggling, I managed to get
>>> puppet + passenger + apache mostly working: a simple connect to the
>>> server on https port 8140 gives "The environment must be purely
>>> alphanumeric, not ''"
>>>
>>> Here is what I have running:
>>> - RedHat Enterprise Linux 6
>>> - httpd 2.2.15-15.el6
>>> - puppet 2.7.9-1.el6
>>> - puppet-server 2.7.9-1.el6
>>> - mod_passenger 3.0.11-1.el6
>>> - rubygem-rack 1.1.0-2.el6
>>> - facter 1.6.4-1.el6
>>>
>>> I'm sanitizing data here by using "puppet.example.com" as the server
>>> name.
>>>
>>> My /etc/puppet/puppet.conf has:
>>> [main]
>>> server = puppet.example.com
>>>
>>> On the puppet server, I am trying to test by doing: puppet agent --verbose --debug --test
>>>
>>> I get the error message:
>>>
>>> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/puppet.example.com.yaml
>>> warning: Not using cache on failed catalog
>>> err: Could not retrieve catalog; skipping run
>>>
>>> Permissions on /var/lib/puppet/yaml/facts:
>>>
>>> drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/yaml/facts/
>>>
>>> I manually created the .yaml file by doing: facter -y > ${factsdir}/$(facter fqdn).yaml
>>>
>>> Thanks in advance for any pointers.
>>>
>>> Cheers,
>>> -- David Chin
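An added example, not part of the original thread or of any project's code: a Python script that keeps only the AVC denials for one source/target type pair (here httpd_t on puppet_var_lib_t) and emits module source for just those, rather than turning every logged denial into policy as the `ausearch -m avc | audit2allow` pipeline quoted above does. The audit records, the function names and the module name `puppet_httpd` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records for illustration; not taken from the thread's server.
SAMPLE = """\
type=AVC msg=audit(1326400000.101:501): avc:  denied  { write } for  pid=2101 comm="ruby" name="facts" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1326400000.102:502): avc:  denied  { add_name } for  pid=2101 comm="ruby" name="puppet.example.com.yaml" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1326400100.200:510): avc:  denied  { append } for  pid=2101 comm="ruby" name="example.log" dev=dm-0 ino=1400 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1326400200.300:520): avc:  denied  { read } for  pid=2150 comm="httpd" name="notes.txt" dev=dm-0 ino=2000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# The type is the third colon-separated field of an SELinux context (user:role:type[:level]).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)")

def parse(log):
    """Yield (source_type, target_type, class, perms) for each AVC denial."""
    for m in AVC_RE.finditer(log):
        yield m["src"], m["tgt"], m["cls"], m["perms"].split()

def collect(log, source, target):
    """Permissions per object class denied to `source` on `target` only."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse(log):
        if (src, tgt) == (source, target):
            rules[cls].update(perms)
    return dict(rules)

def excluded(log, source, target):
    """Denials a blanket audit2allow run would also have turned into policy."""
    return sorted({(s, t, c) for s, t, c, _ in parse(log) if (s, t) != (source, target)})

def render_te(name, source, target, rules):
    """Render module source (.te) holding only the selected allow rules."""
    perms = {c: " ".join(sorted(p)) for c, p in sorted(rules.items())}
    lines = [f"module {name} 1.0;", "", "require {", f"\ttype {source};", f"\ttype {target};"]
    lines += [f"\tclass {c} {{ {p} }};" for c, p in perms.items()]
    lines += ["}", ""]
    lines += [f"allow {source} {target}:{c} {{ {p} }};" for c, p in perms.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    src, tgt = "httpd_t", "puppet_var_lib_t"
    print(render_te("puppet_httpd", src, tgt, collect(SAMPLE, src, tgt)))
    for item in excluded(SAMPLE, src, tgt):
        print("# left out for separate review:", item)
```

The rendered source can be compiled and loaded with the same checkmodule, semodule_package and semodule steps quoted in the thread.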