I am using Puppet 3.1.0 on CentOS 6.3 machines. The puppet master and
puppet agents use CentOS 6.3 as their OS. I have a puppet script (init.pp
file for the puppet module) that contains the following exec type:
    exec { "postgres init":
      cwd     => "/applications/module",
      command => "bash initializePostgres.sh",
      user    => "postgres",
      group   => "postgres"
    }
As the code alludes to, I am directing puppet to initialize a PostgreSQL
database via a shell script. cwd changes the working directory to the
module's destination, and the initializePostgres shell script is executed
as user postgres (belonging to group postgres). The puppet agent's OS has a
user postgres belonging to group postgres.
The shell script contains an initdb command that initializes a postgres
PGDATA directory, and both have the following permissions:
[root@host]# ls -al initializePostgres.sh
-rwxr-x---. 1 postgres postgres 2231 Mar 14 18:04 initializePostgres.sh
[root@host]# ls -ald data
drwxr-xr-x. 2 postgres postgres 4096 Mar 18 17:34 data
When Exec ["postgres init"] is run, /var/log/messages on the puppet
agent has several lines printed similar to the following:
kernel: type=1400 audit(1363697390.681:566): avc: denied { read write }
for pid=14834 comm="postgres" path="/tmp/puppet20130319-14620-1wpyixh-0"
dev=dm-0 ino=1702615 scontext=unconfined_u:system_r:postgresql_t:s0
tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file
Basically, the messages are complaining that user postgres, via the
execution of initdb PostgreSQL command, cannot write files to data, the
destined PGDATA directory, which has proper permissions as shown above by
the ls -ald data.
So, the problem is that Exec ["postgres init"] does not run as expected
because the initdb command in the shell script fails to write files to the
data directory. All the permissions on the files and directories are
correct and when I do:
[root@host]# su postgres
bash-4.1$ ./initializePostgres.sh
the script works correctly without error.
Any help is appreciated.
Thanks,
Brandon
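
An added example, not part of the original post: a small Python parser that splits an AVC record like the one quoted above into its SELinux fields (decision, permissions, process, object path, source and target types, object class). The function names are illustrative assumptions; the sample line is the record from the post with its wrapped lines rejoined.

```python
import re
import shlex

# AVC record quoted in the post above, with its wrapped lines rejoined.
SAMPLE = (
    'kernel: type=1400 audit(1363697390.681:566): avc: denied { read write } '
    'for pid=14834 comm="postgres" path="/tmp/puppet20130319-14620-1wpyixh-0" '
    'dev=dm-0 ino=1702615 scontext=unconfined_u:system_r:postgresql_t:s0 '
    'tcontext=unconfined_u:object_r:initrc_tmp_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')

def split_context(ctx):
    """Split user:role:type:level; the level may itself contain colons (MLS/MCS)."""
    user, role, type_, level = (ctx.split(':', 3) + [None] * 4)[:4]
    return {'user': user, 'role': role, 'type': type_, 'level': level}

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    decision, perms, rest = m.groups()
    fields = {}
    # shlex keeps quoted values such as path="..." together and strips the quotes.
    for token in shlex.split(rest):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return {
        'decision': decision,
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'path': fields.get('path') or fields.get('name'),
        'tclass': fields.get('tclass'),
        'source': split_context(fields.get('scontext', '')),
        'target': split_context(fields.get('tcontext', '')),
    }

def summarize(rec):
    """One line: which process domain was denied what, on which labelled object."""
    return '{} ({}) {} {{ {} }} on {} {} ({})'.format(
        rec['comm'], rec['source']['type'], rec['decision'],
        ' '.join(rec['perms']), rec['tclass'], rec['path'], rec['target']['type'])

if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE)))
```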