On Tuesday, June 4, 2013 11:22:22 AM UTC-4, jcbollinger wrote:
>
>
> It's not the cause of your problem, but the master should NOT run as 
> root.  There is no reason why it should need special privilege to do its 
> work, therefore good security practices dictate that it run without such 
> privilege.
>
> If restorecon sets the SELinux labels incorrectly, however, then you need 
> to teach it what the correct labels ought to be.  It is a fundamental 
> problem for restorecon to disagree with Puppet about what the labels should 
> be.
>
> I also find it a little strange that you see those messages repeatedly, 
> and especially that you see them at 30-minute intervals.  Are you running 
> the master standalone, or via apache/passenger (or some other rack 
> server)?  If the latter, then the rack server may be starting new master 
> instances periodically, and in that case they might not be running with the 
> identity and privileges you think.
>  
>
>>
>> Anyone have any idea why these messages keep popping up? and how to fix 
>> the problem? Admittedly, I can just change the file labels manually, but 
>> that doesn't solve the underlying problem. 
>>
>>
> You should try updating your selinux policy package to the latest 
> available.  You may need to manually modify your policy, however, as there 
> were puppet-related bugs in some of the policy packages at least as 
> recently as Fedora 18, which doesn't bode well for CentOS / RHEL 6.4.  See, 
> for example, https://bugzilla.redhat.com/show_bug.cgi?id=848939.
>
>
> John
>
I am running puppet master using apache/passenger, and while some of the 
Passenger modules run as root, I realize that the puppet master is running 
as the user puppet. 
It does seem that each of the messages comes with a different pid, so I'll 
check to see what's going on. 
From what I understand of your reply, the selinux file contexts should be 
set to what puppet wants, so restorecon needs to be fixed. OK. I am running 
the latest everything in centos6.4, so the policies are up to date. 
However, in looking at selinux's file_contexts file, everything should have 
been set to system_u, just as puppet wanted. I guess the policy updates 
didn't make it to the files. I forced restorecon to relabel with restorecon 
-F, and that did the trick. 

Thank you very much. 

Mike
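
Added example, not part of the thread or of Puppet: a small shell check that shows why plain restorecon left these files alone while restorecon -F fixed them. On an already-labelled file restorecon only rewrites the type, so a mismatch in the user field (system_u here) survives until -F is used. The function names and the puppet_var_lib_t sample labels are constructed for illustration.

```shell
#!/bin/sh
# Added example. Labels below are constructed samples, not output from the thread.

# ctx_field CONTEXT FIELD -> prints one field of "user:role:type[:range]".
# The MLS/MCS range may contain ':' itself, so it is everything after the type.
ctx_field() {
    rest=$1
    user=${rest%%:*}; rest=${rest#*:}
    role=${rest%%:*}; rest=${rest#*:}
    type=${rest%%:*}
    case $rest in *:*) range=${rest#*:} ;; *) range= ;; esac
    case $2 in
        user)  printf '%s\n' "$user" ;;
        role)  printf '%s\n' "$role" ;;
        type)  printf '%s\n' "$type" ;;
        range) printf '%s\n' "$range" ;;
        *)     return 2 ;;
    esac
}

# relabel_needed EXPECTED ACTUAL -> prints "none", "restorecon" or "restorecon -F".
# Plain restorecon rewrites only the type of an already-labelled file; a
# mismatch in user, role or range is left alone unless -F is given.
relabel_needed() {
    if [ "$1" = "$2" ]; then echo "none"; return 0; fi
    for f in user role range; do
        if [ "$(ctx_field "$1" "$f")" != "$(ctx_field "$2" "$f")" ]; then
            echo "restorecon -F"; return 0
        fi
    done
    echo "restorecon"
}

# check_path PATH -> same verdict for a real file (needs matchpathcon and GNU stat).
check_path() {
    relabel_needed "$(matchpathcon -n "$1")" "$(stat -c %C "$1")"
}

# Constructed demo: policy wants system_u, the file still carries unconfined_u.
relabel_needed "system_u:object_r:puppet_var_lib_t:s0" \
               "unconfined_u:object_r:puppet_var_lib_t:s0"
```

On a host with SELinux enabled, `check_path` can be run against each file Puppet keeps reporting to see which of them need the forced relabel.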
