So I just upgraded to F19, which means I get Puppet 3 (yay!).
I'm running with unconfined disabled.
Unfortunately, it looks like the policy hasn't been updated for
puppet in quite a while. For example, from
serefpolicy-contrib-3.12.1/puppet.fc (which I got from
selinux-policy-3.12.1-66.fc19.src.rpm) I see:
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
Not a one of those files exists anymore.
This means that things go quite poorly. For example, "sudo
systemctl restart puppetmaster.service" gets me:
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc: denied { open } for pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc: denied { read } for pid=28302 comm=ruby-mri name=ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
----
type=AVC msg=audit(07/29/2013 22:07:49.780:2300369) : avc: denied { ioctl } for pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
----
type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc: denied { create } for pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=file
type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc: denied { add_name } for pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=dir
----
type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc: denied { name_bind } for pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
because it's running as initrc_t instead of puppetmaster_t:
system_u:system_r:initrc_t:s0 puppet 28307 0.0 0.5 309556 43464 ? Ssl 22:07 0:00 /usr/bin/ruby-mri /usr/bin/puppet master
My knowledge of puppet is considerable, but my selinux is only
decent. In particular, the Right Thing here is for the systemd
launch of puppetmaster to put things into the right context, but
I've no idea how to accomplish that.
Is there someone I can work with to fix up this policy?
-Robin
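As an added diagnostic, not part of Robin's post or of the Fedora policy package, the following Python script parses AVC records of the kind quoted above and reports denials where puppet_* labelled objects are touched from a domain other than puppetmaster_t; when every hit comes from initrc_t, the daemon never transitioned and the exec label is the thing to fix, not allow rules for initrc_t. The names parse_avc, missing_transition and SAMPLE_AUDIT (constructed from the records in the post) are assumptions of this example.

```python
import re

# Constructed sample: three of the AVC records quoted in the post above, plus the
# SOCKADDR record and a "----" separator, in the form ausearch prints them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/29/2013 22:07:49.780:2300368) : avc: denied { open } for pid=28302 comm=ruby-mri path=/var/lib/puppet/ssl/ca/ca_key.pem dev="dm-1" ino=401335 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
----
type=AVC msg=audit(07/29/2013 22:07:49.966:2300370) : avc: denied { add_name } for pid=28307 comm=ruby-mri name=master.pid scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_var_run_t:s0 tclass=dir
type=SOCKADDR msg=audit(07/29/2013 22:07:49.982:2300371) : saddr=inet host:0.0.0.0 serv:8140
type=AVC msg=audit(07/29/2013 22:07:49.982:2300371) : avc: denied { name_bind } for pid=28307 comm=ruby-mri src=8140 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"^type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Type component (user:role:TYPE:level) of an SELinux context string."""
    return context.split(":")[2]

def parse_avc(text):
    """Parse AVC denial records out of raw ausearch / audit.log text; other
    record types (SOCKADDR, ...) and the ---- separators are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "perms": m.group("perms").split(),
            "pid": fields.get("pid"),
            "comm": fields.get("comm"),
            "sdomain": selinux_type(fields["scontext"]),
            "ttype": selinux_type(fields["tcontext"]),
            "tclass": fields.get("tclass"),
        })
    return records

def missing_transition(records, expected_domain="puppetmaster_t", type_prefix="puppet_"):
    """Denials where the service's own labelled objects (types starting with
    type_prefix) are touched from a domain other than the one the policy
    intends. If every hit comes from initrc_t, the daemon never transitioned:
    fix the exec label of the launched binary, do not write allow rules for initrc_t."""
    return [r for r in records
            if r["sdomain"] != expected_domain and r["ttype"].startswith(type_prefix)]

if __name__ == "__main__":
    hits = missing_transition(parse_avc(SAMPLE_AUDIT))
    for h in hits:
        print(f"pid {h['pid']} ({h['comm']}) in {h['sdomain']}: {' '.join(h['perms'])} on {h['ttype']} ({h['tclass']})")
    if hits and {h["sdomain"] for h in hits} == {"initrc_t"}:
        print("verdict: daemon runs as initrc_t, so the launched binary carries no puppetmaster_exec_t label")
```

Feed it the output of ausearch -m AVC to check a live host; the same check with expected_domain="puppet_t" applies to the agent side.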