Fedora 20 Puppet update and SELinux policy

Lukas Zapletal lzap at redhat.com
Tue Apr 22 12:46:33 UTC 2014


we are rolling out update of Puppet to 3.4.3 in Fedora 20 and Rawhide that
adds one important change. We have found that puppet master was running
unconfined, therefore the Puppet SELinux policy was not effective in Fedoras.

The puppet package update fixes one little issue (missing runtime
dependency) and corrects startup wrappers for systemd which puts Puppet
Master into the correct SELinux domain puppetmaster_t. Since this has
some security impact, we have decided to backport this change into
Fedora 20 too.


Until now, puppet master was running unconfined (this is a regression),
the update might need relabelling of the system (/etc/puppet,
/var/lib/puppet) or checking out audit.log. Please help me with testing
this update:

    yum --enablerepo=updates-testing update selinux-policy puppet puppet-server

Thanks for help.


 Lukas "lzap" Zapletal
 irc: lzap #theforeman

More information about the devel mailing list