[selinux] Re: Puppet 3 troubles on F19

Robin Lee Powell rlpowell at digitalkingdom.org
Sat Aug 3 08:26:40 UTC 2013


On Wed, Jul 31, 2013 at 10:57:31AM -0700, Robin Lee Powell wrote:
> On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
> > On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
> > > On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
> > >> Could you please open a new bug with updated paths.
> > > 
> > > If it was just a matter of changing paths, I wouldn't have
> > > bothered with the email :).
> > > 
> > > What used to be puppetd is now run as "puppet agent", and what
> > > used to be run as puppetmasterd is now run as "puppet master".
> > > There are a bunch of other options too.
> > > 
> > > This could, I guess, be fixed by having wrapper scripts to get
> > > to the old functions, but the systemd config does, in fact, do
> > > it the new way: ExecStart=/usr/bin/puppet master
> > > 
> > > I have no idea, at all, how to handle this properly.
> > 
> > Well if we want to get separation between the master and the agent
> > we will either need different entrypoints into the domain
> > (Scripts).   Or we will need to build SELinux knowledge into
> > puppet.
> > 
> > Another solution would be to just make puppet into a single (very
> > powerful domain).  One thing we have talked about with puppet was
> > to make it easy to extend puppetd policy to allow it to manage
> > certain domains.  puppetd_t would be an unconfined domain but if
> > you disabled the unconfined module then you would use a tool like
> > sepolicy generate to generate policy modules for the domains
> > puppetd_t will be administrating.
> 
> Making puppet into a one giant super domain would be by far the
> easiest, since it would also cover things like "puppet apply", where
> puppet is used to run a puppet script file.
> 
> What's the right way for me to present a patch for this?  Is there a
> github or something for the current policy?

Help, please.  Are there any docs on how to submit policy patches?

-Robin

-- 
http://intelligence.org/ :  Our last, best hope for a fantastic future.
.i ko na cpedu lo nu stidi vau loi jbopre .i danfu lu na go'i li'u .e
lu go'i li'u .i ji'a go'i lu na'e go'i li'u .e lu go'i na'i li'u .e
lu no'e go'i li'u .e lu to'e go'i li'u .e lu lo mamta be do cu sofybakni li'u

