[selinux] Re: Puppet 3 troubles on F19
Daniel J Walsh
dwalsh at redhat.com
Mon Aug 5 15:10:06 UTC 2013
On 08/03/2013 04:26 AM, Robin Lee Powell wrote:
> On Wed, Jul 31, 2013 at 10:57:31AM -0700, Robin Lee Powell wrote:
>> On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
>>>
>>> On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
>>>> On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
>>>>> Could you please open a new bug with updated paths.
>>>>
>>>> If it was just a matter of changing paths, I wouldn't have bothered
>>>> with the email :).
>>>>
>>>> What used to be puppetd is now run as "puppet agent", and what used
>>>> to be run as puppetmasterd is now run as "puppet master". There are a
>>>> bunch of other options too.
>>>>
>>>> This could, I guess, be fixed by having wrapper scripts to get to the
>>>> old functions, but the systemd config does, in fact, do it the new
>>>> way: ExecStart=/usr/bin/puppet master
>>>>
>>>> I have no idea, at all, how to handle this properly.
>>>
>>> Well, if we want to get separation between the master and the agent, we
>>> will either need different entrypoints into the domain (scripts), or
>>> we will need to build SELinux knowledge into puppet.
>>>
>>> Another solution would be to just make puppet into a single (very
>>> powerful) domain. One thing we have talked about with puppet was to
>>> make it easy to extend puppetd policy to allow it to manage certain
>>> domains. puppetd_t would be an unconfined domain but if you disabled
>>> the unconfined module then you would use a tool like sepolicy generate
>>> to generate policy modules for the domains puppetd_t will be
>>> administrating.
>>
>> Making puppet into one giant super domain would be by far the easiest,
>> since it would also cover things like "puppet apply", where puppet is
>> used to run a puppet script file.
>>
>> What's the right way for me to present a patch for this? Is there a
>> github or something for the current policy?
>
> Help, please. Are there any docs on how to submit policy patches?
>
> -Robin
>
If we just change the label on /usr/bin/puppet to puppetmaster_exec_t what
happens?
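As an added example (not part of this thread), a script that answers "what happens" before anything is relabelled: it reads the current label of /usr/bin/puppet, lists the type_transition rules that would fire with puppetmaster_exec_t as the entrypoint, and prints (without running) the semanage/restorecon commands for the change. It assumes coreutils stat, setools sesearch and policycoreutils semanage are installed; the path and type names are the ones quoted in the thread.

```shell
#!/bin/bash
# Inspect the effect of relabelling /usr/bin/puppet as puppetmaster_exec_t.
# Because "puppet agent", "puppet master" and "puppet apply" are all the same
# binary, whatever label it carries applies to every subcommand.
set -u

BIN=/usr/bin/puppet                 # path from the systemd unit in the thread
NEW_TYPE=puppetmaster_exec_t        # type proposed in the thread

# Third field of a full context string, e.g.
# system_u:object_r:puppet_exec_t:s0 -> puppet_exec_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# SELinux type currently on a file (stat %C prints only the context).
current_type() {
    context_type "$(stat -c %C "$1")"
}

# type_transition rules whose target (entrypoint) is the given exec type:
# these are the domains a process would enter when executing the binary.
transitions_for() {
    sesearch -T -t "$1" -c process 2>/dev/null
}

# Print the current state and the commands that would make the change
# persistent; nothing is modified by this function.
show_plan() {
    echo "current label on $BIN: $(current_type "$BIN")"
    echo "type_transition rules with $NEW_TYPE as entrypoint:"
    transitions_for "$NEW_TYPE"
    echo "to apply (run as root):"
    echo "  semanage fcontext -a -t $NEW_TYPE $BIN"
    echo "  restorecon -v $BIN"
}

# Only run the inspection when explicitly asked, so sourcing is side-effect free.
[ "${1:-}" = "--plan" ] && show_plan
true
```

If the sesearch output shows a single source domain (such as init_t) transitioning into puppetmaster_t, the agent started by the same unit file would land in that domain as well, which is the single-domain outcome discussed above.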