[selinux] Re: Puppet 3 troubles on F19

Daniel J Walsh dwalsh at redhat.com
Mon Aug 5 15:10:06 UTC 2013



On 08/03/2013 04:26 AM, Robin Lee Powell wrote:
> On Wed, Jul 31, 2013 at 10:57:31AM -0700, Robin Lee Powell wrote:
>> On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
>>> 
>>> On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
>>>> On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
>>>>> Could you please open a new bug with updated paths.
>>>> 
>>>> If it was just a matter of changing paths, I wouldn't have bothered
>>>> with the email :).
>>>> 
>>>> What used to be puppetd is now run as "puppet agent", and what used
>>>> to be run as puppetmasterd is now run as "puppet master". There are a
>>>> bunch of other options too.
>>>> 
>>>> This could, I guess, be fixed by having wrapper scripts to get to the
>>>> old functions, but the systemd config does, in fact, do it the new
>>>> way: ExecStart=/usr/bin/puppet master
>>>> 
>>>> I have no idea, at all, how to handle this properly.
>>> 
>>> Well, if we want to get separation between the master and the agent, we
>>> will either need different entrypoints into the domain (scripts), or
>>> we will need to build SELinux knowledge into puppet.
>>> 
>>> Another solution would be to just make puppet into a single (very
>>> powerful) domain.  One thing we have talked about with puppet was to
>>> make it easy to extend puppetd policy to allow it to manage certain
>>> domains.  puppetd_t would be an unconfined domain, but if you disabled
>>> the unconfined module then you would use a tool like sepolicy generate
>>> to generate policy modules for the domains puppetd_t will be
>>> administrating.
>> 
>> Making puppet into one giant super domain would be by far the easiest,
>> since it would also cover things like "puppet apply", where puppet is
>> used to run a puppet script file.
>> 
>> What's the right way for me to present a patch for this?  Is there a 
>> github or something for the current policy?
> 
> Help, please.  Are there any docs on how to submit policy patches?
> 
> -Robin
> 

If we just change the label on /usr/bin/puppet to puppetmaster_exec_t what
happens?
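A way to try the relabel suggested above on a test box and see what the agent is denied once it runs in the master's domain, as an added example that is not part of the thread. It assumes Fedora 19 with semanage (policycoreutils-python) and sesearch (setools) installed; the audit lines and the target types in them are a constructed sample, not captured output.

```shell
#!/bin/sh
# Step 1: label /usr/bin/puppet with a local fcontext rule (survives restorecon),
# rather than a one-off chcon. Revert with: semanage fcontext -d '/usr/bin/puppet'
relabel_puppet() {
    semanage fcontext -a -t puppetmaster_exec_t '/usr/bin/puppet' &&
    restorecon -v /usr/bin/puppet
}

# Step 2: check what domain systemd (init_t) now transitions into for that label.
# With a single exec type, "puppet agent" and "puppet master" land in the same domain.
show_transitions() {
    sesearch -T -s init_t -t puppetmaster_exec_t -c process
}

# Step 3: after running the agent under the new label, summarize the AVC denials.
# Reads audit records on stdin and prints "<source domain> <class> <target type>
# <perms>" once per unique denial, which is what a policy patch would have to cover.
summarize_avc() {
    awk '/avc: +denied/ {
        perms = ""; inperm = 0; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if (index($i, "scontext=") == 1) { split(substr($i, 10), s, ":"); src = s[3] }
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if (index($i, "tclass=") == 1) cls = substr($i, 8)
        }
        key = src " " cls " " tgt " " perms
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Constructed sample: two distinct denials, one of them repeated.
SAMPLE_AUDIT='type=AVC msg=audit(1375714000.101:201): avc:  denied  { write } for  pid=2101 comm="puppet" name="state.yaml" dev="dm-0" ino=4101 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1375714000.102:202): avc:  denied  { name_connect } for  pid=2101 comm="puppet" dest=8140 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1375714000.103:203): avc:  denied  { write } for  pid=2101 comm="puppet" name="state.yaml" dev="dm-0" ino=4101 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

On a real system feed it `ausearch -m avc -ts recent | summarize_avc` after a `puppet agent --test` run; the lines it prints are the accesses a single puppet domain would need that puppetmaster_t does not already allow.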
