[selinux] Re: Puppet 3 troubles on F19

Robin Lee Powell rlpowell at digitalkingdom.org
Wed Jul 31 17:57:31 UTC 2013


On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
> On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
> > On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
> >> Could you please open a new bug with updated paths.
> > 
> > If it was just a matter of changing paths, I wouldn't have
> > bothered with the email :).
> > 
> > What used to be puppetd is now run as "puppet agent", and what
> > used to be run as puppetmasterd is now run as "puppet master".
> > There are a bunch of other options too.
> > 
> > This could, I guess, be fixed by having wrapper scripts to get
> > to the old functions, but the systemd config does, in fact, do
> > it the new way: ExecStart=/usr/bin/puppet master
> > 
> > I have no idea, at all, how to handle this properly.
> 
> Well if we want to get separation between the master and the agent
> we will either need different entrypoints into the domain
> (scripts), or we will need to build SELinux knowledge into
> puppet.
> 
> Another solution would be to just make puppet into a single (very
> powerful) domain.  One thing we have talked about with puppet was
> to make it easy to extend puppetd policy to allow it to manage
> certain domains.  puppetd_t would be an unconfined domain but if
> you disabled the unconfined module then you would use a tool like
> sepolicy generate to generate policy modules for the domains
> puppetd_t will be administrating.

Making puppet into one giant super domain would be by far the
easiest, since it would also cover things like "puppet apply", where
puppet is used to run a puppet script file.

What's the right way for me to present a patch for this?  Is there a
github or something for the current policy?

-Robin
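For readers following the "different entrypoints (scripts)" option Dan describes above, here is an added skeleton that is not part of the thread or of the Fedora policy: one wrapper script per puppet role, each labelled with its own entrypoint type so init lands it in its own domain. The type names, wrapper paths and the puppet_split module name are assumptions made up for the example.

```shell
#!/bin/bash
# Skeleton for the "separate entrypoints" approach: two tiny wrapper
# scripts around /usr/bin/puppet, each with its own exec type, so the
# master and the agent run in different SELinux domains without puppet
# itself knowing anything about SELinux. Names and paths are invented.
set -eu

# Write the .te, .fc and the two wrapper scripts into directory $1.
write_puppet_split() {
  local dir=$1; mkdir -p "$dir"
  cat >"$dir/puppet_split.te" <<'EOF'
policy_module(puppet_split, 1.0.0)

# One domain per entrypoint script. The real permissions each role
# needs (config files, certs, network) still have to be added here.
type puppet_master_t;
type puppet_master_exec_t;
init_daemon_domain(puppet_master_t, puppet_master_exec_t)
type puppet_agent_t;
type puppet_agent_exec_t;
init_daemon_domain(puppet_agent_t, puppet_agent_exec_t)

# Each wrapper is a shell script that execs /usr/bin/puppet (bin_t,
# itself a ruby script); no further transition is defined, so the
# domain chosen by the wrapper's label is kept for the whole process.
corecmd_exec_shell(puppet_master_t)
corecmd_exec_bin(puppet_master_t)
corecmd_exec_shell(puppet_agent_t)
corecmd_exec_bin(puppet_agent_t)
EOF
  cat >"$dir/puppet_split.fc" <<'EOF'
/usr/local/sbin/puppet-master-wrapper -- gen_context(system_u:object_r:puppet_master_exec_t,s0)
/usr/local/sbin/puppet-agent-wrapper  -- gen_context(system_u:object_r:puppet_agent_exec_t,s0)
EOF
  for role in master agent; do
    printf '#!/bin/bash\nexec /usr/bin/puppet %s "$@"\n' "$role" \
      >"$dir/puppet-$role-wrapper"
    chmod 0755 "$dir/puppet-$role-wrapper"
  done
}

# Build and load (needs selinux-policy-devel; not executed here):
#   make -f /usr/share/selinux/devel/Makefile puppet_split.pp
#   semodule -i puppet_split.pp
#   cp puppet-*-wrapper /usr/local/sbin/ && restorecon -v /usr/local/sbin/puppet-*-wrapper
# Then point each unit's ExecStart= at its wrapper instead of
# "/usr/bin/puppet master" so systemd enters the new entrypoint.
```

After loading, `ps -eZ | grep puppet` should show puppet_master_t and puppet_agent_t rather than one shared domain; if both still show the same context, the wrapper's file label (check with `ls -Z`) is the first thing to verify.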