Package: puppet-master
Version: 5.5.22-2
Severity: normal
Tags: patch upstream

# ps axZ|grep pupp
system_u:system_r:initrc_t:s0 1351 ? Ssl 0:00 /usr/bin/ruby /usr/bin/puppet master

Because the same program /usr/bin/puppet is used for starting the agent and the master we can't get the correct SE Linux domain via an automatic domain transition. So puppet ends up in initrc_t which is not the desired domain.

[Service]
SELinuxContext=system_u:system_r:puppetmaster_t:s0

If the above is put in /lib/systemd/system/puppet-master.service then systemd will assign the correct context if SE Linux is active and it will ignore it if SE Linux is not active. There is no downside to this for people who don't use SE Linux, but it is a benefit for those who do. Currently SE Linux users need to run "systemctl edit puppet-master.service" to put an override for this.

system_u:system_r:puppetmaster_t:s0 2668 ? Ssl 0:00 /usr/bin/ruby /usr/bin/puppet master

The above is the desired result in the output of "ps axZ".

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages puppet-master depends on:
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  puppet               5.5.22-2
ii  ruby                 1:2.7+2

puppet-master recommends no packages.

puppet-master suggests no packages.

-- no debconf information
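
Added example, not part of the original report or of the puppet package: a check for the condition described above, reading "ps axZ" output on stdin and flagging a puppet master whose SELinux type is not puppetmaster_t. The function name and exit codes are assumptions of this example; the two sample lines are the ps lines quoted in the report.

```shell
#!/bin/sh
# Type taken from the SELinuxContext= line proposed in the report.
EXPECTED_TYPE="puppetmaster_t"

# Reads `ps axZ` output on stdin.
# Prints "PID TYPE" for every puppet master process in the wrong domain.
# Exit codes (chosen for this example):
#   0 = every puppet master is in EXPECTED_TYPE
#   1 = at least one puppet master is in another domain
#   2 = no puppet master process found in the input
check_puppet_context() {
    awk -v want="$EXPECTED_TYPE" '
        # Match the master only: the agent is started from the same
        # /usr/bin/puppet binary, which is why no automatic domain
        # transition can tell the two apart.
        /\/usr\/bin\/puppet master/ {
            seen = 1
            # Column 1 is user:role:type:level; the type is the third part.
            split($1, ctx, ":")
            if (ctx[3] != want) { print $2, ctx[3]; bad = 1 }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# The two ps lines quoted in the report, reused as sample input.
SAMPLE_BEFORE='system_u:system_r:initrc_t:s0 1351 ? Ssl 0:00 /usr/bin/ruby /usr/bin/puppet master'
SAMPLE_AFTER='system_u:system_r:puppetmaster_t:s0 2668 ? Ssl 0:00 /usr/bin/ruby /usr/bin/puppet master'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if out=$(printf '%s\n' "$sample" | check_puppet_context); then
        echo "OK: puppet master runs in $EXPECTED_TYPE"
    else
        echo "MISMATCH (pid type): $out"
    fi
done
```

On a live system the same function is fed with "ps axZ | check_puppet_context", for example from a monitoring check after package upgrades.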

