Package: puppet
Version: 5.5.22-2
Severity: normal
Tags: patch upstream

# ps axZ|grep pupp
system_u:system_r:initrc_t:s0 1603 ? Ss 0:00 /usr/bin/ruby /usr/bin/puppet agent

Because the same program /usr/bin/puppet is used for starting the agent and the master we can't get the correct SE Linux domain via an automatic domain transition. So puppet ends up in initrc_t, which is not the desired domain.

[Service]
SELinuxContext=system_u:system_r:puppet_t:s0

If the above is put in /lib/systemd/system/puppet.service then systemd will assign the correct context if SE Linux is active and it will ignore it if SE Linux is not active. There is no downside to this for people who don't use SE Linux, but it is a benefit for those who do. Currently SE Linux users need to run "systemctl edit puppet.service" to put in an override for this.

system_u:system_r:puppet_t:s0 1683 ? Ss 0:00 /usr/bin/ruby /usr/bin/puppet agent

The above is the desired result in the output of "ps axZ".

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages puppet depends on:
ii  adduser              3.118
ii  facter               3.14.12-1+b2
ii  hiera                3.2.0-2.1
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  ruby                 1:2.7+2
ii  ruby-augeas          1:0.5.0-3+b8
ii  ruby-deep-merge      1.1.1-1
ii  ruby-shadow          2.5.0-1+b4

Versions of packages puppet recommends:
pn  debconf-utils  <none>
ii  lsb-release    11.1.0
pn  ruby-selinux   <none>

Versions of packages puppet suggests:
pn  ruby-hocon  <none>
pn  ruby-rrd    <none>

-- no debconf information
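The following is an added example, not part of the bug report or the Debian puppet package. It shows the workaround the reporter mentions (a drop-in with the SELinuxContext= line, which is what "systemctl edit puppet.service" creates under /etc/systemd/system/puppet.service.d/) and a small check that reads the domain of the agent from "ps axZ"-style output, so the before and after states quoted above can be verified. The drop-in path root (DROPIN_ROOT, defaulting to a temp directory), the file name selinux.conf, and the sample ps lines are assumptions for the example; on a real host you would point DROPIN_ROOT at /etc/systemd/system, run "systemctl daemon-reload" and restart the service.

```shell
#!/bin/sh
# Added example (not from the bug report or the puppet package):
# 1) write a systemd drop-in pinning puppet.service to the puppet_t domain,
# 2) check the SELinux type of the agent from "ps axZ"-style lines.
#
# Assumption: DROPIN_ROOT defaults to a temp dir so this runs without root
# or systemd. Real use: DROPIN_ROOT=/etc/systemd/system, then
# "systemctl daemon-reload && systemctl restart puppet".

# selinux_type LINE -> prints the SELinux type (e.g. initrc_t, puppet_t)
# from one "ps axZ" output line; the label is the first field and has the
# form user:role:type:level.
selinux_type() {
    label=${1%% *}              # first whitespace-separated field
    rest=${label#*:}            # drop user (system_u)
    rest=${rest#*:}             # drop role (system_r)
    printf '%s\n' "${rest%%:*}" # type, without the MLS level (s0)
}

# agent_in_domain LINE TYPE -> success if the process on LINE runs as TYPE
agent_in_domain() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# write_dropin ROOT -> creates ROOT/puppet.service.d/selinux.conf carrying
# the SELinuxContext= line from the report and prints the file's path.
# systemd ignores the setting when SELinux is disabled, so the drop-in is
# harmless on non-SELinux hosts.
write_dropin() {
    dir="$1/puppet.service.d"
    mkdir -p "$dir"
    cat > "$dir/selinux.conf" <<'EOF'
[Service]
SELinuxContext=system_u:system_r:puppet_t:s0
EOF
    printf '%s\n' "$dir/selinux.conf"
}

# Constructed sample lines, shaped like the report's "ps axZ" output:
# the agent before the fix (initrc_t) and after it (puppet_t).
BEFORE='system_u:system_r:initrc_t:s0 1603 ? Ss 0:00 /usr/bin/ruby /usr/bin/puppet agent'
AFTER='system_u:system_r:puppet_t:s0 1683 ? Ss 0:00 /usr/bin/ruby /usr/bin/puppet agent'

DROPIN_ROOT=${DROPIN_ROOT:-$(mktemp -d)}
conf=$(write_dropin "$DROPIN_ROOT")
echo "wrote $conf"

for line in "$BEFORE" "$AFTER"; do
    if agent_in_domain "$line" puppet_t; then
        echo "ok:           $line"
    else
        echo "wrong domain ($(selinux_type "$line")): $line"
    fi
done
```

On a live system the same check is `ps axZ | grep '[p]uppet agent'` piped into `selinux_type`; anything other than puppet_t (initrc_t being the symptom the report describes) means the unit is still starting without the explicit context.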

