Hi
Does Puppet Enterprise support running puppet agent selinux confined?
It seems at least EL6 and EL7 provide types, but pe-agent is not using them,
as it is started in initrc_t (EL6) or unconfined_service_t (EL7).
I can't find documentation about this topic on docs.puppetlabs.com.
The problem with the SELinux policy enforced is (at least on EL6) that AVCs
get logged when puppet tries to manage confined services (like sshd), because
puppet causes tmp files to be created with the wrong context (initrc_tmp_t
instead of puppet_tmp_t).
- Thomas
types on EL7
# seinfo -t | grep pupp
puppet_var_lib_t
puppet_var_run_t
puppetca_exec_t
puppetmaster_tmp_t
puppet_client_packet_t
puppetagent_exec_t
puppet_port_t
puppetagent_t
puppet_etc_t
puppet_log_t
puppetmaster_initrc_exec_t
puppetmaster_exec_t
puppetmaster_t
puppetagent_initrc_exec_t
puppet_server_packet_t
puppet_tmp_t
puppetca_t
AVC on EL6
type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123
comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=
system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
initrc_tmp_t:s0 tclass=file
Quick fix:
# will be reset with restorecon -rv or "touch /.autorelabel" and reboot
# only a temp solution
# EL6
chcon -t puppet_initrc_exec_t /etc/init.d/pe-puppet
chcon -t puppet_exec_t /opt/puppet/bin/puppet
# EL7
chcon -t puppetagent_exec_t /opt/puppet/bin/puppet
# both
service pe-puppet restart
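An added example, not from the post or from Puppet Enterprise: a small Python parser for AVC records of the shape quoted above. It extracts the source and target SELinux types from each denial and flags denials on puppet-created /tmp files whose label is not puppet_tmp_t, which is the symptom described in the post (a confined service such as sshd tripping over an initrc_tmp_t file). The audit lines it runs over are constructed for illustration; the expected label puppet_tmp_t and the /tmp/puppet path prefix come from the post, everything else is an assumption of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit records for this example (not real logs). The first
# mirrors the shape of the EL6 denial quoted in the post; the others are
# controls that the rule below must not flag.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1111111111.111:123): avc:  denied  { write } for  pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1111111111.222:124): avc:  denied  { read } for  pid=456 comm="httpd" path="/var/www/html/index.html" dev=dm-1 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1111111111.111:123): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1111111111.333:125): avc:  denied  { write } for  pid=789 comm="sshd" path="/tmp/puppet20160301-789-abc" dev=dm-1 ino=11 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:puppet_tmp_t:s0 tclass=file
"""

# "avc:  denied  { write } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


def context_type(ctx: Optional[str]) -> Optional[str]:
    """Return the type field of a user:role:type[:range] SELinux context."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec: Dict[str, object] = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    rec.update(fields)
    rec["source_type"] = context_type(fields.get("scontext"))
    rec["target_type"] = context_type(fields.get("tcontext"))
    return rec


def find_mislabeled_puppet_tmp(
    log_text: str,
    expected_label: str = "puppet_tmp_t",   # label the puppet policy expects (from the post)
    path_prefix: str = "/tmp/puppet",       # puppet agent temp file naming (from the post)
) -> List[Dict[str, object]]:
    """Flag denials where a puppet temp file carries a label other than expected_label.

    A hit means the agent ran in a domain (initrc_t / unconfined_service_t) whose
    temp files are not labelled for puppet, so confined services it manages
    cannot touch them.
    """
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        path = str(rec.get("path", ""))
        if not path.startswith(path_prefix):
            continue
        if rec["target_type"] == expected_label:
            continue
        findings.append({
            "pid": rec.get("pid"),
            "comm": rec.get("comm"),
            "path": path,
            "perms": rec["perms"],
            "source_domain": rec["source_type"],
            "actual_label": rec["target_type"],
            "expected_label": expected_label,
        })
    return findings


if __name__ == "__main__":
    for f in find_mislabeled_puppet_tmp(SAMPLE_AUDIT_LOG):
        print(f"{f['comm']}[{f['pid']}] ({f['source_domain']}) denied {f['perms']} on "
              f"{f['path']}: labelled {f['actual_label']}, expected {f['expected_label']}")
```

Running it against a real `/var/log/audit/audit.log` (read as `log_text`) gives a quick way to confirm whether the denials on a host are the relabelling symptom from the post rather than an unrelated policy gap; a finding whose actual_label is initrc_tmp_t points at the agent still being started via initrc_t.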