Hi Thomas,

This looks like a bug in the installation RPM. I would file a bug against PE with your proposed fix as it looks correct and should be part of the RPM post installation.
Trevor

On Thu, Mar 24, 2016 at 5:16 AM, Thomas Müller <[email protected]> wrote:
> Hi
>
> Does Puppet Enterprise support running puppet agent selinux confined?
>
> Seems at least EL6 and EL7 provide types but it seems pe-agent is not
> using them as they are started in initrc_t (EL6) or unconfined_service_t
> (EL7).
>
> I can't find documentation about this topic on docs.puppetlabs.com.
>
> The problem with selinux policy enforced is (at least on EL6), that it has
> some AVC logged when puppet tries to manage confined services (like sshd)
> as puppet causes tmp-files created with wrong context (initrc_tmp_t
> instead of puppet_tmp_t).
>
> - Thomas
>
>
> types on EL7
>
> # seinfo -t | grep pupp
> puppet_var_lib_t
> puppet_var_run_t
> puppetca_exec_t
> puppetmaster_tmp_t
> puppet_client_packet_t
> puppetagent_exec_t
> puppet_port_t
> puppetagent_t
> puppet_etc_t
> puppet_log_t
> puppetmaster_initrc_exec_t
> puppetmaster_exec_t
> puppetmaster_t
> puppetagent_initrc_exec_t
> puppet_server_packet_t
> puppet_tmp_t
> puppetca_t
>
>
> AVC on EL6
> type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123
> comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3
> scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
>
> Quick fix:
>
> # will be reset with restorecon -rv or "touch /.autorelabel" and reboot
> # only a temp solution
> # EL6
> chcon -t puppet_initrc_exec_t /etc/init.d/pe-puppet
> chcon -t puppet_exec_t /opt/puppet/bin/puppet
> # EL7
> chcon -t puppetagent_exec_t /opt/puppet/bin/puppet
>
> # both
> service pe-puppet restart
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/d9b65399-bc63-4509-bb2e-2d345350a91e%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --
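To spot the condition Thomas describes on a host without waiting for a managed service to fail, here is an added shell example (it is not code from the thread, from Puppet, or from Onyx Point). It parses a `ps -eZ` line to tell whether the agent runs in a confined puppet domain, classifies an audit AVC record for the initrc_tmp_t mislabel on /tmp/puppet* files, and prints the persistent form of the chcon quick fix (a `semanage fcontext` rule plus `restorecon`), which survives the relabel that resets a bare chcon. The AVC record is the one quoted in the thread; the two `ps` lines are constructed; the agent domains puppetagent_t (EL7) and puppet_t (EL6) and the target paths are taken from the thread and assumed to be the right ones for a PE install.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet Enterprise.
# Detects the symptom described above: pe-puppet running in an unconfined
# or initrc domain, so files it drops in /tmp are labelled initrc_tmp_t and
# confined services (sshd_t) get AVC denials when puppet manages them.

# Sample inputs. The AVC record is the (already anonymised) one quoted in the
# thread; the two `ps -eZ` lines are constructed for this example.
SAMPLE_AVC='type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'
SAMPLE_PS_BAD='system_u:system_r:unconfined_service_t:s0 1234 ? 00:00:05 puppet'
SAMPLE_PS_GOOD='system_u:system_r:puppetagent_t:s0 1234 ? 00:00:05 puppet'

# Print the value of one key=value field of an AVC record ($1 = record, $2 = key).
# The key must be preceded by whitespace, so "scontext" never matches inside
# "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print the SELinux type (third colon-separated field) of a security context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given one `ps -eZ` line for the puppet process, print "confined" when the
# domain is one of the agent domains implied by the thread (puppetagent_t on
# EL7, puppet_t on EL6, assumed), otherwise "unconfined".
agent_domain_status() {
    dom=$(context_type "$(printf '%s\n' "$1" | awk '{print $1}')")
    case "$dom" in
        puppetagent_t|puppet_t) echo confined ;;
        *)                      echo unconfined ;;
    esac
}

# Classify one AVC record: "puppet-tmp-mislabel" when the denied object is a
# /tmp/puppet* file carrying initrc_tmp_t (what the thread shows), else "other".
classify_avc() {
    path=$(avc_field "$1" path)
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    case "$path" in
        \"/tmp/puppet*) under_tmp=1 ;;
        *)              under_tmp=0 ;;
    esac
    if [ "$under_tmp" = 1 ] && [ "$ttype" = initrc_tmp_t ]; then
        echo puppet-tmp-mislabel
    else
        echo other
    fi
}

# Print (do not run) the persistent equivalent of the chcon quick fix for the
# given release: a file-context rule plus restorecon survives a relabel, which
# chcon alone does not. Type names and paths are the ones from the thread; that
# they are the right targets for a PE install is an assumption of this example.
persistent_fix_commands() {
    case "$1" in
        el6)
            echo "semanage fcontext -a -t puppet_initrc_exec_t '/etc/init.d/pe-puppet'"
            echo "semanage fcontext -a -t puppet_exec_t '/opt/puppet/bin/puppet'"
            echo "restorecon -v /etc/init.d/pe-puppet /opt/puppet/bin/puppet"
            ;;
        el7)
            echo "semanage fcontext -a -t puppetagent_exec_t '/opt/puppet/bin/puppet'"
            echo "restorecon -v /opt/puppet/bin/puppet"
            ;;
        *)
            echo "unknown release: $1" >&2
            return 1
            ;;
    esac
}

# Stand-alone run against the samples. On a live host you would feed in
# `ps -eZ | grep '[p]uppet'` and `ausearch -m AVC -c sshd` output instead.
echo "agent domain (bad sample):  $(agent_domain_status "$SAMPLE_PS_BAD")"
echo "agent domain (good sample): $(agent_domain_status "$SAMPLE_PS_GOOD")"
echo "AVC classification:         $(classify_avc "$SAMPLE_AVC")"
echo "persistent fix for EL7:"
persistent_fix_commands el7
```

The classifier keys on the target type rather than on the process name because the denial is logged against the confined service (sshd here), not against puppet; the only trace of puppet in the record is the /tmp/puppet* path and the wrong label, which is exactly what the thread's AVC shows.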
