Hello, I filed a pull request with draft code which is aligned with what Dominic proposed:
https://github.com/puppetlabs/puppet/pull/2997

It does not introduce any new global command line parameters because I think it's overkill. There are three env. variables which can be used to tune this up, but I think this would be rare cases.

LZ

On Wednesday, August 27, 2014 9:00:49 PM UTC+2, Joshua Partlow wrote:
>
> Hi everyone,
>
> There is a PR for Puppet to address difficulties setting security contexts
> in SELinux for specific puppet subcommands (
> https://github.com/puppetlabs/puppet/pull/2997). The contributor (Lukáš
> Zapletal) originally was looking to add additional wrapper scripts around
> subcommands so that a puppet_exec_t could be set for these files. There is
> general concern about the confusion caused by reintroducing separate
> commands, and Dominic Cleal suggested making use of Ruby's SELinux bindings
> (specifically Puppet::Util::SELinux.setcon in Puppet) to instead handle the
> context switch internally.
>
> Talking this over during the triage today, this seems like a reasonable
> approach, but we're lacking SELinux experience, and were wondering if there
> were additional Puppet/SELinux users out there who might weigh in on this?
>
> thanks,
> Josh
>
> --
> Josh Partlow
> Developer, Puppet Labs
