Hi

Does Puppet Enterprise support running puppet agent selinux confined?

It seems at least EL6 and EL7 provide types, but pe-agent is not using them, as 
it is started in initrc_t (EL6) or unconfined_service_t (EL7).

I can't find documentation about this topic on docs.puppetlabs.com.

The problem with SELinux policy enforced is (at least on EL6) that some AVCs 
are logged when puppet tries to manage confined services (like sshd), as 
puppet causes tmp files to be created with the wrong context (initrc_tmp_t 
instead of puppet_tmp_t).

- Thomas


Types on EL7:

# seinfo -t | grep pupp
   puppet_var_lib_t
   puppet_var_run_t
   puppetca_exec_t
   puppetmaster_tmp_t
   puppet_client_packet_t
   puppetagent_exec_t
   puppet_port_t
   puppetagent_t
   puppet_etc_t
   puppet_log_t
   puppetmaster_initrc_exec_t
   puppetmaster_exec_t
   puppetmaster_t
   puppetagent_initrc_exec_t
   puppet_server_packet_t
   puppet_tmp_t
   puppetca_t


AVC on EL6:

type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file


Quick fix:

# Relabel the agent binary/init script so the agent transitions into its own
# domain. These labels are reset by "restorecon -rv" or by "touch /.autorelabel"
# plus a reboot, so this is only a temporary solution.
# EL6
chcon -t puppet_initrc_exec_t /etc/init.d/pe-puppet
chcon -t puppet_exec_t /opt/puppet/bin/puppet
# EL7
chcon -t puppetagent_exec_t /opt/puppet/bin/puppet

# both: restart so the new label takes effect
service pe-puppet restart
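
As an added example (not from the post and not Puppet's own tooling), a small Python checker that parses audit AVC records like the one above and flags denials on a puppet temp file whose label is not puppet_tmp_t, which is the symptom described here. The sample records are constructed; the first one is the EL6 line from the post, and the "/tmp/puppet" prefix and puppet_tmp_t type are taken from it.

```python
import re

# One audit(1) AVC record: 'avc: denied { perm ... } for key=value key="value" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

PUPPET_TMP_PREFIX = "/tmp/puppet"   # where the agent writes its temp files (from the post)
EXPECTED_TMP_TYPE = "puppet_tmp_t"  # the type they carry when the agent is confined

def sel_type(context):
    """Type field of a SELinux context, e.g. sshd_t from system_u:system_r:sshd_t:s0."""
    return context.split(":")[2] if context.count(":") >= 2 else ""

def parse_avc(line):
    """Parse one audit log line into a dict; None for non-AVC or non-denial records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: q or u for k, q, u in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = sel_type(rec.get("scontext", ""))
    rec["target_type"] = sel_type(rec.get("tcontext", ""))
    return rec

def mislabelled_puppet_tmp(lines):
    """Denials on a puppet temp file carrying a type other than puppet_tmp_t: the
    symptom of an agent started in initrc_t/unconfined_service_t, not its own domain."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.get("tclass") == "file"
                and rec.get("path", "").startswith(PUPPET_TMP_PREFIX)
                and rec["target_type"] != EXPECTED_TMP_TYPE):
            hits.append(rec)
    return hits

# Constructed sample: the record from the post, one correctly labelled file, one non-AVC line.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" '
    'path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1111111111.222:124): avc: denied { write } for pid=124 comm="sshd" '
    'path="/tmp/puppet20160301-124-abcd" dev=dm-1 ino=4 '
    'scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:puppet_tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1111111111.111:123): arch=c000003e syscall=2 success=no',
]
```

Running `mislabelled_puppet_tmp(SAMPLE_AUDIT)` returns only the first record (initrc_tmp_t on a puppet temp file); feed it `open("/var/log/audit/audit.log")` to check a real host after applying the chcon fix above.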

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/d9b65399-bc63-4509-bb2e-2d345350a91e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.