On Thursday, March 24, 2016 at 4:16:17 AM UTC-5, Thomas Müller wrote:
>
> Hi
>
> Does Puppet Enterprise support running puppet agent selinux confined?
>
> Seems at least EL6 and EL7 provide types but it seems pe-agent is not 
> using them as they are started in initrc_t (EL6) or unconfined_service_t 
> (EL7).
>
> I can't find documentation about this topic on docs.puppetlabs.com . 
>
> The problem with selinux policy enforced is (at least on EL6), that it has 
> some AVC logged when puppet tries to manage confined services (like sshd) 
> as puppet causes tmp-files created with wrong context (initrc_tmp_t 
> instead of puppet_tmp_t).
>
>

I am uncertain whether PE provides a knob by which you can cause agents to 
run constrained, but of course there's nothing inherently preventing you 
from making that happen one way or another.  But what policy will you then 
enforce?

Depending on the catalogs served to it, the agent might be instructed to 
create, delete, or modify any file on the file system (including editing 
SELinux attributes), run any external program, start or stop any service, 
install software, etc.  Running the agent in a context that is not 
effectively unconstrained would limit those capabilities in a manner that 
the agent itself has no reason to expect.  Limiting capabilities is of 
course the point, but the agent having no visibility into the constraints 
it is working under makes for a bit of an impedance mismatch.  For that 
reason I would not be too surprised to hear that PE is without a built-in 
mechanism for running the agent constrained.

That doesn't seem like a deal-killer to me, but I do think you may be 
asking for a bigger management hassle than you realize.


John
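
An added example, not from the thread and not Puppet Labs' code: a small POSIX shell helper that performs the two checks Thomas describes, which SELinux domain the agent process is actually running in (from `ps -eZ`) and which AVC denials it leaves behind (from audit.log). `puppet_tmp_t` is the type named in the question; `puppet_t` is assumed here to be the agent domain in the stock EL selinux-policy puppet module. The process listing and the audit record are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet Labs): check which SELinux
# domain the agent runs in and summarise the AVC denials it leaves behind.
# Type names: puppet_tmp_t is from the question; puppet_t is assumed to be the
# agent domain in the stock EL selinux-policy puppet module.
# The process listing and audit record below are constructed sample data so
# the script runs offline. On a real host feed it live data instead:
#   ps -eZ | agent_domain puppet
#   grep 'avc: *denied' /var/log/audit/audit.log | avc_summary

# Constructed `ps -eZ` output: the agent sits in initrc_t, as on the EL6 host
# in the question, next to a confined sshd.
SAMPLE_PS='LABEL                                PID TTY          TIME CMD
system_u:system_r:initrc_t:s0            1234 ?        00:00:03 puppet
system_u:system_r:sshd_t:s0-s0:c0.c1023   987 ?        00:00:00 sshd'

# Constructed AVC record with the shape the question describes: a confined
# service touching a temp file that carries initrc_tmp_t instead of puppet_tmp_t.
SAMPLE_AUDIT='type=AVC msg=audit(1458800177.123:456): avc:  denied  { read } for  pid=987 comm="sshd" name="sshd_config.tmp" dev=dm-0 ino=12345 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'

# agent_domain PATTERN: read `ps -eZ` output on stdin and print the SELinux
# type (third field of the label) of the first process whose command matches
# PATTERN ("puppet" also matches pe-puppet). The header line is skipped.
agent_domain() {
  awk -v pat="$1" 'NR > 1 && $NF ~ pat { split($1, c, ":"); print c[3]; exit }'
}

# classify_domain TYPE: "confined" for the (assumed) agent domain, "unconfined"
# for the catch-all domains the question names, "other" for anything else.
classify_domain() {
  case "$1" in
    puppet_t) echo confined ;;
    initrc_t|unconfined_service_t|unconfined_t) echo unconfined ;;
    *) echo other ;;
  esac
}

# avc_summary: read audit records on stdin and print
# "source_type target_type class permissions" for every AVC denial, which is
# enough to spot a target labelled initrc_tmp_t where puppet_tmp_t was expected.
avc_summary() {
  sed -n 's/.*avc: *denied *{ *\([^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Stand-alone run against the constructed data.
domain=$(printf '%s\n' "$SAMPLE_PS" | agent_domain puppet)
echo "agent domain: $domain ($(classify_domain "$domain"))"
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

Before concluding that the policy lacks an agent domain, confirm what the loaded policy actually defines (`seinfo -t | grep puppet` from setools); a process only transitions into a domain if the policy has both the type and a transition rule for the binary it was started from, so an agent started from a package path the policy does not know about will stay in the init domain exactly as Thomas observed.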

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b16ceb15-580c-4a57-8a64-c4b90693980e%40googlegroups.com.