Hi Thomas,

This looks like a bug in the installation RPM. I would file a bug against
PE with your proposed fix as it looks correct and should be part of the RPM
post installation.

Trevor

On Thu, Mar 24, 2016 at 5:16 AM, Thomas Müller <tho...@chaschperli.ch>
wrote:

> Hi
>
> Does Puppet Enterprise support running puppet agent selinux confined?
>
> It seems at least EL6 and EL7 provide types, but pe-agent is not
> using them, as it is started in initrc_t (EL6) or unconfined_service_t
> (EL7).
>
> I can't find documentation about this topic on docs.puppetlabs.com .
>
> The problem with the SELinux policy enforced (at least on EL6) is that
> some AVC denials get logged when puppet tries to manage confined services
> (like sshd), because puppet creates tmp files with the wrong context
> (initrc_tmp_t instead of puppet_tmp_t).
>
> - Thomas
>
>
> types on EL7
>
> # seinfo -t | grep pupp
>    puppet_var_lib_t
>    puppet_var_run_t
>    puppetca_exec_t
>    puppetmaster_tmp_t
>    puppet_client_packet_t
>    puppetagent_exec_t
>    puppet_port_t
>    puppetagent_t
>    puppet_etc_t
>    puppet_log_t
>    puppetmaster_initrc_exec_t
>    puppetmaster_exec_t
>    puppetmaster_t
>    puppetagent_initrc_exec_t
>    puppet_server_packet_t
>    puppet_tmp_t
>    puppetca_t
>
>
> AVC on EL6
> type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
>
>
> Quick fix:
>
> # will be reset with restorecon -rv or "touch /.autorelabel" and reboot
> # only a temp solution
> # EL6
> chcon -t puppet_initrc_exec_t /etc/init.d/pe-puppet
> chcon -t puppet_exec_t /opt/puppet/bin/puppet
> # EL7
> chcon -t puppetagent_exec_t /opt/puppet/bin/puppet
>
> # both
> service pe-puppet restart
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/d9b65399-bc63-4509-bb2e-2d345350a91e%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CANs%2BFoWqE8F7Ko8RhiSNRR%3DZ9cQ%3D5KgHstLKgdYO5M_czDKY5g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
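The following script is an added example, not code from the thread or from Puppet Labs. It turns the symptom Thomas describes into two checks a defender can run: it parses audit AVC lines and flags denials on Puppet-created temp files that carry initrc_tmp_t rather than puppet_tmp_t, and it compares the label on the agent binary with the type expected for the EL release (puppet_exec_t on EL6, puppetagent_exec_t on EL7, as in his quick fix). The sample AVC line is constructed from the redacted one in the thread; the path /opt/puppet/bin/puppet is the one the thread uses, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: detect the mislabelled-Puppet-tmp-file symptom from audit
# AVC lines and verify the agent binary's SELinux type for a given EL release.

# Constructed sample AVC line, modelled on the redacted line in the thread.
SAMPLE_AVC='type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file'

# avc_field KEY LINE: print the value of KEY=... from an AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# ctx_type CONTEXT: type component of a full context,
# e.g. system_u:object_r:initrc_tmp_t:s0 -> initrc_tmp_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_puppet_tmp_symptom LINE: print "<comm> <target type>" and return 0 when
# LINE is a denial on a /tmp/puppet* file whose label is not puppet_tmp_t
# (the symptom from the thread); return 1 for any other line.
avc_puppet_tmp_symptom() {
    line=$1
    case "$line" in
        *denied*'path="/tmp/puppet'*) ;;
        *) return 1 ;;
    esac
    ttype=$(ctx_type "$(avc_field tcontext "$line")")
    [ "$ttype" = puppet_tmp_t ] && return 1
    comm=$(avc_field comm "$line" | tr -d '"')
    printf '%s %s\n' "$comm" "$ttype"
    return 0
}

# expected_exec_type MAJOR: SELinux type for the agent executable on that
# EL release, as used in the thread's chcon commands.
expected_exec_type() {
    case "$1" in
        6) echo puppet_exec_t ;;
        7) echo puppetagent_exec_t ;;
        *) return 1 ;;
    esac
}

# label_matches CONTEXT EXPECTED_TYPE: print "ok" (return 0) when the type
# in CONTEXT equals EXPECTED_TYPE, otherwise print the mismatch (return 1).
label_matches() {
    actual=$(ctx_type "$1")
    if [ "$actual" = "$2" ]; then
        echo ok
    else
        echo "mismatch ($actual != $2)"
        return 1
    fi
}

# check_agent_binary MAJOR [PATH]: live check on an SELinux host; reads the
# file's context with stat(1) and compares it with the expected type.
check_agent_binary() {
    os=$1
    bin=${2:-/opt/puppet/bin/puppet}
    ctx=$(stat -c %C "$bin" 2>/dev/null) || { echo "cannot stat $bin"; return 2; }
    label_matches "$ctx" "$(expected_exec_type "$os")"
}

# Offline demonstration on the constructed sample: prints "sshd initrc_tmp_t".
avc_puppet_tmp_symptom "$SAMPLE_AVC"
```

On a real host, feed `ausearch -m avc` output through `avc_puppet_tmp_symptom` line by line and run `check_agent_binary 7` (or `6`) after the RPM is installed; a non-"ok" result means the agent will keep running in initrc_t or unconfined_service_t and keep creating tmp files with the wrong label. Because `chcon` is undone by a relabel, as Thomas notes, the lasting form of his fix is to record the type with `semanage fcontext -a -t <type> <path>` and then apply it with `restorecon -v <path>`.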