Hi folks,
I'm running Puppetserver 1.1.3 on CentOS 7 quite happily. I've just
started using check_jvm[1] with Nagios to monitor the vital signs of
Puppetserver. As you'd expect, SELinux initially stamped all over this
so I did the usual and used audit2allow to generate a policy:
[jg4461@puppet-prod ~]$ sudo cat /var/log/audit/audit.log | grep java | audit2allow
#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t unconfined_service_t:process signull;
unconfined_service_t? Seems a bit odd, but it's true:
[jg4461@puppet-prod ~]$ ps -eZ | grep java
system_u:system_r:unconfined_service_t:s0 1677 ? 04:12:24 java
system_u:system_r:unconfined_service_t:s0 1692 ? 4-09:46:49 java
I'm quite happy with SELinux but I'm a real n00b at Java. Can anyone
explain how I can set the context of PuppetServer and PuppetDB
(that's the other Java process on my system) so the PuppetServer process
is confined in a more sensible type that I can actually audit safely? I
don't want to let unconfined_service_t have permissions on my system.
Thanks,
Jonathan
[1] https://exchange.nagios.org/directory/Plugins/Java-Applications-and-Servers/Apache-Tomcat/check_jvm/details
--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
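Added example, not part of the original post: a POSIX shell check that parses `ps -eZ` style output and lists every process whose SELinux type is unconfined_service_t (or any type given as an argument), so the reach of an audit2allow rule that targets that domain is visible before the rule is loaded. The `ps -eZ` text below is constructed sample input, and the function names are this example's own.

```shell
#!/bin/sh
# Audit SELinux process labels for services running in a given domain.
# Input is the format of `ps -eZ`: LABEL PID TTY TIME CMD, one process per line.

# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:04 systemd
system_u:system_r:unconfined_service_t:s0 1677 ?        04:12:24 java
system_u:system_r:unconfined_service_t:s0 1692 ?        4-09:46:49 java
system_u:system_r:httpd_t:s0             2201 ?        00:01:12 httpd'

# find_in_domain [TYPE]
# Reads `ps -eZ` text on stdin and prints "<pid> <type> <cmd>" for each
# process whose SELinux type equals TYPE (default: unconfined_service_t).
# The label is user:role:type:level, so the type is the third colon field;
# an MLS level such as s0-s0:c0.c1023 adds fields after it and is ignored.
find_in_domain() {
    want="${1:-unconfined_service_t}"
    awk -v want="$want" 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == want) print $2, ctx[3], $NF
    }'
}

# count_in_domain PS_TEXT [TYPE]
# Prints the number of matching processes in PS_TEXT (0 when none).
count_in_domain() {
    printf '%s\n' "$1" | find_in_domain "$2" | awk 'END { print NR }'
}

# check_no_unconfined PS_TEXT
# Nagios-style status: exit 0 (OK) when no process runs in
# unconfined_service_t, exit 2 (CRITICAL) and list the offenders otherwise.
check_no_unconfined() {
    if [ "$(count_in_domain "$1" unconfined_service_t)" -eq 0 ]; then
        echo "OK: no processes in unconfined_service_t"
        return 0
    fi
    echo "CRITICAL: processes running in unconfined_service_t:"
    printf '%s\n' "$1" | find_in_domain unconfined_service_t
    return 2
}

# Live use on a host: check_no_unconfined "$(ps -eZ)"
```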