Bug 1012360

Summary: Puppet agent starts in incorrect domain
Product: [Fedora] Fedora
Reporter: Lukas Zapletal <lzap>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Keywords: Reopened
Doc Type: Bug Fix
Last Closed: 2013-09-26 13:09:23 UTC
Type: Bug

Description Lukas Zapletal 2013-09-26 10:49:07 UTC
Description of problem:

In the latest Fedora there are new wrappers for starting Ruby applications. Due to this, puppet agent is starting in an incorrect domain. I expect it to start in puppet_t?

Version-Release number of selected component (if applicable):

[root@hp-dl585g5-01 foreman]# rpm -q selinux-policy mod_passenger puppet
selinux-policy-3.12.1-74.4.fc19.noarch
mod_passenger-3.0.21-4.fc19.x86_64
puppet-3.1.1-7.fc19.noarch

Fedora 19, fully updated

Reproduce:

1. Fedora 19 updated
2. systemctl start puppetagent
3. ps axu -Z | grep agent

system_u:system_r:initrc_t:s0   root     31363  2.9  0.5 245000 45228 ?        Ssl  06:42   0:00 /usr/bin/ruby-mri /usr/bin/puppet agent
system_u:system_r:initrc_t:s0   root     31367 14.6  0.6 400768 49360 ?        Sl   06:42   0:01 puppet agent: applying configuration   

If puppet agent was never confined, please close. I am not sure.

Comment 1 Lukas Zapletal 2013-09-26 10:54:22 UTC
It really looks like you have confined puppet agent.

Can you please add a boolean to turn this on and off? Once you re-enable it, you can expect lots of complaints about things being denied. This is because the agent is doing what people define in their manifests. It can be anything that the Ruby binary can do.

Comment 2 Lukas Zapletal 2013-09-26 10:59:23 UTC
Closing, agent was never confined. Sorry about that.

Comment 3 Miroslav Grepl 2013-09-26 11:15:52 UTC
This is a bug. If you see initrc_t (init_t in F20+) then it means there is a service without SELinux policy.
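
Added example (not part of the bug report or of any comment in it): a shell filter that applies the rule from Comment 3 to `ps axu -Z` output and lists processes still running in initrc_t or init_t. The function names `find_unlabeled_services` and `sample_ps_output` are hypothetical; the sample reuses the two process lines from the description, and the header, PID 1 and sshd lines are constructed. It assumes PID 1 (the init process) itself legitimately runs in init_t.

```shell
#!/bin/sh
# Input format: `ps axu -Z` lines:
# LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...

find_unlabeled_services() {
    awk '
        $1 == "LABEL" { next }          # skip the header line
        {
            # Context is user:role:type:level; the level may contain more colons.
            n = split($1, ctx, ":")
            if (n < 4) next             # no SELinux context (e.g. "-")
            type = ctx[3]
            if (type != "initrc_t" && type != "init_t") next
            if ($3 == 1) next           # assumption: PID 1 itself belongs in init_t
            cmd = $12
            for (i = 13; i <= NF; i++) cmd = cmd " " $i
            printf "%s\t%s\t%s\n", $3, type, cmd
        }
    '
}

# Sample input: puppet lines from the report, other lines constructed.
sample_ps_output() {
    cat <<'EOF'
LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t:s0     root         1  0.0  0.1  52000  4000 ?        Ss   06:00   0:01 /usr/lib/systemd/systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 812  0.0  0.1  80000  3000 ?      Ss   06:00   0:00 /usr/sbin/sshd -D
system_u:system_r:initrc_t:s0   root     31363  2.9  0.5 245000 45228 ?        Ssl  06:42   0:00 /usr/bin/ruby-mri /usr/bin/puppet agent
system_u:system_r:initrc_t:s0   root     31367 14.6  0.6 400768 49360 ?        Sl   06:42   0:01 puppet agent: applying configuration
EOF
}

# On a live system: ps axu -Z | find_unlabeled_services
sample_ps_output | find_unlabeled_services
```

Each output line is PID, SELinux type and command, separated by tabs; every hit is a candidate for a missing or non-matching policy module.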

Comment 4 Miroslav Grepl 2013-09-26 13:09:23 UTC

*** This bug has been marked as a duplicate of bug 1012426 ***