Bug 1012426

| Field | Value |
|---|---|
| Summary | Combine puppet_t and puppetmaster_t domains |
| Product | Fedora |
| Component | selinux-policy |
| Version | 20 |
| Status | CLOSED ERRATA |
| Reporter | Lukas Zapletal <lzap> |
| Assignee | Lukas Vrabec <lvrabec> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dcleal, dominick.grift, dwalsh, jpazdziora, lvrabec, mastahnke, mgrepl, skottler |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Fixed In Version | selinux-policy-3.12.1-153.fc20 |
| Last Closed | 2014-04-20 01:24:31 UTC |
Description (Lukas Zapletal, 2013-09-26 12:57:56 UTC)
Ok, I agree that we could merge puppet_t and puppetmaster_t together. Then

    ExecStart=/usr/bin/puppet agent
    ExecStart=/usr/bin/puppet master

is a problem. We don't label /usr/bin/puppet, so we have the default bin_t label. It means you will end up with the initrc_t/init_t domain. We cannot label /usr/bin/puppet because it is an agent, as you said. So we will need to have a helper script (which will have the puppetmaster_exec_t label) to end up with puppetmaster_t.

*** Bug 1012360 has been marked as a duplicate of this bug. ***

I'm the primary Puppet maintainer in Fedora and I think this plan is a good one to be able to untwist the policy, which has been lagging pretty far behind the actual state of the upstream (and even the packages) for a long time. Ideally puppet_t will go away, leaving just puppetmaster_t since that's the only domain that's actually needed right now.

One additional point - ewoud from the Foreman team noted that the puppet service was renamed to puppetagent in Fedora 19+ (not F17+). We are able to help you with this testing, because we see many issues with Puppet and SELinux (users are reporting to us) and this would be great to improve. Also, soon we will need this to be resolved for our Satellite product.

Created attachment 809758 [details]
Patch against fedpkg puppet
Sam,
I am attaching patch for puppet fedora package which introduces wrappers. I have decided to name them start-puppet-COMMAND because if we do puppet-COMMAND then shell completion will work weird for "puppet". Start is screwed up already, that is fine I guess.
Please review and if you can merge that into F19 as well that would be awesome.
In the next step, I would like to make first changes into the core puppet policy and get that reviewed by Foreman community. We need decent testing before we decide to merge this.
My goal would be to get the change into RHEL6 and Fedora 19+ core policies, of course having that backward compatible.
So now we can add labeling for %{_bindir}/start-puppet-master and merge these domains. Should we end up with puppetmaster_t or puppet_t? I'd prefer puppet_t since the agent will have the label, too.

Why would the agent need a label? It will run unconfined; the agent must not be confined. That is one of the points of this refactoring. I find puppet_t misleading since we are not confining puppet at all, we are confining puppetmaster and puppetca. Everything else should live unconfined. For this reason I suggest merging all puppet_t stuff into puppetmaster_t. Opinions?

Right, the agent shouldn't be confined because the point of the agent is to be able to make changes to the whole system. The master will just run under puppet_t. I'm going to commit lzap's patch to rawhide and then we can move forward with the labeling changes. Thanks again for all of your work on this.

The change is now in rawhide. I'm going to leave this as ASSIGNED since there's a dependent policy change.

I am going to work on it these days.

Any update on where this stands? I'm happy to work on the policy itself or any changes that we need to make to Puppet itself to get the master working properly in enforcing mode.

Mirek, please make sure the policy contains:

    # For memory-statistics and agent which executes /bin/ps (#3465)
    domain_read_all_domains_state(passenger_t)

More info: http://projects.theforeman.org/issues/3465

    commit 7b89fe1a561dd68be9ba4a35bb37bc03a1dc30cf
    Author: Miroslav Grepl <mgrepl>
    Date:   Wed Apr 9 10:42:40 2014 +0200

        Back port puppet fixes from rawhide

selinux-policy-3.12.1-153.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20

Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).

selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Related puppet update: https://admin.fedoraproject.org/updates/puppet-3.4.3-3.fc20
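The labeling scheme argued out above (leave /usr/bin/puppet as bin_t so the agent stays unconfined, give the start-puppet-master wrapper its own entry-point type so init transitions the master into puppetmaster_t) and the passenger_t line requested for the /bin/ps memory statistics, written out as the refpolicy fragments they correspond to. This is an added illustration, not the bug's attached patch or the shipped Fedora selinux-policy module: the module name puppet_wrapper is assumed, and the fragment presumes puppetmaster_t, puppetmaster_exec_t and passenger_t already exist in the base policy (hence the gen_require block); init_daemon_domain and domain_read_all_domains_state are the standard refpolicy interfaces.

```selinux
# --- file contexts (.fc fragment, illustrative) ---
# Only the wrapper gets an entry-point type. /usr/bin/puppet is deliberately
# left at the default bin_t so the agent keeps running unconfined.
/usr/bin/start-puppet-master    --    gen_context(system_u:object_r:puppetmaster_exec_t,s0)

# --- type enforcement (.te fragment, illustrative) ---
policy_module(puppet_wrapper, 1.0)   # assumed module name

gen_require(`
	type puppetmaster_t, puppetmaster_exec_t;
	type passenger_t;
')

# Makes puppetmaster_exec_t an entry point for puppetmaster_t and adds the
# init_t/initrc_t -> puppetmaster_t domain transition. With ExecStart pointing
# at a bin_t file there is no such rule, which is why the service would have
# stayed in initrc_t/init_t.
init_daemon_domain(puppetmaster_t, puppetmaster_exec_t)

# The master running under Passenger executes /bin/ps for memory statistics,
# which needs read access to /proc/<pid> state of every domain (Foreman #3465).
domain_read_all_domains_state(passenger_t)
```

After loading the module and relabeling, `matchpathcon /usr/bin/start-puppet-master` should report puppetmaster_exec_t, and `sesearch -T -s init_t -t puppetmaster_exec_t -c process` (setools) should show the type_transition to puppetmaster_t; the master's process label can then be confirmed with `ps -eZ`.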