| Summary: | Lots of SELinux denials for puppet agent | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Priority: | low |
| Version: | rawhide | CC: | dominick.grift, dwalsh, lzap, mgrepl |
| Hardware: | All | OS: | Linux |
| Keywords: | Reopened | Doc Type: | Bug Fix |
| Last Closed: | 2011-11-13 21:37:08 UTC | | |

Dan added fixes to Rawhide.

Created attachment 533151
puppet denials
Still seeing lots with selinux-policy-3.10.0-55.1.fc17.noarch

Try it with selinux-policy-3.10.0-57.fc17

Created attachment 533578
puppet denials
Still lots of them.
selinux-policy-3.10.0-57.fc17.noarch

The question here is - do we want to confine puppet agent? Puppet agent does all the configuration on the machines. It is doing things as root. The policy needs to be quite open then. Maybe very permissive with only disabling unwanted things like accessing low-level API or devices?

puppet_t is a very permissive domain. The problem here is how it is invoked now. Let's discuss it in the #1012360 bug.

Created attachment 532684
puppet denials

Description of problem:
Denials from puppet-agent. puppet_manage_all_files is off.

Version-Release number of selected component (if applicable):
puppet-2.6.12-1.fc17.noarch
selinux-policy-3.10.0-55.1.fc17.noarch