Bug 752578

Summary: Lots of SELinux denials for puppet agent
Product: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Reporter: Orion Poplawski <orion>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, lzap, mgrepl
Keywords: Reopened
Target Milestone: ---
Target Release: ---
Doc Type: Bug Fix
Last Closed: 2011-11-13 21:37:08 UTC
Attachments (Description / Flags):
- puppet denials / none
- puppet denials / none
- puppet denials / none

Description Orion Poplawski 2011-11-09 22:08:18 UTC
Created attachment 532684: puppet denials

Description of problem:

Denials from puppet-agent. puppet_manage_all_files is off.

Version-Release number of selected component (if applicable):
puppet-2.6.12-1.fc17.noarch
selinux-policy-3.10.0-55.1.fc17.noarch

Comment 1 Miroslav Grepl 2011-11-10 07:10:50 UTC
Dan added fixes to Rawhide.

Comment 2 Orion Poplawski 2011-11-11 19:08:43 UTC
Created attachment 533151: puppet denials

Still seeing lots with selinux-policy-3.10.0-55.1.fc17.noarch.

Comment 3 Miroslav Grepl 2011-11-13 21:37:08 UTC
Try it with selinux-policy-3.10.0-57.fc17.

Comment 4 Orion Poplawski 2011-11-14 17:18:26 UTC
Created attachment 533578: puppet denials

Still lots of them.

selinux-policy-3.10.0-57.fc17.noarch

Comment 5 Lukas Zapletal 2013-09-26 10:50:40 UTC
The question here is - do we want to confine puppet agent? Puppet agent does all the configuration on the machines. It is doing things as root. The policy needs to be quite open then. Maybe very permissive with only disabling unwanted things like accessing low-level API or devices?

Comment 6 Miroslav Grepl 2013-09-26 11:12:03 UTC
puppet_t is a very permissive domain. The problem here is how it is invoked now. Let's discuss it in bug #1012360.
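The discussion in comments 5 and 6 turns on what a permissive puppet_t domain is still denied, and whether any of it is the low-level device access that should stay blocked. The following is an added example, not code from the bug or its attachments: a small POSIX sh/awk triage script that takes raw AVC lines (here a constructed sample, not the reporter's data), keeps only those whose source context is puppet_t, and tallies them by target type, object class and permission so a policy maintainer can see at a glance which denials are file-management noise and which touch devices.

```shell
#!/bin/sh
# Constructed sample AVC lines for demonstration; not taken from the bug's attachments.
SAMPLE_AVC='type=AVC msg=audit(1320876498.123:456): avc:  denied  { read } for  pid=1234 comm="puppet" name="passwd" dev=sda1 ino=1 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1320876498.124:457): avc:  denied  { write } for  pid=1234 comm="puppet" name="sshd_config" dev=sda1 ino=2 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1320876498.125:458): avc:  denied  { write } for  pid=1234 comm="puppet" name="motd" dev=sda1 ino=3 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1320876498.126:459): avc:  denied  { read } for  pid=1234 comm="puppet" name="mem" dev=devtmpfs ino=4 scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file
type=AVC msg=audit(1320876498.127:460): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev=sda1 ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# summarize_puppet_avc: read AVC lines on stdin, keep those whose source domain is
# puppet_t, and count them by target type, object class and permission.
# Output: one line per distinct "<count> <ttype> <tclass> <perm>", highest count first.
summarize_puppet_avc() {
  awk '
    /avc: +denied/ && /scontext=[^ ]*:puppet_t:/ {
      perm = ""; ttype = ""; tclass = ""
      # the permission set is the text between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      count[ttype " " tclass " " perm]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# flag_device_access: succeed (exit 0) if any puppet_t denial targeted a device node
# (chr_file or blk_file), the kind of access comment 5 suggests should stay blocked
# even in a deliberately open domain.
flag_device_access() {
  summarize_puppet_avc | awk '$3 == "chr_file" || $3 == "blk_file" { found = 1 }
                              END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_puppet_avc
```

On a real host the same functions can be fed from the audit log with `ausearch -m AVC -c puppet --raw | summarize_puppet_avc`.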