Red Hat Bugzilla – Bug 1012360
Puppet agent starts in incorrect domain
Last modified: 2013-09-26 09:09:23 EDT
Description of problem:
In the latest Fedora there are new wrappers for starting Ruby applications. Due to this, the puppet agent is starting in an incorrect domain. I expect it to start in puppet_t?
Version-Release number of selected component (if applicable):
[root@hp-dl585g5-01 foreman]# rpm -q selinux-policy mod_passenger puppet
Fedora 19, fully updated
1. Fedora 19 updated
2. systemctl start puppetagent
3. ps axu -Z | grep agent
system_u:system_r:initrc_t:s0 root 31363 2.9 0.5 245000 45228 ? Ssl 06:42 0:00 /usr/bin/ruby-mri /usr/bin/puppet agent
system_u:system_r:initrc_t:s0 root 31367 14.6 0.6 400768 49360 ? Sl 06:42 0:01 puppet agent: applying configuration
If puppet agent was never confined, please close. I am not sure.
It really looks like you have confined puppet agent.
Can you please add a boolean to turn this on and off? Once you re-enable it, you can expect lots of complaints about things being denied. This is because the agent is doing what people define in their manifests. It can be anything that the Ruby binary can do.
Closing, agent was never confined. Sorry about that.
This is a bug. If you see initrc_t (init_t in F20+) then it means there is a service without SELinux policy.
*** This bug has been marked as a duplicate of bug 1012426 ***