Hide Forgot
Description of problem: In latest Fedora there are new wrappers for starting Ruby applications. Due to this, puppet agent is starting in incorrect domain. I expect it to start in puppet_t? Version-Release number of selected component (if applicable): [root@hp-dl585g5-01 foreman]# rpm -q selinux-policy mod_passenger puppet selinux-policy-3.12.1-74.4.fc19.noarch mod_passenger-3.0.21-4.fc19.x86_64 puppet-3.1.1-7.fc19.noarch Fedora 19, fully updated Reproduce: 1. Fedora 19 updated 2. systemctl start puppetagent 3. ps axu -Z | grep agent system_u:system_r:initrc_t:s0 root 31363 2.9 0.5 245000 45228 ? Ssl 06:42 0:00 /usr/bin/ruby-mri /usr/bin/puppet agent system_u:system_r:initrc_t:s0 root 31367 14.6 0.6 400768 49360 ? Sl 06:42 0:01 puppet agent: applying configuration If puppet agent was never confined, please close. I am not sure.
It really looks like you have confined puppet agent. Can you please add a boolean to turn this on and off? Once you will re-enabled, you can expect lots of complaints about things being denied. This is because agent is doing what people define in their manifests. It can be anything that Ruby binary can do.
Closing, agent was never confined. Sorry about that.
This is a bug. If you see initrc_t (init_t in F20+) then it means there is a service without SELinux policy.
*** This bug has been marked as a duplicate of bug 1012426 ***