Bug 1012360 - Puppet agent starts in incorrect domain
Status: CLOSED DUPLICATE of bug 1012426
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2013-09-26 06:49 EDT by Lukas Zapletal
Modified: 2013-09-26 09:09 EDT

Doc Type: Bug Fix
Last Closed: 2013-09-26 09:09:23 EDT
Type: Bug


Description Lukas Zapletal 2013-09-26 06:49:07 EDT
Description of problem:

In the latest Fedora there are new wrappers for starting Ruby applications. Due to this, the puppet agent is starting in an incorrect domain. I expect it to start in puppet_t?

Version-Release number of selected component (if applicable):

[root@hp-dl585g5-01 foreman]# rpm -q selinux-policy mod_passenger puppet
selinux-policy-3.12.1-74.4.fc19.noarch
mod_passenger-3.0.21-4.fc19.x86_64
puppet-3.1.1-7.fc19.noarch

Fedora 19, fully updated

Reproduce:

1. Fedora 19 updated
2. systemctl start puppetagent
3. ps axu -Z | grep agent

system_u:system_r:initrc_t:s0   root     31363  2.9  0.5 245000 45228 ?        Ssl  06:42   0:00 /usr/bin/ruby-mri /usr/bin/puppet agent
system_u:system_r:initrc_t:s0   root     31367 14.6  0.6 400768 49360 ?        Sl   06:42   0:01 puppet agent: applying configuration   

If puppet agent was never confined, please close. I am not sure.
Comment 1 Lukas Zapletal 2013-09-26 06:54:22 EDT
It really looks like you have confined puppet agent.

Can you please add a boolean to turn this on and off? Once you re-enable it, you can expect lots of complaints about things being denied. This is because the agent is doing what people define in their manifests. It can be anything that the Ruby binary can do.
Comment 2 Lukas Zapletal 2013-09-26 06:59:23 EDT
Closing, agent was never confined. Sorry about that.
Comment 3 Miroslav Grepl 2013-09-26 07:15:52 EDT
This is a bug. If you see initrc_t (init_t in F20+) then it means there is a service without SELinux policy.
Comment 4 Miroslav Grepl 2013-09-26 09:09:23 EDT

*** This bug has been marked as a duplicate of bug 1012426 ***
