Description of problem:
One of the features of cobbler 2.0.11 is puppet integration. Now cobbler can manage (sign & remove) puppet certificates automatically. This is done by running the executable mentioned in the puppetca_path setting, the default being /usr/sbin/puppetca. Because puppetca is run inside cobbler's domain, it won't work because of SELinux denials.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-40.fc14.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Configure cobbler to use these settings:
   puppet_auto_setup: 1
   sign_puppet_certs_automatically: 1
   puppetca_path: "/usr/sbin/puppetca"
   remove_old_puppet_certs_automatically: 1
2. Install a machine using cobbler.

Actual results:
SELinux denials.

Expected results:
puppetca should run without any SELinux denials.

Additional info:
Fedora and EPEL provide an old version of puppet. The latest version (2.6) uses git style subcommands, i.e. "puppet cert". "puppetca" is still provided, but it's obsolete. dgrift is helping me to write a policy, so I might attach a proposal in a couple of days.
We will probably end up allowing cobblerd_t to run puppetca or puppet cert in the cobblerd_t domain (either corecmd_exec_bin or puppet_exec_puppetca), because although we can confine puppetca, we have not yet determined whether it makes sense to confine it. Besides that, it will probably not be a good idea to confine the puppet command, which will be used in newer versions to sign systems (puppet cert). So this report is a little premature.
Could you attach AVC msgs which you are getting? But I believe we will agree with Dominic to make it working with cobblerd_t domain.
It will take some time to dig through the logs in order to get them, but I'll try. I'll also add the current custom policy.
Created attachment 498258: mycobbler.te
Credit goes to dgrift.
Created attachment 498259: mypuppet.te
Credit goes to dgrift. You will also need to run: chcon -t puppetca_exec_t /usr/sbin/puppetca
I guess we can implement a boolean like "cobbler_can_sign_with_puppetca" or something along those lines, then add the policy specific to cobblerca to the boolean block. The AVC denials are coming soon. We're de-installing our policy, resetting and running it in permissive mode to collect them.
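The two design points raised above, running puppetca without a domain transition (comment 3) and gating that access behind a boolean (comment 8), can be combined in one small policy module. The module below is an added illustration written for this thread, not the mycobbler.te/mypuppet.te attachments and not the policy that eventually shipped in selinux-policy-3.9.7-46.fc14. It assumes that cobblerd_t and puppetca_exec_t are already defined (by the base policy or by mypuppet.te, which the chcon command in comment 7 implies), that the boolean name is the one suggested in comment 8, and that the reference policy macros policy_module, gen_require, gen_tunable, tunable_policy and can_exec are available in the build environment.

```selinux
# mycobbler_puppetca.te (added example, not part of the bug's attachments)
policy_module(mycobbler_puppetca, 1.0)

gen_require(`
	# assumed to exist: cobblerd_t from the cobbler module,
	# puppetca_exec_t from the puppet module (or from mypuppet.te)
	type cobblerd_t;
	type puppetca_exec_t;
')

## <desc>
## <p>
## Allow cobblerd to sign and remove puppet certificates by running
## puppetca (or "puppet cert") in its own domain.
## </p>
## </desc>
# Boolean name taken from comment 8; default off so the extra access
# is only granted on hosts that actually use cobbler's puppet integration.
gen_tunable(cobbler_can_sign_with_puppetca, false)

tunable_policy(`cobbler_can_sign_with_puppetca',`
	# Execute puppetca in cobblerd_t without a domain transition, as
	# comment 3 proposes. can_exec() grants only execute-type file
	# permissions on the labeled binary; the certificate-directory
	# access puppetca needs at runtime is not covered here and should
	# be added from the collected AVC denials rather than guessed.
	can_exec(cobblerd_t, puppetca_exec_t)
')
```

With the boolean left at its default, the module grants nothing extra, so loading it on a host that does not use cobbler's puppet integration is a no-op. On a host that does, the administrator enables it persistently with setsebool -P cobbler_can_sign_with_puppetca on, and the puppetca binary must carry the puppetca_exec_t label (the chcon line in comment 7) for the rule to match. Because the file and directory permissions puppetca itself needs are deliberately left out, the first runs should still be checked in permissive mode and the remaining denials added explicitly, which keeps the boolean block minimal and reviewable.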
Created attachment 498269: ausearch --start 14:39:55 --end 14:49:19

getenforce -> Permissive
No custom modules.

Wed May 11 14:39:55 EEST 2011  start daemons
Wed May 11 14:41:12 EEST 2011  cobbler sync
Wed May 11 14:41:32 EEST 2011  KVM VM network install
Wed May 11 14:49:19 EEST 2011  the end
I forgot to mention that all testing was done with puppet-server-2.6.8-0.1.rc1.fc14.noarch which is not available in Fedora's repositories yet, only in tmz's repositories.
I would think we should add policy for puppetca.
Created attachment 498491: patch proposal for puppetca
Enclosed is a patch proposal. It has some controversial policy though. Comments welcome.
Dominic, I like the puppetca stuff, but the execute stuff I think should be replaced with access_check.
I need to backport all F15, F16 puppet changes to F14.
Fixed in selinux-policy-3.9.7-46.fc14
selinux-policy-3.9.7-46.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-46.fc14
Package selinux-policy-3.9.7-46.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.7-46.fc14'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14734
then log in and leave karma (feedback).
selinux-policy-3.9.7-46.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.