Created attachment 532684 puppet denials

Description of problem:
Denials from puppet-agent. puppet_manage_all_files is off.

Version-Release number of selected component (if applicable):
puppet-2.6.12-1.fc17.noarch
selinux-policy-3.10.0-55.1.fc17.noarch
Dan added fixes to Rawhide.
Created attachment 533151 puppet denials

Still seeing lots with selinux-policy-3.10.0-55.1.fc17.noarch
Try it with selinux-policy-3.10.0-57.fc17
Created attachment 533578 puppet denials

Still lots of them. selinux-policy-3.10.0-57.fc17.noarch
The question here is: do we want to confine the puppet agent? The puppet agent does all the configuration on the machines. It is doing things as root. The policy needs to be quite open then. Maybe very permissive, disabling only unwanted things like accessing low-level APIs or devices?
puppet_t is a very permissive domain. The problem here is how it is invoked now. Let's discuss it in the #1012360 bug.