
Bug 679234

Summary: sec-policy/selinux-puppet changes required to work properly
Product: Gentoo Linux
Reporter: Fredrik Eriksson <gentoo>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: custom-puppet.fc, custom-puppet.te

Description Fredrik Eriksson 2019-03-02 12:45:10 UTC
Trying to run puppet in an selinux environment (I've tested it with the mcs policy) failed because of multiple issues. I've created a minimal custom puppet policy to use in addition to the provided module, which contains file contexts and policy rules that work around these issues.

* the puppet wrapper.sh (used to start puppet) has wrong file context
* init script has wrong file context (although I'm not sure if it's needed)
* the puppet log directory created by the init script has wrong file context
* the puppet-provided "virt-what-cpuid-helper"-script has wrong file context
* init script is not allowed to check for, and create, puppet log directory
* openrc is not allowed to transit to puppet_t context

In addition to this, the audit log fills up with lots of attempts by puppet to access stuff, and I'm not sure how much of it is needed. In my policy I have also allowed puppet to read dac and change its own gid.

Reproducible: Always
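The report says the audit log fills with puppet denials and that it is unclear how many of them need to be allowed. Before turning denials into policy, a practitioner groups them by source type, target type and object class and reviews each group; the following is an added example of that triage step, not the reporter's attached policy or any Gentoo code. The audit lines are constructed to resemble the denials the report describes; `puppet_t` comes from the report, while `initrc_t`, `var_log_t`, the pids and the inode numbers are assumed sample values. The rendered `allow` lines are candidates to review (and, where a wrong file context is the real cause, to replace with a context fix), not rules to load as-is.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the bug report's actual log).
# Only puppet_t is taken from the report; the other types are assumed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1551530710.101:201): avc:  denied  { dac_read_search } for  pid=4120 comm="puppet" capability=2  scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1551530710.102:202): avc:  denied  { setgid } for  pid=4120 comm="puppet" capability=6  scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1551530711.500:203): avc:  denied  { search } for  pid=4100 comm="openrc-run.sh" name="puppet" dev="sda2" ino=9912 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1551530711.501:204): avc:  denied  { create } for  pid=4100 comm="openrc-run.sh" name="puppet" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1551530711.501:204): arch=c000003e syscall=83 success=no exit=-13 comm="openrc-run.sh"
"""

# Matches the AVC denial record format written by the kernel's audit subsystem.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial line.

    SYSCALL records and other non-AVC lines are skipped.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = frozenset(m.group("perms").split())
        yield (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            perms,
        )


def summarize_denials(text):
    """Group denials by (source type, target type, class).

    Returns {key: {"perms": set_of_permissions, "count": number_of_records}},
    so the reviewer can see both what was denied and how noisy each group is.
    """
    summary = defaultdict(lambda: {"perms": set(), "count": 0})
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        entry = summary[(stype, ttype, tclass)]
        entry["perms"].update(perms)
        entry["count"] += 1
    return dict(summary)


def candidate_rules(summary):
    """Render each group as a candidate allow rule in the shape audit2allow emits.

    A source type accessing its own type is written as 'self', as policy sources do.
    """
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {stype} {target}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    grouped = summarize_denials(SAMPLE_AUDIT_LOG)
    for key, entry in sorted(grouped.items()):
        print(f"{key[0]} -> {key[1]}:{key[2]}  x{entry['count']}  {sorted(entry['perms'])}")
    print()
    print("\n".join(candidate_rules(grouped)))
```

Run against the constructed log, the script separates the two concerns the report lists: the `puppet_t` capability denials (`dac_read_search`, `setgid`, matching the "read dac" and gid change the reporter allowed) and the init script's failure to search and create the log directory, which a file-context fix on that directory may resolve without any new allow rule.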
Comment 1 Fredrik Eriksson 2019-03-02 12:46:23 UTC
Created attachment 567426: custom-puppet.fc
Comment 2 Fredrik Eriksson 2019-03-02 12:46:48 UTC
Created attachment 567428: custom-puppet.te