Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 679234

Summary: sec-policy/selinux-puppet changes required to work properly
Product: Gentoo Linux Reporter: Fredrik Eriksson <gentoo>
Component: SELinuxAssignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED ---    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Attachments: custom-puppet.fc

Description Fredrik Eriksson 2019-03-02 12:45:10 UTC
Trying to run puppet in an selinux environment (I've tested in with mcs policy) failed because of multiple issues. I've create a minimal custom puppet policy to use in addition to the provided module which contains file contexts and policy rules that works around these issues. 

* the puppet (used to start puppet) has wrong file context
* init script has wrong file context (although I'm not sure if it's needed)
* the puppet log directory created by the init script has wrong file context
* the puppet-provided "virt-what-cpuid-helper"-script has wrong file context
* init script is not allowed to check for, and create, puppet log directory
* openrc is not allowed to transit to puppet_t context

In addition to this the audit log fills up with lots of attempts of puppet to access stuff, and I'm not sure how much of it is needed. In my policy I have also allowed puppet to read dac and change its own gid.

Reproducible: Always
Comment 1 Fredrik Eriksson 2019-03-02 12:46:23 UTC
Created attachment 567426 [details]
Comment 2 Fredrik Eriksson 2019-03-02 12:46:48 UTC
Created attachment 567428 [details]