Feature #2820
closed
Improve SELinux policy for puppet
Added by Lukas Zapletal almost 11 years ago.
Updated over 5 years ago.
Description
Thanks to the PassengerRuby feature in Passenger 4.0, it is possible to set up a different Ruby binary for each Ruby application. We need to create /usr/bin/ruby-foreman and /usr/bin/ruby-puppetmaster with proper SELinux contexts and configure them in httpd.
For Foreman we will move from passenger_t to a newly created foreman_t domain and change our policy. For puppetmaster we will reuse the puppetmaster_t domain, which is already present in the base policy (and already works with puppetmaster/webrick).
We can use this from Fedora 20 (Passenger 4.0). In Fedora 19 we cannot apply this approach, as it ships version 3.0, and in RHEL 6.4 passenger_t already has puppetmaster rules. As a workaround for F19, we will temporarily allow passenger_t to do puppetmaster stuff.
Or the workaround for F19 can be:
B) Use Passenger 4.0 from our Koji.
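The wrapper-and-vhost setup the description sketches, written out as an added example (this is not code from the Foreman project or from this issue): a POSIX shell script that generates the per-application Ruby wrappers, records and applies their file contexts, and emits the Passenger vhost fragment that pins PassengerRuby to each wrapper. The entrypoint type names foreman_exec_t and puppetmaster_exec_t, the interpreter path, the document roots and the ports are assumptions the issue does not state; the domain-transition rules that make httpd enter foreman_t and puppetmaster_t on exec of those labels are policy-module work and are not produced by the script.

```shell
#!/bin/sh
# Added example (not from the Foreman project or this issue): per-application
# Ruby wrappers so Passenger 4.0's per-vhost PassengerRuby can start Foreman
# and the puppetmaster under separate SELinux domains.
# Assumptions, not stated on the page: foreman_exec_t and puppetmaster_exec_t
# are the entrypoint types for foreman_t / puppetmaster_t, and the real
# interpreter lives at $RUBY. The domain-transition rules themselves belong in
# the policy module and are not created here.
RUBY=${RUBY:-/usr/bin/ruby}

# Text of one wrapper. It does nothing but re-exec the real interpreter with
# the same arguments; what matters is the label on the wrapper file, because
# that is the file the kernel sees at exec time when it decides the transition.
wrapper_body() {
    printf '#!/bin/sh\n# SELinux entrypoint wrapper for %s (generated)\nexec %s "$@"\n' "$1" "$RUBY"
}

# Minimal Passenger vhost fragment that pins the interpreter for one app.
# Before 4.0 PassengerRuby was a server-wide setting, which is why the
# description requires Passenger 4.0 for this approach. TLS directives are
# omitted from this minimal fragment.
vhost_fragment() {
    app=$1; docroot=$2; port=$3
    cat <<EOF
<VirtualHost *:$port>
    DocumentRoot $docroot/public
    PassengerRuby /usr/bin/ruby-$app
    PassengerAppRoot $docroot
    <Directory $docroot/public>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Write the wrapper, record its file context so a relabel keeps it, apply it.
install_wrapper() {
    app=$1; exec_type=$2; path=/usr/bin/ruby-$app
    wrapper_body "$app" > "$path"
    chmod 0755 "$path"
    semanage fcontext -a -t "$exec_type" "$path"
    restorecon -v "$path"
}

# Check that the label actually landed on the file; a mislabelled wrapper
# keeps the application running under passenger_t, which is exactly the
# AVC-denial situation this issue is about.
check_label() {
    ls -Z "/usr/bin/ruby-$1" | grep -q "$2"
}

# Only touch the system when invoked as:  sh wrappers.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    install_wrapper foreman foreman_exec_t
    install_wrapper puppetmaster puppetmaster_exec_t
    check_label foreman foreman_exec_t || echo "foreman wrapper mislabelled" >&2
    check_label puppetmaster puppetmaster_exec_t || echo "puppetmaster wrapper mislabelled" >&2
    # Save these fragments under httpd's conf.d (paths assumed) and restart httpd.
    vhost_fragment foreman /usr/share/foreman 443
    vhost_fragment puppetmaster /usr/share/puppet/rack/puppetmasterd 8140
fi
```

Without the `apply` argument the script only defines the functions, so it can be sourced to inspect the generated wrapper and vhost text before anything is labelled. `semanage fcontext -a` fails if a rule for the path already exists; re-runs on a host that was labelled earlier should use `-m` instead.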
- Description updated (diff)
- Target version changed from 1.3.0 to 1.4.0
With this feature, we should also split our selinux package into two: TF and PM because we want to use PM separately on nodes.
- Related to Bug #3080: Installing puppetmaster with passenger without foreman causes AVC denials added
Lukas Zapletal wrote:
With this feature, we should also split our selinux package into two: TF and PM because we want to use PM separately on nodes.
I disagree, the PM policy is already in the base OS policy (both passenger and puppetmaster domains). This will simply allow us to exclusively use the puppetmaster domain.
- Target version deleted (1.4.0)
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
- Target version set to 1.15.0
- Release set to 2
- Has duplicate Bug #3470: Improve SELinux policy for puppet added
- Subject changed from Create wrappers for Foreman and PM with selinux context to Improve SELinux policy for puppet
- Related to Feature #3503: As a user I'd like to have SELinux Enforcing on all infrastructure, and agents added
- Target version changed from 1.15.0 to 1.10.0
- Target version changed from 1.10.0 to 1.9.3
- Target version changed from 1.9.3 to 1.9.2
- Assignee changed from Lukas Zapletal to Sam Kottler
I've already had a few discussions related to this so I'm going to finish it up.
- Release deleted (2)
- Target version changed from 1.9.2 to 1.9.1
- Assignee changed from Sam Kottler to Lukas Zapletal
- Target version changed from 1.9.1 to 1.9.0
- Target version changed from 1.9.0 to 1.8.4
- Status changed from Assigned to Resolved
- Project changed from Foreman to SELinux
- Category deleted (56)
- Target version deleted (1.8.4)