On 27/08/14 20:00, Joshua Partlow wrote:
> Hi everyone,
>
> There is a PR for Puppet to address difficulties setting security
> contexts in SELinux for specific puppet subcommands
> (https://github.com/puppetlabs/puppet/pull/2997). The contributor (Lukáš
> Zapletal) originally was looking to add additional wrapper scripts
> around subcommands so that a puppet_exec_t could be set for these files.
> There is general concern about the confusion caused by reintroducing
> separate commands, and Dominic Cleal suggested making use of Ruby's
> SELinux bindings (specifically Puppet::Util::SELinux.setcon in Puppet)
> to instead handle the context switch internally.
If taking this approach, I think there are two important points.

1. the context switch should be made as soon as possible, to minimise the window when running unconfined. In particular I think we should avoid reading in config files at this stage, if that's possible. It looks like the Puppet::Util::CommandLine code isn't going to load configs yet, so changing context within here (e.g. ApplicationSubcommand) or perhaps inside Puppet::Application is possible.

2. names of SELinux domains are most likely governed by the distribution rather than the Puppet project, as at least in Fedora and EL, an SELinux policy for Puppet is shipped as part of the base targeted policy and not as part of Puppet. This means that Puppet should probably ship with a sane suggestion of SELinux domains to transition to (e.g. the master application runs in the puppetmaster_t domain), but packagers may want to be able to override it relatively easily - perhaps this is a patch, but perhaps something more like a config file containing a lookup table would be easier to maintain.

Cheers,

-- 
Dominic Cleal
Red Hat Engineering

-- 
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/53FEEFD7.8000806%40redhat.com.
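The approach sketched in the reply above (an in-process context switch done before any configuration is read, driven by a lookup table that ships with a sane default but can be overridden by the packager), as an added Ruby example that is not Puppet's code and not the PR's code. The domain names, the "subcommand = domain_t" file format, the module and function names, and the behaviour of the libselinux Ruby binding (getcon returning [rc, context], setcon returning 0 on success) are all assumptions made for the illustration; the sample override table is constructed inline.

```ruby
# Added illustration, not Puppet's or the PR's code: a subcommand -> SELinux
# domain lookup table with a packager-overridable config file, and an
# in-process context switch done before any configuration is loaded.
# Domain names and the config-file format below are assumptions.
require 'stringio'

module SelinuxTransition
  # Suggested defaults shipped with the application; the distribution's
  # policy, not the project, decides the real domain names (assumed here).
  DEFAULT_DOMAINS = {
    'master' => 'puppetmaster_t',
    'agent'  => 'puppet_t',
  }.freeze

  # Parse "subcommand = domain_t" lines; '#' comments and blank lines ignored.
  # Only accept plausible SELinux type names so a typo in the override file
  # can never become a setcon() argument.
  def self.parse_table(io)
    table = {}
    io.each_line do |raw|
      line = raw.sub(/#.*/, '').strip
      next if line.empty?
      key, value = line.split('=', 2).map { |s| s.strip }
      if key.nil? || key.empty? || value.nil? || value.empty?
        raise ArgumentError, "malformed lookup line: #{raw.strip.inspect}"
      end
      unless value =~ /\A[a-z0-9_]+_t\z/
        raise ArgumentError, "#{value.inspect} is not an SELinux type name"
      end
      table[key] = value
    end
    table
  end

  # Effective table: defaults overlaid by the packager's file, if present.
  def self.domain_table(override_path)
    table = DEFAULT_DOMAINS.dup
    if override_path && File.readable?(override_path)
      File.open(override_path) { |f| table.merge!(parse_table(f)) }
    end
    table
  end

  # Swap the type field of a "user:role:type[:range]" context string.
  def self.target_context(current, type)
    parts = current.split(':', 4)
    raise ArgumentError, "malformed context #{current.inspect}" if parts.size < 3
    parts[2] = type
    parts.join(':')
  end

  # Context to switch to for this subcommand, or nil when no switch is needed
  # (unknown subcommand, or the process already runs in the target domain).
  def self.plan(subcommand, current_context, table)
    type = table[subcommand]
    return nil if type.nil?
    target = target_context(current_context, type)
    target == current_context ? nil : target
  end

  # Do the switch as early as possible, before config files are read.
  # Assumes the libselinux Ruby binding (require 'selinux'), where getcon
  # returns [rc, context] and setcon returns 0 on success. setcon() is a
  # dynamic transition: it only succeeds if policy allows the current domain
  # to dyntransition to the target, so the return value must be checked.
  def self.transition!(subcommand, override_path = nil)
    begin
      require 'selinux'
    rescue LoadError
      return :no_bindings
    end
    return :disabled unless Selinux.is_selinux_enabled == 1
    rc, current = Selinux.getcon
    return :getcon_failed unless rc == 0
    target = plan(subcommand, current, domain_table(override_path))
    return :no_transition if target.nil?
    Selinux.setcon(target) == 0 ? :transitioned : :setcon_failed
  end
end

if __FILE__ == $0
  # Constructed packager override, fed from memory instead of a file.
  override = StringIO.new("# distro policy names\nmaster = my_puppetmaster_t\nca = puppetca_t\n")
  table = SelinuxTransition::DEFAULT_DOMAINS.merge(SelinuxTransition.parse_table(override))
  current = 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
  puts SelinuxTransition.plan('master', current, table)  # unconfined_u:unconfined_r:my_puppetmaster_t:s0-s0:c0.c1023
  puts SelinuxTransition.transition!('master').inspect
end
```

Two caveats worth keeping in mind with this shape: setcon() is a dynamic transition rather than the exec-time transition a puppet_exec_t entrypoint gives, so the distribution's policy must explicitly allow the unconfined (or whatever starting) domain to dyntransition into each target domain, and a failed setcon() should be treated as an error rather than silently continuing unconfined; and validating the override file's values before use matters, since the file is the one input here that a packager (or anyone who can write to it) controls.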