Hi all, I just wanted to point out that Adrien brought up some interesting comments in the ticket for this discussion. So that response gets more exposure, I wanted to post it here:
>From Adrien Thebo: I've reviewed PR 3627 and the puppet-dev mailing list thread, and I think that this issue could use more discussion before we start merging things. First off, it doesn't seem like a lot of other projects have to deal with this concern. Is this because the executable itself has a context set and the process itself doesn't need to know about the context? Secondly, how will this impact the JVM? Since (AFAIK) the JVM runs as a single process with multiple services running in that process, is it even possible to switch the SELinux context without breaking everything else inside of the JVM? And now for more implementation oriented questions: SELinux domains What domains do we need for Puppet + SELinux? What resources do they need access to? Configuration via environment variables The current pull request uses the following environment variables: - NO_PUPPET_SELINUX_DTRANS - PUPPET_SELINUX_MASTER_DOMAIN - PUPPET_SELINUX_CA_DOMAIN Right now Puppet doesn't use ENV for configuration; it has a few trivial things like looking at 'PATH' and 'HOME' but doesn't read values out in order to configure itself. Using the environment to configure the SELinux context means that we have a new configuration mechanism that will not be documented along with other settings. Using environment variables for configuration means that if different values are needed, they won't "stick" - there's no way to always apply these settings without modifying init scripts or /etc/profile or the like. This leads into... Environment variables vs configuration via a file Dominic Cleal indicated that we should change the SELinux context before we read any configuration files, which makes us need an alternate method of configuring SELinux, which the reason of running unconfined for as little time as possible. Why? Doing so makes it more challenging to handle configuration. Is it really that risky to run unconfined until we can read a config file to get SELinux settings? If we do run unconfined long enough to read a config file, what are the potential ramifications of running unconfined for this period? Switching contexts for packaged installs vs gem installs It was proposed that we don't switch SELinux contexts if Puppet was installed via a gem or run from source. This seems really challenging to implement. Switching contexts for different users If I'm developing on Puppet and standing up a test master as my own user, I really don't want SELinux turning itself on. How can we prevent this? Opt-out vs opt-in The current approach takes an opt-out approach to SELinux; if it's opt-in we avoid the issue of switching contexts for packaged installs vs gem installs. Is this a viable option? Default values for SELinux domains It was mentioned that we can isolate the default values for SELinux domains to an isolated file so that downstream vendors can just patch that file; I think this is a great idea. It seems a lot simpler than using environment variables. On Tuesday, September 9, 2014 at 8:03:11 AM UTC-7, Lukáš Zapletal wrote: > > Hello, > > I filed a pull request with a draft code which is alighed with what > Dominic proposed: > > https://github.com/puppetlabs/puppet/pull/2997 > > It does not introduce any new global command line parameters because I > think it's an overkill. There are three env. variables which can be used to > tune this up, but I think this would be rare cases. > > LZ > > On Wednesday, August 27, 2014 9:00:49 PM UTC+2, Joshua Partlow wrote: >> >> Hi everyone, >> >> There is a PR for Puppet to address difficulties setting security >> contexts in SELinux for specific puppet subcommands ( >> https://github.com/puppetlabs/puppet/pull/2997). The contributer (Lukáš >> Zapletal) originally was looking to add additional wrapper scripts around >> subcommands so that a puppet_exec_t could be set for these files. There is >> general concern about the confusion caused by reintroducing separate >> commands, and Dominic Cleal suggested making use of Ruby's SELinux bindings >> (specifically Puppet::Util::SELinux.setcon in Puppet) to instead handle the >> context switch internally. >> >> Talking this over during the triage today, this seems like a reasonable >> approach, but we're lacking SELinux experience, and were wondering if there >> were additional Puppet/SELinux users out there who might weigh in on this? >> >> thanks, >> Josh >> >> -- >> Josh Partlow >> jpar...@puppetlabs.com >> Developer, Puppet Labs >> >> Join us at PuppetConf 2014, September 20-24 in San Francisco >> Register by September 8th to take advantage of the Final Countdown —save >> $149! >> > -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/05f2cdd3-437f-4179-89f4-3224c756443d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.