On Thursday, 24 March 2016 at 14:31:01 UTC+1, jcbollinger wrote:
>
> On Thursday, March 24, 2016 at 4:16:17 AM UTC-5, Thomas Müller wrote:
>>
>> Hi
>>
>> Does Puppet Enterprise support running puppet agent selinux confined?
>>
>> It seems that at least EL6 and EL7 provide types, but pe-agent does not 
>> appear to use them, as it is started in initrc_t (EL6) or 
>> unconfined_service_t (EL7).
>>
>> I can't find documentation about this topic on docs.puppetlabs.com.
>>
>> The problem with SELinux policy enforced is (at least on EL6) that some 
>> AVC denials get logged when puppet tries to manage confined services (like 
>> sshd), because puppet creates temp files with the wrong context 
>> (initrc_tmp_t instead of puppet_tmp_t).
>>
>
> I am uncertain whether PE provides a knob by which you can cause agents to 
> run constrained, but of course there's nothing inherently preventing you 
> from making that happen one way or another.  But what policy will you then 
> enforce?
>

It's not about enforcing a policy on puppet. It's about the interaction with 
other services running confined. If puppet runs in initrc_t it will create 
some files with contexts not accessible by confined services, whereas if 
the process runs as puppet_t it already has lots of access rules defined.

- Thomas
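
As an added example, not code from this thread or from Puppet: a small POSIX shell script that applies the checks Thomas describes to `ps -eZ` and `ls -Z` output, reporting which SELinux domain the agent process runs in and listing temp files typed initrc_tmp_t (which confined services such as sshd_t cannot read). The process and file listings are constructed sample output, not captured from a host; the type names are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet.
# Parses SELinux contexts as printed by `ps -eZ` (LABEL PID TTY TIME CMD) and
# `ls -Z` on EL7 (LABEL NAME) to check which domain the puppet agent runs in
# and to find temp files whose type confined services such as sshd_t cannot read.
# The listings below are constructed sample output, not captured from a host;
# the type names (initrc_t, puppet_t, initrc_tmp_t, puppet_tmp_t) are those
# discussed in the thread.

SAMPLE_PS='system_u:system_r:initrc_t:s0 1234 ? 00:00:03 puppet
system_u:system_r:sshd_t:s0-s0:c0.c1023 987 ? 00:00:00 sshd'

SAMPLE_LS='system_u:object_r:initrc_tmp_t:s0 puppet-file20160324-1
system_u:object_r:puppet_tmp_t:s0 puppet-file20160324-2'

# Type component of a context: user:role:type:level -> type
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Domains of all processes whose CMD field matches the awk pattern in $2.
agent_domains() {
    printf '%s\n' "$1" | awk -v pat="$2" '$5 ~ pat { print $1 }' |
        while IFS= read -r ctx; do
            context_type "$ctx"
        done
}

# Succeeds only if at least one process matches $2 and all of them run in $3.
agent_confined() {
    domains=$(agent_domains "$1" "$2")
    [ -n "$domains" ] || return 1
    for d in $domains; do
        [ "$d" = "$3" ] || return 1
    done
    return 0
}

# Names of files from `ls -Z`-style output whose type is $2.
files_with_type() {
    printf '%s\n' "$1" | while read -r ctx name; do
        if [ "$(context_type "$ctx")" = "$2" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Report on the constructed sample: the agent runs in initrc_t, not puppet_t,
# and one temp file carries initrc_tmp_t.
if agent_confined "$SAMPLE_PS" puppet puppet_t; then
    echo "puppet agent runs confined as puppet_t"
else
    echo "puppet agent runs as: $(agent_domains "$SAMPLE_PS" puppet)"
fi
echo "temp files typed initrc_tmp_t:"
files_with_type "$SAMPLE_LS" initrc_tmp_t
```

On a real host, feed the functions the output of `ps -eZ` and of `ls -Z` on the temp directory the agent writes to; if the agent's domain comes back as initrc_t or unconfined_service_t, files listed with initrc_tmp_t are the ones that will produce the AVC denials when a confined service touches them.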
