Bug#987255: puppet: needs an extra systemd config line to use the right SE Linux context

2021-04-20 Thread Russell Coker
Package: puppet
Version: 5.5.22-2
Severity: normal
Tags: patch upstream

# ps axZ|grep pupp
system_u:system_r:initrc_t:s0  1603 ?        Ss     0:00 /usr/bin/ruby /usr/bin/puppet agent

Because the same program /usr/bin/puppet is used for starting the agent and the
master we can't get the correct SE Linux domain via an automatic domain
transition.  So puppet ends up in initrc_t which is not the desired domain.

[Service]
SELinuxContext=system_u:system_r:puppet_t:s0

If the above is put in /lib/systemd/system/puppet.service then systemd will
assign the correct context if SE Linux is active and it will ignore it if SE
Linux is not active.  There is no downside to this for people who don't use SE
Linux, but it is a benefit for those who do.

Currently SE Linux users need to run "systemctl edit puppet.service" to put an
override for this.

system_u:system_r:puppet_t:s0  1683 ?        Ss     0:00 /usr/bin/ruby /usr/bin/puppet agent

The above is the desired result in the output of "ps axZ".

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages puppet depends on:
ii  adduser              3.118
ii  facter               3.14.12-1+b2
ii  hiera                3.2.0-2.1
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  ruby                 1:2.7+2
ii  ruby-augeas          1:0.5.0-3+b8
ii  ruby-deep-merge      1.1.1-1
ii  ruby-shadow          2.5.0-1+b4

Versions of packages puppet recommends:
pn  debconf-utils
ii  lsb-release    11.1.0
pn  ruby-selinux

Versions of packages puppet suggests:
pn  ruby-hocon  
pn  ruby-rrd

-- no debconf information
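
An added example, not part of the original report or of the puppet package: a shell sketch that writes the override the report describes and checks "ps axZ" output for the agent's SELinux type. The function names, the override.conf file name and the drop-in directory argument are assumptions made for illustration; the two sample lines are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: write the drop-in from the report and verify the agent's domain.
WANT_TYPE="puppet_t"   # type named in the report's SELinuxContext= line

# Write the override that "systemctl edit puppet.service" would create.
# $1 = systemd unit directory (normally /etc/systemd/system).
write_dropin() {
    dir="$1/puppet.service.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nSELinuxContext=system_u:system_r:%s:s0\n' "$WANT_TYPE" \
        > "$dir/override.conf"
}

# Read "ps axZ" output on stdin and print the SELinux type of every
# "puppet agent" process. Context format is user:role:type:level.
agent_types() {
    awk '/\/usr\/bin\/puppet agent/ { split($1, c, ":"); print c[3] }'
}

# Return 0 if every agent runs in WANT_TYPE, 1 on a mismatch, 2 if none found.
check_agent_domain() {
    types=$(agent_types)
    [ -n "$types" ] || { echo "no puppet agent process found" >&2; return 2; }
    for t in $types; do
        if [ "$t" != "$WANT_TYPE" ]; then
            echo "puppet agent runs in $t, expected $WANT_TYPE" >&2
            return 1
        fi
    done
    return 0
}

# The two "ps axZ" lines quoted in the report (wrapped lines joined).
BEFORE='system_u:system_r:initrc_t:s0  1603 ? Ss 0:00 /usr/bin/ruby /usr/bin/puppet agent'
AFTER='system_u:system_r:puppet_t:s0  1683 ? Ss 0:00 /usr/bin/ruby /usr/bin/puppet agent'
printf '%s\n' "$BEFORE" | check_agent_domain || true
printf '%s\n' "$AFTER" | check_agent_domain && echo "agent is in $WANT_TYPE"

# On a live host (as root; not run here):
#   write_dropin /etc/systemd/system
#   systemctl daemon-reload && systemctl restart puppet.service
#   ps axZ | check_agent_domain
```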




2022-10-01 Thread Jérôme Charaoui

Control: notfound 987255 7.16.0-2
Control: reassign 987255 src:puppet

Hello,

With Puppet 7.x and later, the server and agent binaries are not the
same anymore.

Thus, this problem only affects the 5.x series when using the deprecated
puppet-master, and this patch is obsolete.


-- Jerome




2022-08-31 Thread Antoine Beaupré
Control: reassign 987255 src:puppet-agent
Control: affects 987255 src:puppet
Control: found 987255 7.16.0-2

Hi!

You tagged this bug as "upstream" and "patch", is there an upstream bug
report (and fix) about this?

Or is it just the matter of adding the SELinux line to the .service
file?

We don't ship our own systemd unit in the Debian package, and instead
rely on the upstream here:

ext/systemd/puppet.service

I would rather avoid patching that if we can afford it...

a.

-- 
To understand how any society functions you must understand the
relationship between the men and the women
- Angela Davis




2022-09-09 Thread Antoine Beaupré
On 2022-09-09 20:10:36, Russell Coker wrote:
> On Thursday, 1 September 2022 00:45:32 AEST Antoine Beaupré wrote:
>> Control: reassign 987255 src:puppet-agent
>> Control: affects 987255 src:puppet
>> Control: found 987255 7.16.0-2
>> 
>> Hi!
>> 
>> You tagged this bug as "upstream" and "patch", is there an upstream bug
>> report (and fix) about this?
>
> Patch because I supplied the line needed and upstream because the issue 
> originated upstream.  Sorry no upstream patch.

Have you considered forwarding this upstream, or do you expect us to?

-- 
The desire to sacrifice an entire lifetime to the noblest of ideals
serves no purpose if one works alone.
- Che Guevara