Feature #2820
closed
Improve SELinux policy for puppet
Description
Thank to PassengerRuby feature in Passenger 4.0, it is possible to setup different Ruby binary for each Ruby application. We need to create /usr/bin/ruby-foreman and ruby-puppetmaster with proper selinux contexts and configure this in httpd.
For Foreman we will move from passenger_t to newly created foreman_t domain and change our policy. For puppetmaster we will reuse puppetmaster_t domain which is already present in the base policy (and works with puppetmaster/webrick already).
We can use this from Fedora 20 (passenger 4.0). In Fedora 19 we cannot apply this approach as there is 3.0 version and in RHEL 6.4 passenger_t already have puppetmaster rules. As a workaround for F19, we will temporarily allow passenger_t to do puppetmaster stuff.
Updated by Lukas Zapletal over 10 years ago
Or the workaround for F19 can be:
B) Use passenger 4.0 from our Koji.
Updated by Dominic Cleal over 10 years ago
Updated by Lukas Zapletal over 10 years ago
- Description updated (diff)
- Target version changed from 1.3.0 to 1.4.0
With this feature, we should also split our selinux package into two: TF and PM because we want to use PM separately on nodes.
Updated by Lukas Zapletal over 10 years ago
- Related to Bug #3080: Installing puppetmaster with passenger without foreman causes AVC denials added
Updated by Dominic Cleal over 10 years ago
Lukas Zapletal wrote:
With this feature, we should also split our selinux package into two: TF and PM because we want to use PM separately on nodes.
I disagree, the PM policy is already in the base OS policy (both passenger and puppetmaster domains). This will simply allow us to exclusively use the puppetmaster domain.
Updated by
Updated by Dominic Cleal over 10 years ago
- Status changed from New to Assigned
- Assignee set to Lukas Zapletal
- Target version set to 1.15.0
- translation missing: en.field_release set to 2
Even more info: https://bugzilla.redhat.com/show_bug.cgi?id=1012426
Updated by Dominic Cleal over 10 years ago
- Has duplicate Bug #3470: Improve SELinux policy for puppet added
Updated by Lukas Zapletal over 10 years ago
- Subject changed from Create wrappers for Foreman and PM with selinux context to Improve SELinux policy for puppet
- Create wrappers for Foreman and PM with selinux context
- Audit core selinux policy
- Rewrite the policy
More info here: https://bugzilla.redhat.com/show_bug.cgi?id=1012426
Updated by Lukas Zapletal over 10 years ago
- Related to Feature #3503: As a user I'd like to have SELinux Enforcing on all infrastructure, and agents added
Updated by Lukas Zapletal over 10 years ago
- Target version changed from 1.15.0 to 1.10.0
Updated by Dominic Cleal over 10 years ago
- Target version changed from 1.10.0 to 1.9.3
Updated by Anonymous over 10 years ago
- Target version changed from 1.9.3 to 1.9.2
Updated by Sam Kottler over 10 years ago
- Assignee changed from Lukas Zapletal to Sam Kottler
I've already had a few discussions related to this so I'm going to finish it up.
Updated by Dominic Cleal over 10 years ago
- translation missing: en.field_release deleted (
2)
Updated by Dominic Cleal about 10 years ago
- Target version changed from 1.9.2 to 1.9.1
Updated by Dominic Cleal about 10 years ago
- Assignee changed from Sam Kottler to Lukas Zapletal
Updated by Anonymous about 10 years ago
- Target version changed from 1.9.1 to 1.9.0
Updated by Anonymous about 10 years ago
- Target version changed from 1.9.0 to 1.8.4
Updated by Lukas Zapletal about 10 years ago
- Status changed from Assigned to Resolved
Updated by Tomer Brisker over 5 years ago
- Project changed from Foreman to SELinux
- Category deleted (
56) - Target version deleted (
1.8.4)