On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
> On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
>> Could you please open a new bug with updated paths.
>
> If it was just a matter of changing paths, I wouldn't have
> bothered with the email :).
>
> What used to be puppetd is now run as "puppet agent", and what
> used to be run as puppetmasterd is now run as "puppet master".
> There are a bunch of other options too.
>
> This could, I guess, be fixed by having wrapper scripts to get
> to the old functions, but the systemd config does, in fact, do
> it the new way: ExecStart=/usr/bin/puppet master
>
> I have no idea, at all, how to handle this properly.
Well if we want to get separation between the master and the agent
we will either need different entrypoints into the domain
(Scripts). Or we will need to build SELinux knowledge into
puppet.
Another solution would be to just make puppet into a single (very
powerful domain). One thing we have talked about with puppet was
to make i easy to extend puppetd policy to allow it to manage
certain domains. puppetd_t would be an unconfined domain but if
you disabled the unconfined module then you would use a tool like
sepolicy generate to generate policy modules for the domains
puppetd_t will be administrating.
Making puppet into a one giant super domain would be by far the
easiest, since it would also cover things like "puppet apply", where
puppet is used to run a puppet script file.
What's the right way for me to present a patch for this? Is there a
github or something for the current policy?
-Robin