On 08/03/2013 04:26 AM, Robin Lee Powell wrote:
> On Wed, Jul 31, 2013 at 10:57:31AM -0700, Robin Lee Powell wrote:
> > On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
> >> On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
> >>> On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
> >>>> Could you please open a new bug with updated paths.
> >>>
> >>> If it was just a matter of changing paths, I wouldn't have bothered
> >>> with the email :).
> >>>
> >>> What used to be puppetd is now run as "puppet agent", and what used
> >>> to be run as puppetmasterd is now run as "puppet master". There are a
> >>> bunch of other options too.
> >>>
> >>> This could, I guess, be fixed by having wrapper scripts to get to the
> >>> old functions, but the systemd config does, in fact, do it the new
> >>> way: ExecStart=/usr/bin/puppet master
> >>>
> >>> I have no idea, at all, how to handle this properly.
> >>
> >> Well, if we want to get separation between the master and the agent we
> >> will either need different entrypoints into the domain (scripts), or
> >> we will need to build SELinux knowledge into puppet.
> >>
> >> Another solution would be to just make puppet into a single (very
> >> powerful) domain. One thing we have talked about with puppet was to
> >> make it easy to extend puppetd policy to allow it to manage certain
> >> domains. puppetd_t would be an unconfined domain, but if you disabled
> >> the unconfined module then you would use a tool like sepolicy generate
> >> to generate policy modules for the domains puppetd_t will be
> >> administrating.
> >
> > Making puppet into one giant super domain would be by far the easiest,
> > since it would also cover things like "puppet apply", where puppet is
> > used to run a puppet script file.
> >
> > What's the right way for me to present a patch for this? Is there a
> > github or something for the current policy?
>
> Help, please. Are there any docs on how to submit policy patches?
>
> -Robin
If we just change the label on /usr/bin/puppet to puppetmaster_exec_t, what happens?
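The question above ("what happens?") is easiest to answer by trying the relabel and then looking at which domain each running puppet subcommand actually lands in. The script below is an added example for that check; it is not code from the thread or from the reference policy. It assumes `ps -eo label,pid,args` output (the header line plus one process per line) and uses two constructed samples: one where `puppet master` and `puppet agent` both run as puppetmaster_t, which is what a single puppetmaster_exec_t entrypoint would give, and one where the agent runs in a separate domain, named puppetd_t here only because that is the name used in the thread, not as a claim about the shipped policy. It reports what is running; it does not predict transitions, so a `puppet apply` started from an admin shell still has to be checked the same way.

```shell
#!/bin/sh
# Added example, not from the original thread.
# After relabelling, e.g.
#   semanage fcontext -a -t puppetmaster_exec_t /usr/bin/puppet
#   restorecon -v /usr/bin/puppet
#   systemctl restart puppetmaster puppet
# feed live process data in with:
#   ps -eo label,pid,args | puppet_domains

# Constructed sample of `ps -eo label,pid,args` output: one shared
# entrypoint, so both subcommands transitioned into puppetmaster_t.
SHARED_SAMPLE='LABEL                               PID ARGS
system_u:system_r:puppetmaster_t:s0   1201 /usr/bin/ruby /usr/bin/puppet master --no-daemonize
system_u:system_r:puppetmaster_t:s0   1342 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 grep puppet'

# Constructed sample where the agent got its own domain (puppetd_t is an
# assumed name taken from the discussion above).
SEPARATE_SAMPLE='LABEL                               PID ARGS
system_u:system_r:puppetmaster_t:s0   1201 /usr/bin/ruby /usr/bin/puppet master --no-daemonize
system_u:system_r:puppetd_t:s0        1342 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize'

# Read `ps -eo label,pid,args` output on stdin and print one
# "<puppet subcommand> <SELinux type>" line per puppet process.
# The args start at field 3; puppet is a ruby script, so look for the
# first arg that ends in "puppet" and take the word after it.
puppet_domains() {
    awk '
        NR == 1 { next }                          # skip the header line
        {
            for (i = 3; i < NF; i++) {
                if ($i ~ /(^|\/)puppet$/) {
                    split($1, ctx, ":")          # user:role:type:range
                    print $(i + 1), ctx[3]
                    break
                }
            }
        }'
}

# Exit 0 if no two puppet subcommands share a domain, 1 otherwise.
domains_separated() {
    puppet_domains | awk '
        seen[$2] && seen[$2] != $1 { dup = 1 }
        { seen[$2] = $1 }
        END { exit (dup ? 1 : 0) }'
}

# Stand-alone demo on the constructed samples.
echo "shared entrypoint:"
printf '%s\n' "$SHARED_SAMPLE" | puppet_domains
if printf '%s\n' "$SHARED_SAMPLE" | domains_separated; then
    echo "  master and agent are in separate domains"
else
    echo "  master and agent share a domain"
fi

echo "separate domains:"
printf '%s\n' "$SEPARATE_SAMPLE" | puppet_domains
if printf '%s\n' "$SEPARATE_SAMPLE" | domains_separated; then
    echo "  master and agent are in separate domains"
else
    echo "  master and agent share a domain"
fi
```

The awk in `puppet_domains` takes the third colon-separated field of the label, so it works for both plain `s0` and MLS ranges such as `s0-s0:c0.c1023`. On a real host, an agent and a master both reporting puppetmaster_t after the relabel is exactly the "one powerful domain" outcome discussed above, just arrived at through the master's type rather than puppetd_t.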