Re: [selinux] Re: Puppet 3 troubles on F19


On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
> On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
>> Could you please open a new bug with updated paths.
> 
> If it was just a matter of changing paths, I wouldn't have bothered with
> the email :).
> 
> What used to be puppetd is now run as "puppet agent", and what used to be
> run as puppetmasterd is now run as "puppet master".  There are a bunch of
> other options too.
> 
> This could, I guess, be fixed by having wrapper scripts to get to the old
> functions, but the systemd config does, in fact, do it the new way:
> ExecStart=/usr/bin/puppet master
> 
> I have no idea, at all, how to handle this properly.
> 
> -Robin -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 

Well, if we want to get separation between the master and the agent, we will
either need different entrypoints into the domain (scripts), or we will need
to build SELinux knowledge into puppet.

Another solution would be to just make puppet into a single (very powerful)
domain.  One thing we have talked about with puppet was to make it easy to
extend puppetd policy to allow it to manage certain domains.  puppetd_t would
be an unconfined domain, but if you disabled the unconfined module then you
would use a tool like sepolicy generate to generate policy modules for the
domains puppetd_t will be administrating.

