On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
> > On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
> >> Could you please open a new bug with updated paths.
> >
> > If it was just a matter of changing paths, I wouldn't have
> > bothered with the email :).
> >
> > What used to be puppetd is now run as "puppet agent", and what
> > used to be run as puppetmasterd is now run as "puppet master".
> > There are a bunch of other options too.
> >
> > This could, I guess, be fixed by having wrapper scripts to get
> > to the old functions, but the systemd config does, in fact, do
> > it the new way: ExecStart=/usr/bin/puppet master
> >
> > I have no idea, at all, how to handle this properly.
>
> Well if we want to get separation between the master and the agent
> we will either need different entrypoints into the domain
> (Scripts). Or we will need to build SELinux knowledge into
> puppet.
>
> Another solution would be to just make puppet into a single (very
> powerful domain). One thing we have talked about with puppet was
> to make it easy to extend puppetd policy to allow it to manage
> certain domains. puppetd_t would be an unconfined domain but if
> you disabled the unconfined module then you would use a tool like
> sepolicy generate to generate policy modules for the domains
> puppetd_t will be administrating.

Making puppet into one giant super domain would be by far the
easiest, since it would also cover things like "puppet apply", where
puppet is used to run a puppet script file.

What's the right way for me to present a patch for this? Is there a
GitHub or something for the current policy?

-Robin

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux