On 08/03/2013 04:26 AM, Robin Lee Powell wrote:
> On Wed, Jul 31, 2013 at 10:57:31AM -0700, Robin Lee Powell wrote:
>> On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
>>> On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
>>>> On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
>>>>> Could you please open a new bug with updated paths.
>>>>
>>>> If it was just a matter of changing paths, I wouldn't have bothered
>>>> with the email :).
>>>>
>>>> What used to be puppetd is now run as "puppet agent", and what used
>>>> to be run as puppetmasterd is now run as "puppet master". There are a
>>>> bunch of other options too.
>>>>
>>>> This could, I guess, be fixed by having wrapper scripts to get to the
>>>> old functions, but the systemd config does, in fact, do it the new
>>>> way:
>>>>
>>>> ExecStart=/usr/bin/puppet master
>>>>
>>>> I have no idea, at all, how to handle this properly.
>>>
>>> Well if we want to get separation between the master and the agent we
>>> will either need different entrypoints into the domain (Scripts). Or
>>> we will need to build SELinux knowledge into puppet.
>>>
>>> Another solution would be to just make puppet into a single (very
>>> powerful domain). One thing we have talked about with puppet was to
>>> make it easy to extend puppetd policy to allow it to manage certain
>>> domains. puppetd_t would be an unconfined domain but if you disabled
>>> the unconfined module then you would use a tool like sepolicy generate
>>> to generate policy modules for the domains puppetd_t will be
>>> administrating.
>>
>> Making puppet into one giant super domain would be by far the easiest,
>> since it would also cover things like "puppet apply", where puppet is
>> used to run a puppet script file.
>>
>> What's the right way for me to present a patch for this? Is there a
>> github or something for the current policy?
>
> Help, please. Are there any docs on how to submit policy patches?
>
> -Robin
>

If we just change the label on /usr/bin/puppet to puppetmaster_exec_t what
happens?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux