[colug-432] Puppet + Subversion + SELinux

Scott Merrill skippy at skippy.net
Thu Feb 24 12:08:05 EST 2011


On Thu, Feb 24, 2011 at 11:59 AM, Joshua Kramer <josh at globalherald.net> wrote:
>
>> My questions are:
>> * is my policy too permissive?
>> * what alternatives might exist to this solution?
>> * are there any subtle gotchas that might cause trouble?
>
> It's been a while since I've dabbled in SELinux policy, and I don't know
> what Puppet is, but I have a question:  can you install Puppet in a
> non-standard place?  So, instead of putting its files in /etc/puppet, you
> might put the files in /opt/puppet/etc.

Puppet is a system configuration and management tool:
  http://www.puppetlabs.com/puppet/introduction/

We're using the RPMs from EPEL (http://fedoraproject.org/wiki/EPEL)
because we specifically want to minimize the number of products we
deploy from source.

Puppet can be configured to look in a directory other than /etc/puppet
for its various files; but I suspect that the SELinux context issue
will still arise. Indeed, I did try placing the files in
/usr/local/puppet, and setting the context on that directory to
httpd_sys_content_t so that the post-commit hook could write to it.
While the puppetmaster daemon started, the audit log reported a number
of denials:

type=AVC msg=audit(1298560236.944:186278): avc:  denied  { search }
for  pid=3254 comm="puppetmasterd" name="pki" dev=dm-0 ino=1703985
scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=system_u:object_r:cert_t:s0 tclass=dir

type=AVC msg=audit(1298560237.269:186279): avc:  denied  { getattr }
for  pid=3254 comm="puppetmasterd"
path="/usr/local/puppet/manifests/site.pp" dev=dm-0 ino=5224
scontext=unconfined_u:system_r:puppetmaster_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

I don't know enough about SELinux (or Puppet, frankly) to know how
serious those messages are to the successful operation of the Puppet
system.

> I hesitate to put anything requiring special SELinux permissions in a
> standard system location.  Having said that, I haven't spent enough time
> researching this, so it might be OK.

In general, I agree, although I suspect we'll have more and more of
this as we embrace RHEL6 and SELinux.

And even if this specific app makes it easy to relocate files to avoid
any SELinux problems, not all apps will be so flexible, so this is
something I think we're going to need to learn sooner rather than
later.
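
Added example, not part of the original message: a small parser that reads AVC denial records like the two quoted above and groups them by source type, target type and object class, so each denial can be reviewed as a candidate allow rule. The function names are illustrative, and the sample input is the two records from the message rejoined onto single lines.

```python
import re
from collections import defaultdict

# The two denials quoted in the message above, rejoined onto single lines.
SAMPLE = """\
type=AVC msg=audit(1298560236.944:186278): avc:  denied  { search } for  pid=3254 comm="puppetmasterd" name="pki" dev=dm-0 ino=1703985 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1298560237.269:186279): avc:  denied  { getattr } for  pid=3254 comm="puppetmasterd" path="/usr/local/puppet/manifests/site.pp" dev=dm-0 ino=5224 scontext=unconfined_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec.update(perms=m.group(1).split(), stype=src[2], ttype=tgt[2])
    return rec

def summarize(text):
    """Group denials by (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            rules[key].update(rec["perms"])
    return dict(rules)

def as_rules(rules):
    """Render each group in allow-rule syntax, for review before any loading."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

The second rule it prints is a direct result of the relabelling: puppetmaster_t is being denied access to a manifest that now carries httpd_sys_content_t.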


