[Pkg-puppet-devel] Bug#987254: puppet-master: needs an extra systemd config line to use the right SE Linux context

Russell Coker russell at coker.com.au
Tue Apr 20 14:05:56 BST 2021


Package: puppet-master
Version: 5.5.22-2
Severity: normal
Tags: patch upstream

# ps axZ|grep pupp
system_u:system_r:initrc_t:s0      1351 ?        Ssl    0:00 /usr/bin/ruby /usr/bin/puppet master

Because the same program /usr/bin/puppet is used for starting the agent and the
master we can't get the correct SE Linux domain via an automatic domain
transition.  So puppet ends up in initrc_t which is not the desired domain.

[Service]
SELinuxContext=system_u:system_r:puppetmaster_t:s0

If the above is put in /lib/systemd/system/puppet-master.service then systemd
will assign the correct context if SE Linux is active and it will ignore it if
SE Linux is not active.  There is no downside to this for people who don't use
SE Linux, but it is a benefit for those who do.

Currently SE Linux users need to run "systemctl edit puppet-master.service" to
put an override for this.

system_u:system_r:puppetmaster_t:s0 2668 ?       Ssl    0:00 /usr/bin/ruby /usr/bin/puppet master

The above is the desired result in the output of "ps axZ".

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages puppet-master depends on:
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  puppet               5.5.22-2
ii  ruby                 1:2.7+2

puppet-master recommends no packages.

puppet-master suggests no packages.

-- no debconf information
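The two ps lines above show the before and after states the report describes: a puppet master process stuck in the generic initrc_t domain versus one running in puppetmaster_t. The following shell snippet is an added example, not part of the bug report or the puppet-master package. It parses `ps axZ` style output to flag processes that did not land in the expected SELinux type, and writes the proposed SELinuxContext= drop-in the way `systemctl edit` would (function names, the selinux.conf file name and the third sample line are assumptions made for the example; the first two sample lines are the ones quoted in the report).

```sh
#!/bin/sh
# Added example (not from the bug report): check which SELinux type a
# service's processes run in, and generate the systemd drop-in that the
# report proposes. Input is parsed from `ps axZ` style lines on stdin.

# Constructed sample input. The puppet lines are the two quoted in the
# report; the sshd line is made up to show an unrelated process being ignored.
BEFORE_PS='system_u:system_r:initrc_t:s0      1351 ?        Ssl    0:00 /usr/bin/ruby /usr/bin/puppet master
system_u:system_r:sshd_t:s0-s0:c0.c1023 800 ?    Ss     0:00 /usr/sbin/sshd'
AFTER_PS='system_u:system_r:puppetmaster_t:s0 2668 ?       Ssl    0:00 /usr/bin/ruby /usr/bin/puppet master
system_u:system_r:sshd_t:s0-s0:c0.c1023 800 ?    Ss     0:00 /usr/sbin/sshd'

# Read `ps axZ` output on stdin and print "<pid> <type>" for every process
# whose line matches the regex in $1. The type is the third colon-separated
# field of the context (user:role:type:range).
process_types() {
    awk -v pat="$1" '
        $0 ~ pat {
            split($1, ctx, ":")
            print $2, ctx[3]
        }'
}

# Return 0 if every process matching $1 runs as type $2, else 1.
# A process left in initrc_t (the generic fallback for services started by
# init) means no domain transition happened, which is what the report shows.
check_domain() {
    bad=$(process_types "$1" | awk -v want="$2" '$2 != want')
    [ -z "$bad" ]
}

# Emit the drop-in body from the report. systemd applies SELinuxContext= only
# when SELinux is active, so the file is harmless elsewhere.
dropin_content() {
    printf '[Service]\nSELinuxContext=%s\n' "$1"
}

# Write the drop-in for unit $1 under root $2 (default /etc, where
# `systemctl edit` stores overrides) with context $3; prints the file path.
write_dropin() {
    root=${2:-/etc}
    dir="$root/systemd/system/$1.service.d"
    mkdir -p "$dir"
    dropin_content "$3" > "$dir/selinux.conf"
    printf '%s\n' "$dir/selinux.conf"
}
```

On a live system the check is `ps axZ | check_domain 'puppet master' puppetmaster_t`; a non-zero exit means at least one matching process is outside the expected domain, which is worth alerting on because a service in initrc_t is running unconfined by the policy written for it. After `write_dropin puppet-master /etc system_u:system_r:puppetmaster_t:s0` a `systemctl daemon-reload` and restart are still needed for the new context to take effect.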


