[Pkg-puppet-devel] Bug#987255: puppet: needs an extra systemd config line to use the right SE Linux context

Russell Coker russell at coker.com.au
Tue Apr 20 14:39:27 BST 2021


Package: puppet
Version: 5.5.22-2
Severity: normal
Tags: patch upstream

# ps axZ|grep pupp
system_u:system_r:initrc_t:s0      1603 ?        Ss     0:00 /usr/bin/ruby /usr/bin/puppet agent

Because the same program /usr/bin/puppet is used for starting the agent and the
master we can't get the correct SE Linux domain via an automatic domain
transition.  So puppet ends up in initrc_t which is not the desired domain.

[Service]
SELinuxContext=system_u:system_r:puppet_t:s0

If the above is put in /lib/systemd/system/puppet.service then systemd will
assign the correct context if SE Linux is active and it will ignore it if SE
Linux is not active.  There is no downside to this for people who don't use SE
Linux, but it is a benefit for those who do.

Currently SE Linux users need to run "systemctl edit puppet.service" to put an
override for this.

system_u:system_r:puppet_t:s0      1683 ?        Ss     0:00 /usr/bin/ruby /usr/bin/puppet agent

The above is the desired result in the output of "ps axZ".

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages puppet depends on:
ii  adduser              3.118
ii  facter               3.14.12-1+b2
ii  hiera                3.2.0-2.1
ii  init-system-helpers  1.60
ii  lsb-base             11.1.0
ii  ruby                 1:2.7+2
ii  ruby-augeas          1:0.5.0-3+b8
ii  ruby-deep-merge      1.1.1-1
ii  ruby-shadow          2.5.0-1+b4

Versions of packages puppet recommends:
pn  debconf-utils  <none>
ii  lsb-release    11.1.0
pn  ruby-selinux   <none>

Versions of packages puppet suggests:
pn  ruby-hocon  <none>
pn  ruby-rrd    <none>

-- no debconf information
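As an added example (not part of the bug report, and not Debian or Puppet code), a small POSIX shell script that checks which SELinux domain a puppet agent process is running in, using lines in the format of the "ps axZ" output above, and generates the drop-in that an SELinux user otherwise has to create with "systemctl edit puppet.service". The drop-in path used in the comments is the one systemctl edit writes by default; the check functions are my own naming.

```shell
#!/bin/sh
# Added example: report whether the puppet agent is confined in puppet_t
# (the desired domain) or has fallen back to initrc_t, and print the
# override that works around the missing SELinuxContext= line.

DESIRED_CONTEXT="system_u:system_r:puppet_t:s0"

# Third field of an SELinux context is the type:
# system_u:system_r:initrc_t:s0 -> initrc_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given one line of "ps axZ" output, print the SELinux type of that process.
# The context label is the first whitespace-separated field of each line.
ps_line_type() {
    context_type "$(printf '%s\n' "$1" | awk '{print $1}')"
}

# Exit 0 if the ps line shows a process confined in puppet_t,
# exit 1 for any other domain (initrc_t being the misconfigured case).
puppet_confined() {
    [ "$(ps_line_type "$1")" = "puppet_t" ]
}

# Body of the drop-in that "systemctl edit puppet.service" stores in
# /etc/systemd/system/puppet.service.d/override.conf. systemd applies
# SELinuxContext= only when SELinux is active, so it is harmless elsewhere.
drop_in_content() {
    printf '[Service]\nSELinuxContext=%s\n' "$DESIRED_CONTEXT"
}

# Live check on the local host: scan running puppet agents and report.
check_running_puppet() {
    ps axZ 2>/dev/null | grep '[p]uppet agent' | while read -r line; do
        if puppet_confined "$line"; then
            echo "OK: puppet agent runs in puppet_t"
        else
            echo "WARN: puppet agent runs in $(ps_line_type "$line"), expected puppet_t"
        fi
    done
}
```

Run check_running_puppet on an SELinux host to see the current domain; if it warns, drop_in_content gives the override text to install until the packaged unit carries the line itself.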
