You can use puppet to manage services (make sure they are running and in
the proper runlevel). What I emailed you worked for me.
exec_no_trans is required for rc-update

type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans }
for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033
scontext=system_u:system_r:puppet_t
tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file

I don't see selinux-puppet-2.20101213-r1 in the overlay.

-- Matthew Thode

On 7/11/11 7:17 AM, "Sven Vermeulen" <sven.vermeulen@××××××.be> wrote:

>On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
>> #============= puppet_t ==============
>> allow puppet_t initrc_notrans_exec_t:file execute;
>> allow puppet_t self:capability dac_read_search;
>
>These two I find a bit strange. When do you encounter the need for
>initrc_notrans_exec_t execute rights? I guess you're running rc-status or
>rc-update at that point? I can have it work using a puppet_t ->
>puppet_initrc_notrans_t -> puppet_t transition set (like we do for
>sysadm_t) but this is not something you can do with audit2allow, so if
>the above was sufficient to make things work...
>
>Also, the dac_read_search capability is something that allows a root user
>to read/search files, even if the owner of those files isn't root. In
>regular DAC, this is "normal" (root can do everything) but not always
>necessary. If you do not allow this, what happens then?
>
>My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
>want to test things out, you can subscribe to the overlay or put the
>necessary files in your own.
>
>[1]
>https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
>
>Wkr,
> Sven Vermeulen
>
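An added example, not part of the thread: it parses AVC denials like the one Matthew pasted into the allow rules audit2allow would emit, and flags the two permissions Sven questions (execute_no_trans and dac_read_search) as ones to review rather than grant blindly. The log text is constructed; the second, capability denial is assumed for illustration and matches the `dac_read_search` rule quoted above.

```python
import re

# Constructed sample log: the first line is the denial quoted in Matthew's mail,
# the second is a made-up capability denial matching the dac_read_search rule
# from the audit2allow output Sven quotes (CAP_DAC_READ_SEARCH is capability 2).
SAMPLE_LOG = """\
type=AVC msg=audit(1310333942.567:429): avc: denied { execute_no_trans } for pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
type=AVC msg=audit(1310333950.101:430): avc: denied { dac_read_search } for pid=31986 comm="puppetd" capability=2 scontext=system_u:system_r:puppet_t tcontext=system_u:system_r:puppet_t tclass=capability
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions audit2allow will happily grant but that deserve a second look
# (the two Sven questions in the thread).
REVIEW = {
    "execute_no_trans": "runs the target file inside the caller's own domain; "
                        "a dedicated transition domain keeps rc-update confined",
    "dac_read_search": "lets the domain bypass DAC read/search checks as root; "
                       "check whether the files could simply be made readable",
}

def parse_avc(line):
    """Return perms plus the key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def rules_for(log_text):
    """Merge denials into allow rules, each paired with its review notes."""
    merged = {}  # (source type, target type, class) -> set of permissions
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
        key = (src, "self" if tgt == src else tgt, d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, tclass), perms in merged.items():
        ps = sorted(perms)
        perm_expr = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        notes = [f"{p}: {REVIEW[p]}" for p in ps if p in REVIEW]
        rules.append((f"allow {src} {tgt}:{tclass} {perm_expr};", notes))
    return rules

if __name__ == "__main__":
    for rule, notes in rules_for(SAMPLE_LOG):
        print(rule)
        for n in notes:
            print("  # review:", n)
```

Feed it `ausearch -m avc` output (or the relevant lines of /var/log/audit/audit.log) and read the review notes before pasting any rule into a policy module.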