-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 08/03/2013 04:26 AM, Robin Lee Powell wrote:
On Wed, Jul 31, 2013 at 10:57:31AM -0700, Robin Lee Powell wrote:
On Tue, Jul 30, 2013 at 08:01:43AM -0400, Daniel J Walsh wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/30/2013 03:09 AM, Robin Lee Powell wrote:
On Tue, Jul 30, 2013 at 08:56:39AM +0200, Miroslav Grepl wrote:
Could you please open a new bug with updated paths.
If it was just a matter of changing paths, I wouldn't have bothered with the email :).
What used to be puppetd is now run as "puppet agent", and what used to be run as puppetmasterd is now run as "puppet master". There are a bunch of other options too.
This could, I guess, be fixed by having wrapper scripts to get to the old functions, but the systemd config does, in fact, do it the new way: ExecStart=/usr/bin/puppet master
I have no idea, at all, how to handle this properly.
Well if we want to get separation between the master and the agent we will either need different entrypoints into the domain (Scripts). Or we will need to build SELinux knowledge into puppet.
Another solution would be to just make puppet into a single (very powerful domain). One thing we have talked about with puppet was to make i easy to extend puppetd policy to allow it to manage certain domains. puppetd_t would be an unconfined domain but if you disabled the unconfined module then you would use a tool like sepolicy generate to generate policy modules for the domains puppetd_t will be administrating.
Making puppet into a one giant super domain would be by far the easiest, since it would also cover things like "puppet apply", where puppet is used to run a puppet script file.
What's the right way for me to present a patch for this? Is there a github or something for the current policy?
Help, please. Is there any docs on how to submit policy patches?
-Robin
If we just change the label on /usr/bin/puppet to puppetmaster_exec_t what happens?