You can use puppet to manage services (make sure they are running and in
the proper runlevel).  What I emailed you worked for me.
exec_no_trans is required for rc-update

type=AVC msg=audit(1310333942.567:429): avc:  denied  { execute_no_trans }
for  pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033
scontext=system_u:system_r:puppet_t
tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file

I don't see selinux-puppet-2.20101213-r1 in the overlay.

-- Matthew Thode

On 7/11/11 7:17 AM, "Sven Vermeulen" <[email protected]> wrote:

>On Sun, Jul 10, 2011 at 04:49:15PM -0500, Matthew Thode wrote:
>> #============= puppet_t ==============
>> allow puppet_t initrc_notrans_exec_t:file execute;
>> allow puppet_t self:capability dac_read_search;
>
>These two I find a bit strange. When do you encounter the need for
>initrc_notrans_exec_t execute rights? I guess you're running rc-status or
>rc-update at that point? I can have it work using a puppet_t ->
>puppet_initrc_notrans_t -> puppet_t transition set (like we do for
>sysadm_t) but this is not something you can do with audit2allow, so if the
>above was sufficient to make things work...
>
>Also, the dac_read_search capability is something that allows a root user
>to read/search files, even if the owner of those files isn't root. In
>regular DAC, this is "normal" (root can do everything) but not always
>necessary. If you do not allow this, what happens then?
>
>My overlay contains sec-policy/selinux-puppet-2.20101213-r1 [1] so if you
>want to test things out, you can subscribe to the overlay or put the
>necessary files in your own.
>
>[1] https://github.com/sjvermeu/gentoo.overlay/tree/7e3e3e56a7eb822ed57cc3f3d6285189a1d9fa27/sec-policy/selinux-puppet
>
>Wkr,
>       Sven Vermeulen
>
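The thread turns on reading an AVC denial and deciding whether the audit2allow-style `allow` rule is the right answer. The following is an added example, not code from the thread, from audit2allow, or from the Gentoo SELinux policy: a small parser for the `type=AVC` audit line format quoted above that merges denials into `allow` rules the way audit2allow does, and flags `execute_no_trans` file denials for the domain-transition review Sven describes (a plain `allow` keeps rc-update running as puppet_t, whereas a transition set moves it into its own domain). The first sample line is the denial from the thread joined onto one line; the second (the `dac_read_search` capability denial) and third lines are constructed to illustrate a `self` target and a non-AVC record.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log. Line 1 is the denial quoted in the thread;
# line 2 is a constructed capability denial matching the audit2allow output
# discussed above; line 3 is a constructed non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1310333942.567:429): avc:  denied  { execute_no_trans } for  pid=31986 comm="puppetd" path="/sbin/rc-update" dev=vda3 ino=7033 scontext=system_u:system_r:puppet_t tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
type=AVC msg=audit(1310333950.123:430): avc:  denied  { dac_read_search } for  pid=31986 comm="puppetd" capability=2 scontext=system_u:system_r:puppet_t tcontext=system_u:system_r:puppet_t tclass=capability
type=SYSCALL msg=audit(1310333942.567:429): arch=c000003e syscall=59 success=no exit=-13
"""

# "avc: denied { perm perm } for key=value ..." (whitespace runs vary)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    comm: str
    path: str

    @property
    def source_type(self):
        # user:role:type[:range] -> the type component
        return self.scontext.split(":")[2]

    @property
    def target_type(self):
        return self.tcontext.split(":")[2]


def parse_avc(line):
    """Return a Denial for an AVC 'denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(sorted(m.group("perms").split())),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        comm=fields.get("comm", ""),
        path=fields.get("path", ""),
    )


def _target(d):
    # When source and target types match, policy language writes the target as 'self'.
    return "self" if d.source_type == d.target_type else d.target_type


def allow_rule(d):
    """The single allow rule that would silence this one denial."""
    return f"allow {d.source_type} {_target(d)}:{d.tclass} {' '.join(d.perms)};"


def needs_transition_review(d):
    """True when allowing the denial would run an executable inside the caller's
    domain; the thread's alternative is a domain transition into a dedicated type."""
    return d.tclass == "file" and "execute_no_trans" in d.perms


def summarize(audit_text):
    """Merge all AVC denials into sorted allow rules, one per (source, target, class)."""
    merged = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        merged.setdefault((d.source_type, _target(d), d.tclass), set()).update(d.perms)
    return sorted(
        f"allow {src} {tgt}:{cls} {' '.join(sorted(perms))};"
        for (src, tgt, cls), perms in merged.items()
    )


if __name__ == "__main__":
    for rule in summarize(SAMPLE_AUDIT):
        print(rule)
    for line in SAMPLE_AUDIT.splitlines():
        d = parse_avc(line)
        if d and needs_transition_review(d):
            print(f"review: {d.comm} executing {d.path} stays in {d.source_type}; consider a domain transition")
```

Running it prints the two merged rules (the file rule carries `execute_no_trans`, the permission actually named in the denial, rather than the bare `execute` audit2allow emitted in the thread) and a review line for the rc-update execution, which is exactly the case where Sven suggests a puppet_t -> puppet_initrc_notrans_t -> puppet_t transition instead of a direct allow.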