Puppetserver SELinux context


Jonathan Gazeley

Apr 27, 2016, 9:49:09 AM
to puppet...@googlegroups.com
Hi folks,

I'm running Puppetserver 1.1.3 on CentOS 7 quite happily. I've just
started using check_jvm[1] with Nagios to monitor the vital signs of
Puppetserver. As you'd expect, SELinux initially stamped all over this
so I did the usual and used audit2allow to generate a policy:

[jg4461@puppet-prod ~]$ sudo cat /var/log/audit/audit.log | grep java | audit2allow

#============= nagios_services_plugin_t ==============
allow nagios_services_plugin_t unconfined_service_t:process signull;

unconfined_service_t? Seems a bit odd, but it's true:

[jg4461@puppet-prod ~]$ ps -eZ | grep java
system_u:system_r:unconfined_service_t:s0 1677 ? 04:12:24 java
system_u:system_r:unconfined_service_t:s0 1692 ? 4-09:46:49 java

I'm quite happy with SELinux but I'm a real n00b at Java. Can anyone
explain how I can set the context of PuppetServer and PuppetDB
(that's the other Java process on my system) so the PuppetServer process
is confined in a more sensible type that I can actually audit safely? I
don't want to let unconfined_service_t have permissions on my system.

Thanks,
Jonathan

[1]
https://exchange.nagios.org/directory/Plugins/Java-Applications-and-Servers/Apache-Tomcat/check_jvm/details

--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
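An added example, not from the post or from the Puppet project: a small POSIX shell script that reproduces the two checks the post makes by hand. It collapses AVC denial records into the audit2allow-style allow rules, lists which PIDs run in a given SELinux type (unconfined_service_t by default), and picks out any generated rule that would grant something to or from unconfined_service_t, so a local policy module can be reviewed for exactly the kind of rule the post does not want before it is loaded. The AVC records and the sshd line are constructed sample data; the two java lines are the ones from the post; the function names are my own.

```shell
#!/bin/sh
# Added example: audit2allow-style summary of AVC denials plus a check for
# processes running in unconfined_service_t. Sample data below is constructed
# (AVC records, sshd line) or copied from the post (the two java lines).

# Constructed AVC records in /var/log/audit/audit.log format; pids and
# timestamps are made up, the contexts mirror the post's audit2allow output.
SAMPLE_AVC='type=AVC msg=audit(1461747000.123:4567): avc:  denied  { signull } for  pid=9876 comm="check_jvm" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=AVC msg=audit(1461747001.456:4568): avc:  denied  { signull } for  pid=9876 comm="check_jvm" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process permissive=0
type=AVC msg=audit(1461747002.789:4569): avc:  denied  { read } for  pid=9877 comm="check_jvm" name="status" dev="proc" scontext=system_u:system_r:nagios_services_plugin_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0'

# ps -eZ output: the two java lines from the post plus one constructed
# confined process (sshd) for contrast.
SAMPLE_PS='system_u:system_r:unconfined_service_t:s0 1677 ? 04:12:24 java
system_u:system_r:unconfined_service_t:s0 1692 ? 4-09:46:49 java
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ? 00:00:01 sshd'

# Collapse AVC denial records on stdin into deduplicated allow rules, one per
# unique (source type, target type, class, permission), in first-seen order.
summarise_avc() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # The permission set sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        # The type is the third colon-separated field of a context.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (perm == "" || src == "" || tgt == "" || cls == "") next
        if (index(perm, " ")) perm = "{ " perm " }"
        key = src SUBSEP tgt SUBSEP cls SUBSEP perm
        if (!(key in seen)) {
            seen[key] = 1
            printf "allow %s %s:%s %s;\n", src, tgt, cls, perm
        }
    }'
}

# Print the PIDs of processes whose context contains the given SELinux type
# (default unconfined_service_t), reading ps -eZ output from stdin.
pids_in_type() {
    t="${1:-unconfined_service_t}"
    awk -v t="$t" '$1 ~ (":" t ":") { print $2 }'
}

# Filter generated rules down to those that involve unconfined_service_t,
# i.e. the ones that should not go into a local policy module unreviewed.
rules_touching_unconfined() {
    grep 'unconfined_service_t' || true
}

# Demo run on the sample data.
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
printf '%s\n' "$SAMPLE_PS" | pids_in_type
```

On a live system the same functions read `ausearch -m avc` or the audit log and `ps -eZ` directly; the point of the filter is that a rule such as `allow nagios_services_plugin_t unconfined_service_t:process signull;` is a sign the target service itself needs a confined type, not that the monitoring plugin needs more access.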