Puppet Enterprise + SELinux


Thomas Müller

Mar 24, 2016, 5:16:17 AM3/24/16
to Puppet Users
Hi

Does Puppet Enterprise support running puppet agent selinux confined?

It seems at least EL6 and EL7 provide types, but pe-agent is not using them, as the agents are started in initrc_t (EL6) or unconfined_service_t (EL7).

I can't find documentation about this topic on docs.puppetlabs.com .

The problem with SELinux policy enforced is (at least on EL6) that some AVCs get logged when puppet tries to manage confined services (like sshd), as puppet causes tmp files to be created with the wrong context (initrc_tmp_t instead of puppet_tmp_t).

- Thomas


types on EL7

# seinfo -t | grep pupp
   puppet_var_lib_t
   puppet_var_run_t
   puppetca_exec_t
   puppetmaster_tmp_t
   puppet_client_packet_t
   puppetagent_exec_t
   puppet_port_t
   puppetagent_t
   puppet_etc_t
   puppet_log_t
   puppetmaster_initrc_exec_t
   puppetmaster_exec_t
   puppetmaster_t
   puppetagent_initrc_exec_t
   puppet_server_packet_t
   puppet_tmp_t
   puppetca_t


AVC on EL6
type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file


Quick fix:

# will be reset with restorecon -rv or "touch /.autorelabel" and reboot
# only a temp solution
# EL6
chcon -t puppet_initrc_exec_t /etc/init.d/pe-puppet
chcon -t puppet_exec_t /opt/puppet/bin/puppet
# EL7
chcon -t puppetagent_exec_t /opt/puppet/bin/puppet

# both
service pe-puppet restart

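As an added example (not code from the post, and not part of Puppet Enterprise), here is a small Python parser for AVC denial records like the one quoted above; it flags denials against /tmp/puppet* files carrying initrc_tmp_t instead of puppet_tmp_t, which is the symptom of the agent running unconfined. The sample audit text is constructed from the post's record plus one unrelated denial.

```python
import re

# Constructed sample audit log: the EL6 denial quoted in the post, plus an
# unrelated httpd denial that the detector must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1111111111.111:123): avc: denied { write } for pid=123 comm="sshd" path="/tmp/puppet20160301-123-123q1xb" dev=dm-1 ino=3 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file
type=AVC msg=audit(1111111111.222:124): avc: denied { read } for pid=456 comm="httpd" path="/var/www/html/index.html" dev=dm-1 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# "avc: denied { perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Context the post says a confined agent would give its tmp files, versus the
# one produced when the agent starts as initrc_t.
EXPECTED_TMP_TYPE = "puppet_tmp_t"
WRONG_TMP_TYPE = "initrc_tmp_t"


def parse_avc(line):
    """Return the denial's key/value fields plus a 'perms' list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["perms"] = m.group("perms").split()
    return fields


def selinux_type(context):
    """Extract the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def find_puppet_tmp_mislabels(audit_text):
    """List denials where a confined domain hit a mislabelled puppet tmp file."""
    findings = []
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if not f or not f.get("path", "").startswith("/tmp/puppet"):
            continue
        if selinux_type(f.get("tcontext", "")) == WRONG_TMP_TYPE:
            findings.append({
                "path": f["path"],
                "denied_domain": selinux_type(f.get("scontext", "")),
                "perms": f["perms"],
                "got": WRONG_TMP_TYPE,
                "expected": EXPECTED_TMP_TYPE,
            })
    return findings


if __name__ == "__main__":
    for hit in find_puppet_tmp_mislabels(SAMPLE_AUDIT):
        print(hit)
```

A hit from this detector points at the agent's own domain, not at the denied service, so the fix is relabelling the agent binaries as the post shows rather than loosening sshd's policy. Since chcon labels are lost on a relabel, a persistent file-context rule (semanage fcontext followed by restorecon) is the durable form of that fix.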



jcbollinger

Mar 24, 2016, 9:31:01 AM3/24/16
to Puppet Users


On Thursday, March 24, 2016 at 4:16:17 AM UTC-5, Thomas Müller wrote:
Hi

Does Puppet Enterprise support running puppet agent selinux confined?

It seems at least EL6 and EL7 provide types, but pe-agent is not using them, as the agents are started in initrc_t (EL6) or unconfined_service_t (EL7).

I can't find documentation about this topic on docs.puppetlabs.com .

The problem with SELinux policy enforced is (at least on EL6) that some AVCs get logged when puppet tries to manage confined services (like sshd), as puppet causes tmp files to be created with the wrong context (initrc_tmp_t instead of puppet_tmp_t).



I am uncertain whether PE provides a knob by which you can cause agents to run constrained, but of course there's nothing inherently preventing you from making that happen one way or another.  But what policy will you then enforce?

Depending on the catalogs served to it, the agent might be instructed to create, delete, or modify any file on the file system (including editing SELinux attributes), run any external program, start or stop any service, install software, etc..  Running the agent in a context that is not effectively unconstrained would limit those capabilities in a manner that the agent itself has no reason to expect.  Limiting capabilities is of course the point, but the agent having no visibility into the constraints it is working under makes for a bit of an impedance mismatch.  For that reason I would not be too surprised to hear that PE is without a built-in mechanism for running the agent constrained.

That doesn't seem like a deal-killer to me, but I do think you may be asking for a bigger management hassle than you realize.


John

Thomas Müller

Mar 24, 2016, 9:50:24 AM3/24/16
to Puppet Users


On Thursday, March 24, 2016 at 14:31:01 UTC+1, jcbollinger wrote:


On Thursday, March 24, 2016 at 4:16:17 AM UTC-5, Thomas Müller wrote:
Hi

Does Puppet Enterprise support running puppet agent selinux confined?

It seems at least EL6 and EL7 provide types, but pe-agent is not using them, as the agents are started in initrc_t (EL6) or unconfined_service_t (EL7).

I can't find documentation about this topic on docs.puppetlabs.com .

The problem with SELinux policy enforced is (at least on EL6) that some AVCs get logged when puppet tries to manage confined services (like sshd), as puppet causes tmp files to be created with the wrong context (initrc_tmp_t instead of puppet_tmp_t).



I am uncertain whether PE provides a knob by which you can cause agents to run constrained, but of course there's nothing inherently preventing you from making that happen one way or another.  But what policy will you then enforce?

It's not about enforcing a policy on puppet. It's about the interaction with other services running confined. If puppet runs in initrc_t it will create some files with contexts not accessible by confined services, whereas if the process runs as puppet_t it already has lots of access rules defined.

- Thomas

Trevor Vaughan

Mar 24, 2016, 9:50:35 AM3/24/16
to puppet...@googlegroups.com
Hi Thomas,

This looks like a bug in the installation RPM. I would file a bug against PE with your proposed fix as it looks correct and should be part of the RPM post installation.

Trevor




--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699

-- This account not approved for unencrypted proprietary information --