Evan,
I've attached my policy sourcefiles. As this isn't worth anything (it is
not even 10 lines of policy code) you can do with it whatever you want.
(The puppet.if was intentionally left blank, the policy Makefile will
complain if it is missing)
Building the policy is a simple "make -f /usr/share/selinux/devel/Makefile"
which will generate a puppet.pp (Beware: this is .pp as in "Policy Package"
and has nothing to do with puppet's *.pp) which can then be loaded using
semodule.
However there are a few things to consider:
1. It is somewhat insecure
Due to the nature of puppet you have to allow it everything (i.e.
running it in unconfined_t). After all that means if someone hacks
puppet it won't be confined by SELinux at all.
2. You have to deploy the policy somehow
We do the deployment using an arcane puppet class - I don't really want
to share that, because it sucks too much.
3. You have to ensure the context of your puppet binary
This could be achieved with something like

# Relabel the puppetd binary, but only when a restorecon dry run (-n -v)
# reports that it would change the context; otherwise the exec is a no-op.
exec { "restorecon-puppetd":
  command => "restorecon /usr/sbin/puppetd",
  onlyif  => "restorecon -nv /usr/sbin/puppetd | grep '^restorecon'",
  path    => "/sbin:/usr/sbin:/bin:/usr/bin",
}
4. You have to restart puppet using init.d from unconfined_t
From what I've seen you have to stop and start puppet from a session
that's inside unconfined_t to make the domain transition work. A restart
from within puppet didn't work for me.
After all I wrote a really ugly puppet exec that schedules the restart
with "at" - this seemed to work so far, but I don't really like it.
5. Ordering is crucial
You must keep things ordered correctly:
- load the module
- restore the context of /usr/sbin/puppetd
- restart puppetd
6. It is mainly untested
I use this policy on only five machines, all running CentOS 5. It isn't
tested for anything else, but I expect it to work for at least RHEL 5
and current Fedora releases.
7. It probably won't work with anything but the targeted policy
Andreas
Evan Hisey wrote:
> Andreas-
>
> On Thu, Apr 3, 2008 at 8:31 AM, Andreas Rogge <a.rogge@solvention.de>
> wrote:
>> Do you have SELinux enabled? When starting puppet from init.d with
>> SELinux enabled it runs in xinitrc_t while it should (at least imo) run in
>> unconfined_t. Running in xinitrc_t led to *really* strange things. Everything
>> was fixed once I deployed a policy that made puppetd run in unconfined_t.
>>
> Would you mind sharing your selinux policies for puppet? That would be
> one less app I will have to figure selinux out for. Also if it is okay
> with you I'd like to add it to the wiki for the rest of the
> puppetters with selinux issues.
>
> Evan
>
--
Solvention
Egermannstr. 6-8
53359 Rheinbach
Tel: +49 2226 158179-0
Fax: +49 2226 158179-9
http://www.solvention.de
mailto:info@solvention.de
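Tying points 3, 4 and 5 of the message above together, here is an added example manifest (written for this page, not Andreas's class and not part of Puppet itself) that keeps the three steps in the order he describes: load the module, relabel the binary, then schedule the restart with "at". It assumes the built puppet.pp is served from a fileserver module named "selinux", is staged under /usr/local/share/selinux, that the agent's init script is /etc/init.d/puppet and that atd is running.

```puppet
# Added example, not Andreas's manifest. Paths and module name are assumptions.
$policy = "/usr/local/share/selinux/puppet.pp"

# Ship the SELinux "Policy Package" built with the devel Makefile.
file { $policy:
  source => "puppet:///modules/selinux/puppet.pp",
  owner  => "root",
  group  => "root",
  mode   => 0644,
}

# Step 1: load (or upgrade) the module whenever a new puppet.pp arrives.
# refreshonly means it runs on the first deploy and on every later change;
# a module removed by hand is not re-added until the file changes again.
exec { "semodule-puppet":
  command     => "semodule -i $policy",
  path        => "/sbin:/usr/sbin:/bin:/usr/bin",
  refreshonly => true,
  subscribe   => File[$policy],
}

# Step 2: relabel the binary, only if the dry run reports a change, and only
# after the module (which defines the new file context) has been loaded.
exec { "restorecon-puppetd":
  command => "restorecon /usr/sbin/puppetd",
  onlyif  => "restorecon -nv /usr/sbin/puppetd | grep '^restorecon'",
  path    => "/sbin:/usr/sbin:/bin:/usr/bin",
  require => Exec["semodule-puppet"],
}

# Step 3: the restart is scheduled via at rather than run by puppetd itself,
# because a restart from inside the running puppetd did not give the author
# the domain transition. It only fires when the binary was actually relabeled.
exec { "schedule-puppetd-restart":
  command     => "echo '/etc/init.d/puppet restart' | at now + 1 minute",
  path        => "/sbin:/usr/sbin:/bin:/usr/bin",
  refreshonly => true,
  subscribe   => Exec["restorecon-puppetd"],
}
```

Check the result afterwards with "ps -eZ | grep puppetd": the domain column should read unconfined_t, not xinitrc_t.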