Help needed: Test new Fedora 20 puppet SELinux update

Hello all

We are rolling out an update of Puppet to 3.4.3 in Fedora 20 and Rawhide that
adds one important change. We have found that the puppet master was running
unconfined, therefore the Puppet SELinux policy was not effective in Fedora.

The puppet package update fixes one little issue (a missing runtime dependency) and
corrects the startup wrappers for systemd, which puts Puppet Master into the
correct SELinux domain puppetmaster_t. Since this has low security impact, we
have decided to backport this change into Fedora 20 too. Another reason is
the change in the selinux-policy package in Fedora 20 which allows us to backport
the changes into EPEL7.

The SELinux core puppet policy was refactored in parallel, so we now have
puppetmaster_t and puppetagent_t domains which reflect the state much better.
Previously the puppet agent was running under the puppet_t confined domain; now it
runs under the puppetagent_t domain. Also the agent has loosened security rules,
which is a great improvement too.

To update your host do the following:

yum --enablerepo=updates-testing update selinux-policy puppet puppet-server

When upgrading make sure you have the correct versions on the mirror (this got
pushed just hours ago):

  • puppet 3.4.3-3.fc20 or higher
  • policy 3.12.1-153.fc20 or higher

Restart the puppetmaster and agent and watch for denials. Please report
successes and failures.

grep AVC /var/log/audit/audit.log

Let's make sure we have a rock-solid version of Puppet hardened with SELinux, in
the best quality possible, in EPEL7 (we will likely rebase the EPEL7 version on
this one).

I did some initial testing over the last couple of days and it works just fine.

Thanks for help!

--
Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman
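As an added example (not from the original thread), a small POSIX shell script that checks the two things this update is about: that the master and agent processes run as puppetmaster_t and puppetagent_t rather than unconfined, and how many AVC denials in audit.log come from those domains. The function names, the `ps -eZ -o label,pid,args` column layout and the sample process list and audit records are constructed assumptions; pass `--live` to run it against the host instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the original thread. Verifies the SELinux domains
# of the Puppet processes and counts AVC denials from those domains.
# Function names and the two sample inputs below are constructed.

# Domain (SELinux type) of the first process whose args contain $2.
# $1 is the output of `ps -eZ -o label,pid,args`.
domain_of() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        'index($0, pat) { split($1, c, ":"); print c[3]; exit }'
}

# Return 0 when the process matching $2 runs in domain $3, else 1.
check_confined() {
    got=$(domain_of "$1" "$2")
    [ "$got" = "$3" ]
}

# Number of AVC records whose source context is puppetmaster_t or puppetagent_t.
# $1 is the contents of /var/log/audit/audit.log.
count_puppet_avc() {
    printf '%s\n' "$1" | awk '/type=AVC/ &&
        /scontext=[^ ]*:(puppetmaster_t|puppetagent_t):/ { n++ } END { print n + 0 }'
}

# Constructed sample of `ps -eZ -o label,pid,args` after the update.
PS_SAMPLE='LABEL PID COMMAND
system_u:system_r:puppetmaster_t:s0 1234 /usr/bin/ruby /usr/bin/puppet master --no-daemonize
system_u:system_r:puppetagent_t:s0 1250 /usr/bin/ruby /usr/bin/puppet agent --no-daemonize
system_u:system_r:sshd_t:s0 800 /usr/sbin/sshd -D'

# Constructed sample audit records: one denial from the master, one from sshd.
AUDIT_SAMPLE='type=AVC msg=audit(1397555000.123:456): avc:  denied  { write } for  pid=1234 comm="puppet" name="reports" dev="dm-0" ino=12345 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1397555000.123:456): arch=c000003e syscall=83 success=no exit=-13
type=AVC msg=audit(1397555010.456:457): avc:  denied  { read } for  pid=800 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# With --live, inspect this host instead of the samples.
if [ "${1:-}" = "--live" ]; then
    PS_SAMPLE=$(ps -eZ -o label,pid,args)
    AUDIT_SAMPLE=$(cat /var/log/audit/audit.log)
fi
for spec in 'puppet master:puppetmaster_t' 'puppet agent:puppetagent_t'; do
    proc=${spec%%:*}; want=${spec#*:}
    if check_confined "$PS_SAMPLE" "$proc" "$want"; then
        echo "OK   $proc runs as $want"
    else
        echo "FAIL $proc runs as '$(domain_of "$PS_SAMPLE" "$proc")', expected $want"
    fi
done
echo "AVC denials from puppet domains: $(count_puppet_avc "$AUDIT_SAMPLE")"
```

On a live host the `--live` run should print two OK lines and a denial count of 0 once the update and policy are in place; any FAIL line means the unit is still starting the process unconfined.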

Guys,

the selinux-policy update is now in the F20 stable repos, and the puppet update is
ready to be pushed.

While I tested this and it works fine for me, this update actually
makes SELinux effective on Puppet Master. I have one extra karma
from the Fedora community, but I'd appreciate more testing.

Please let me know if you need help with testing. If you want decent
SELinux in EPEL7 Puppet, please test this. Thanks.

LZ

On Tue, Apr 15, 2014 at 11:55:59AM +0200, Lukas Zapletal wrote:
> Hello all
>
> We are rolling out an update of Puppet to 3.4.3 in Fedora 20 and Rawhide that
> adds one important change. We have found that the puppet master was running
> unconfined, therefore the Puppet SELinux policy was not effective in Fedora.
>
> The puppet package update fixes one little issue (a missing runtime dependency) and
> corrects the startup wrappers for systemd, which puts Puppet Master into the
> correct SELinux domain puppetmaster_t. Since this has low security impact, we
> have decided to backport this change into Fedora 20 too. Another reason is
> the change in the selinux-policy package in Fedora 20 which allows us to backport
> the changes into EPEL7.
>
> - https://admin.fedoraproject.org/updates/puppet-3.4.3-3.fc20
> - https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
>
> The SELinux core puppet policy was refactored in parallel, so we now have
> puppetmaster_t and puppetagent_t domains which reflect the state much better.
> Previously the puppet agent was running under the puppet_t confined domain; now it
> runs under the puppetagent_t domain. Also the agent has loosened security rules,
> which is a great improvement too.
>
> To update your host do the following:
>
> yum --enablerepo=updates-testing update selinux-policy puppet puppet-server
>
> When upgrading make sure you have the correct versions on the mirror (this got
> pushed just hours ago):
>
> - puppet 3.4.3-3.fc20 or higher
> - policy 3.12.1-153.fc20 or higher
>
> Restart the puppetmaster and agent and watch for denials. Please report
> successes and failures.
>
> grep AVC /var/log/audit/audit.log
>
> Let's make sure we have a rock-solid version of Puppet hardened with SELinux, in
> the best quality possible, in EPEL7 (we will likely rebase the EPEL7 version on
> this one).
>
> I did some initial testing over the last couple of days and it works just fine.
>
> Thanks for help!
>
> --
> Later,
>
> Lukas "lzap" Zapletal
> irc: lzap #theforeman


Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman