Proxy, sudo and SELinux

Guys,

I am working on the initial version of SELinux policy for Foreman Proxy.
The first bigger issue I have is wide use of sudo. We use it to "get
out" of the foreman-proxy user account:

  • for IPMI operations (this is fair use although it would be ideal to
    get rid of this)
  • virsh (valid for libvirt root access)
  • puppetrun (we use root which is not optimal)
  • puppetca (we use root which is not optimal)

I think for the latter two cases we should change not to root account
but to puppet account which would be perfectly valid for those
operations I think.

--
Later,
Lukas #lzap Zapletal

>
> Guys,
>
> I am working on the initial version of SELinux policy for Foreman Proxy.
> The first bigger issue I have is wide use of sudo. We use it to "get
> out" of the foreman-proxy user account:
>
> - for IPMI operations (this is fair use although it would be ideal to
> get rid of this)
> - virsh (valid for libvirt root access)
> - puppetrun (we use root which is not optimal)
Puppet needs to run as root AFAIK

> - puppetca (we use root which is not optimal)
>
> I think for the latter two cases we should change not to root account
> but to puppet account which would be perfectly valid for those
> operations I think.
>

> --
> Later,
> Lukas #lzap Zapletal
>

On Aug 12, 2014 5:03 PM, "Lukas Zapletal" wrote:

> > - for IPMI operations (this is fair use although it would be ideal to
> > get rid of this)
> > - virsh (valid for libvirt root access)
> > - puppetrun (we use root which is not optimal)
> Puppet needs to run as root AFAIK
>
> > - puppetca (we use root which is not optimal)

On the client, yes. That's outside of my scope.

The problematic domain is puppetca when proxy issues something like:

sudo puppet ca --list --all

I guess this could be executed as puppet user and not as root user,
right?

Does Foreman ship with default sudo configuration for any command/proxy
feature?

--
Later,
Lukas #lzap Zapletal
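The thread's point is that the proxy's sudo rules should escalate to the least-privileged account that can do the job (the puppet user for `puppet ca`) rather than to root. As an added illustration, not code or configuration from the Foreman project, the script below parses sudoers user-specification lines and flags rules that run as root (the sudo default when no RunAs is given), allow any command, or grant passwordless root. The sample sudoers fragment is constructed for the example: the paths and the `(puppet)` RunAs are assumptions, not Foreman's shipped configuration.

```python
"""Audit sudoers user-specification lines for root escalation and broad grants.

Added example for the foreman-dev thread above; the sample rules are
constructed for illustration and are not Foreman's shipped sudo configuration.
"""
import re
from dataclasses import dataclass, field

# Matches:  user  host = (runas[:group]) [TAG:]... command
# host excludes '=' so "ALL=(puppet)" without spaces also parses.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmnd>.+?)\s*$"
)


@dataclass
class Rule:
    user: str
    host: str
    runas: str                 # RunAs user; "root" when omitted (sudo's default)
    tags: tuple
    cmnd: str
    findings: list = field(default_factory=list)


def parse_rule(line: str):
    """Return a Rule for a user-specification line, or None for comments,
    Defaults lines, blank lines and anything the regex does not recognise."""
    line = line.split(" #", 1)[0].strip()   # drop trailing comments
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    # "(puppet)" -> puppet, "(ALL : ALL)" -> ALL, omitted -> root
    runas_user = (runas.split(":")[0].strip() if runas else "") or "root"
    tags = tuple(t.rstrip(":") for t in m.group("tags").split())
    return Rule(m.group("user"), m.group("host"), runas_user, tags,
                m.group("cmnd").strip())


def audit_rule(rule: Rule) -> Rule:
    """Attach findings describing why a rule is broader than least privilege."""
    if rule.runas in ("root", "ALL"):
        rule.findings.append("runs as root")
    if rule.cmnd == "ALL":
        rule.findings.append("any command")
    elif "*" in rule.cmnd:
        rule.findings.append("wildcard arguments")
    if "NOPASSWD" in rule.tags and rule.runas in ("root", "ALL"):
        rule.findings.append("passwordless root")
    return rule


def audit(text: str):
    """Parse and audit every user-specification line in a sudoers text."""
    rules = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            rules.append(audit_rule(rule))
    return rules


# Constructed sample: the first rule is the root-escalating form discussed
# in the thread, the second the narrowed form that runs as the puppet user,
# the third an unrestricted grant that should never appear for a service user.
SAMPLE_SUDOERS = """\
# constructed sample, not a real deployment
Defaults:foreman-proxy !requiretty
foreman-proxy ALL = NOPASSWD: /usr/bin/puppet ca --list --all
foreman-proxy ALL = (puppet) NOPASSWD: /usr/bin/puppet ca --list --all
foreman-proxy ALL = (ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_SUDOERS):
        status = ", ".join(r.findings) if r.findings else "ok"
        print(f"{r.user} -> ({r.runas}) {r.cmnd}: {status}")
```

Run stand-alone, the script reports the first and third rules as root escalation (the third also as "any command") and the narrowed `(puppet)` rule as ok; the same parser can be pointed at real `/etc/sudoers.d/` drop-ins to confirm that no proxy feature still escalates to root unnecessarily.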