I am working on the initial version of SELinux policy for Foreman Proxy.
The first bigger issue I have is wide use of sudo. We use it to "get
out" of the foreman-proxy user account:
- for IPMI operations (this is fair use although it would be ideal to
get rid of this)
- virsh (valid for libvirt root access)
- puppetrun (we use root which is not optimal)
- puppetca (we use root which is not optimal)
I think for the latter two cases we should change not to root account
but to puppet account which would be perfectly valid for those
operations I think.
>
> Guys,
>
> I am working on the initial version of SELinux policy for Foreman Proxy.
> The first bigger issue I have is wide use of sudo. We use it to "get
> out" of the foreman-proxy user account:
>
> - for IPMI operations (this is fair use although it would be ideal to
> get rid of this)
> - virsh (valid for libvirt root access)
> - puppetrun (we use root which is not optimal)
Puppet needs to run as root AFAIK
> - puppetca (we use root which is not optimal)
>
> I think for the latter two cases we should change not to root account
> but to puppet account which would be perfectly valid for those
> operations I think.
>
> –
> Later,
> Lukas #lzap Zapletal
>
On Aug 12, 2014 5:03 PM, "Lukas Zapletal" wrote:
> > - for IPMI operations (this is fair use although it would be ideal to
> > get rid of this)
> > - virsh (valid for libvirt root access)
> > - puppetrun (we use root which is not optimal)
> Puppet needs to run as root AFAIK
>
> > - puppetca (we use root which is not optimal)
On the client, yes. That's outside of my scope.
The problematic domain is puppetca when proxy issues something like:
sudo puppet ca --list --all
I guess this could be executed as puppet user and not as root user,
right?
Does Foreman ship with default sudo configuration for any command/proxy
feature?
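As an added illustration of the tightening discussed in this thread (this is not a configuration shipped by Foreman or Foreman Proxy; the file name, the Cmnd_Alias names, and the assumption that puppetrun maps to `puppet kick` and IPMI to `ipmitool` are all mine), here is a sudoers drop-in that replaces a blanket root grant with one rule per proxy feature and runs the Puppet CA command as the puppet user instead of root:

```sudoers
# /etc/sudoers.d/foreman-proxy  (hypothetical file; not shipped by the project)

# Weak form: what "wide use of sudo" tends to end up as. Any command, as root,
# no password, from a long-running daemon account. Shown only for contrast.
# foreman-proxy ALL = (root) NOPASSWD: ALL

# Daemons have no controlling tty; distributions that set "Defaults requiretty"
# would otherwise refuse every sudo call from the proxy.
Defaults:foreman-proxy !requiretty

# One alias per proxy feature. Binary paths are assumptions for this example.
Cmnd_Alias FP_PUPPETCA  = /usr/bin/puppet ca *
Cmnd_Alias FP_PUPPETRUN = /usr/bin/puppet kick *
Cmnd_Alias FP_VIRSH     = /usr/bin/virsh *
Cmnd_Alias FP_IPMI      = /usr/bin/ipmitool *

# CA operations only need the CA directory, which the puppet user owns,
# so the target user is puppet rather than root.
foreman-proxy ALL = (puppet) NOPASSWD: FP_PUPPETCA, FP_PUPPETRUN

# libvirt and IPMI still need root here; the grant is limited to those binaries.
foreman-proxy ALL = (root)   NOPASSWD: FP_VIRSH, FP_IPMI
```

Check the file with `visudo -cf /etc/sudoers.d/foreman-proxy` before installing it, and confirm the resulting grants with `sudo -l -U foreman-proxy`. With the `(puppet)` rule the proxy has to invoke `sudo -u puppet puppet ca --list --all`; a plain `sudo puppet ca --list --all` asks for root and is refused. Two caveats: a `*` in sudoers is not shell globbing and matches any argument string, spaces included, so `puppet ca *` also permits `puppet ca --clean <host>`; if only listing should be allowed, spell out `/usr/bin/puppet ca --list --all` with no wildcard. And every distinct sudo target user is a separate domain transition an SELinux policy has to allow, so fewer and narrower grants also mean a smaller policy.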