From cd0c42668141249da27bf0fd1ad312efce3d21a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Tue, 30 Oct 2012 12:00:49 +0200
Subject: [PATCH] SELinux fixes for puppetmaster data directories.

---
 puppet/manifests/init.pp | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/puppet/manifests/init.pp b/puppet/manifests/init.pp
index f0fa9db..b1fba92 100644
--- a/puppet/manifests/init.pp
+++ b/puppet/manifests/init.pp
@@ -194,9 +194,11 @@ class puppet::server {
 class puppet::server::common inherits puppet::client {
 if $::operatingsystem == "CentOS" and $::operatingsystemrelease =~ /^[1-5]\..*/ {
- $seltype = "var_lib_t"
+ $seltype_readonly = "var_lib_t"
+ $seltype_writable = "var_lib_t"
 } else {
- $seltype = "puppet_var_lib_t"
+ $seltype_readonly = "puppetmaster_t"
+ $seltype_writable = "puppet_var_lib_t"
 }
 case $operatingsystem {
@@ -294,17 +296,21 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => Package["puppetmaster"],
 }
 selinux::manage_fcontext { "${puppet_datadir}(/.*)?":
- type => $seltype,
+ type => $seltype_readonly,
 before => File[$puppet_datadir],
 }
+ selinux::manage_fcontext { "${puppet_datadir}/(bucket|reports|rrd)(/.*)?":
+ type => $seltype_writable,
+ before => File["/srv/puppet/reports"],
+ }
 file { "/srv/puppet":
 ensure => link,
 target => $puppet_datadir,
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => File[$puppet_datadir],
 }
 } else {
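Review bot: `$seltype_readonly = "puppetmaster_t"` in the non-CentOS-5 branch assigns what the SELinux reference policy defines as the puppet master's process domain type, not a file type; used as a file label through `seltype` and `selinux::manage_fcontext` it is likely to be refused when the label is applied (the kernel only lets file types associate with a filesystem) or to leave data the master's own rules never grant it access to, since those rules are written against file types such as `puppet_var_lib_t` or `puppet_etc_t`. If a read-only label distinct from the writable `puppet_var_lib_t` is intended, it has to be a file type defined in the target policy (confirm against it); otherwise keep `$seltype_readonly = "puppet_var_lib_t"` and accept that the split is a no-op on this branch, as it already is on the CentOS branch where both variables are `var_lib_t`. A comment above the two assignments stating the rationale, `# bucket/reports/rrd are written by the running master; the rest of the tree only needs to be readable`, would make the readonly/writable distinction checkable by the next reader.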
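Review bot: The new fcontext for `${puppet_datadir}/(bucket|reports|rrd)(/.*)?` orders itself only before `File["/srv/puppet/reports"]`, although its pattern covers three directories; if bucket and rrd are also managed File resources (none is visible in this hunk), they should be listed as well, `before => File["/srv/puppet/bucket", "/srv/puppet/reports", "/srv/puppet/rrd"],`, so the context is registered before any of the three is created and a later relabel does not revert them to `$seltype_readonly`. The same applies to the `/srv/puppet/(bucket|reports|rrd)(/.*)?` fcontext added in the hunk at -316. The enclosing `if`/`else` on `$puppet_datadir` starts before this hunk and ends after it.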
@@ -316,14 +322,18 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => Package["puppetmaster"],
 }
 }
 selinux::manage_fcontext { "/srv/puppet(/.*)?":
- type => $seltype,
+ type => $seltype_readonly,
 before => File["/srv/puppet"],
 }
+ selinux::manage_fcontext { "/srv/puppet/(bucket|reports|rrd)(/.*)?":
+ type => $seltype_writable,
+ before => File["/srv/puppet/reports"],
+ }
 if $puppet_storeconfigs != "none" {
 file { "/srv/puppet/storeconfigs":
@@ -331,7 +341,7 @@ class puppet::server::common inherits puppet::client {
 mode => "0750",
 owner => $user,
 group => $group,
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => File["/srv/puppet"],
 }
 }
@@ -342,7 +352,7 @@ class puppet::server::common inherits puppet::client {
 mode => "0750",
 owner => $user,
 group => $group,
- seltype => $seltype,
+ seltype => $seltype_writable,
 require => File["/srv/puppet"],
 }
 file { [ "/srv/puppet/files",
@@ -354,7 +364,7 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => File["/srv/puppet"],
 }
 file { "/srv/puppet/files/common":
@@ -365,7 +375,7 @@ class puppet::server::common inherits puppet::client {
 "openbsd" => "wheel",
 default => "root",
 },
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => File["/srv/puppet/files"],
 }
 file { "/srv/puppet/files/private":
@@ -373,7 +383,7 @@ class puppet::server::common inherits puppet::client {
 mode => "0750",
 owner => "root",
 group => $group,
- seltype => $seltype,
+ seltype => $seltype_readonly,
 require => File["/srv/puppet/files"],
 }
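Review bot: The File resource whose `seltype` becomes `$seltype_writable` in the hunk at -342 has its title outside the hunk, so the diff alone does not show which directory is being opened for writes by the master while every other resource in this class stays `$seltype_readonly`; that is the one place the commit changes the effective policy rather than renaming a variable, and it deserves a comment above the resource, `# written by the running master at runtime (see the bucket|reports|rrd fcontext); keep the rest of the tree read-only`. The resource's opening line and the enclosing `else` block both lie outside the hunk.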