SELinux fixes for puppetmaster data directories.

2012-10-30 12:00:49 +02:00 · 2012-10-30 12:00:49 +02:00 · cd0c426681
commit cd0c426681
parent 2555300994
1 changed files with 22 additions and 12 deletions
--- a/puppet/manifests/init.pp
+++ b/puppet/manifests/init.pp
@ -194,9 +194,11 @@ class puppet::server {
 class puppet::server::common inherits puppet::client {
    if $::operatingsystem == "CentOS" and $::operatingsystemrelease =~ /^[1-5]\..*/ {
-        $seltype = "var_lib_t"
+        $seltype_readonly = "var_lib_t"
        $seltype_writable = "var_lib_t"
    } else {
-        $seltype = "puppet_var_lib_t"
+        $seltype_readonly = "puppetmaster_t"
        $seltype_writable = "puppet_var_lib_t"
    }
    case $operatingsystem {
@ -294,17 +296,21 @@ class puppet::server::common inherits puppet::client {
                "openbsd" => "wheel",
                default   => "root",
            },
-            seltype => $seltype,
+            seltype => $seltype_readonly,
            require => Package["puppetmaster"],
        }
        selinux::manage_fcontext { "${puppet_datadir}(/.*)?":
-            type   => $seltype,
+            type   => $seltype_readonly,
            before => File[$puppet_datadir],
        }
        selinux::manage_fcontext { "${puppet_datadir}/(bucket|reports|rrd)(/.*)?":
            type   => $seltype_writable,
            before => File["/srv/puppet/reports"],
        }
        file { "/srv/puppet":
            ensure  => link,
            target  => $puppet_datadir,
-            seltype => $seltype,
+            seltype => $seltype_readonly,
            require => File[$puppet_datadir],
        }
    } else {
@ -316,14 +322,18 @@ class puppet::server::common inherits puppet::client {
                "openbsd" => "wheel",
                default   => "root",
            },
-            seltype => $seltype,
+            seltype => $seltype_readonly,
            require => Package["puppetmaster"],
        }
    }
    selinux::manage_fcontext { "/srv/puppet(/.*)?":
-        type   => $seltype,
+        type   => $seltype_readonly,
        before => File["/srv/puppet"],
    }
    selinux::manage_fcontext { "/srv/puppet/(bucket|reports|rrd)(/.*)?":
        type   => $seltype_writable,
        before => File["/srv/puppet/reports"],
    }
    if $puppet_storeconfigs != "none" {
        file { "/srv/puppet/storeconfigs":
@ -331,7 +341,7 @@ class puppet::server::common inherits puppet::client {
            mode    => "0750",
            owner   => $user,
            group   => $group,
-            seltype => $seltype,
+            seltype => $seltype_readonly,
            require => File["/srv/puppet"],
        }
    }
@ -342,7 +352,7 @@ class puppet::server::common inherits puppet::client {
        mode    => "0750",
        owner   => $user,
        group   => $group,
-        seltype => $seltype,
+        seltype => $seltype_writable,
        require => File["/srv/puppet"],
    }
    file { [ "/srv/puppet/files",
@ -354,7 +364,7 @@ class puppet::server::common inherits puppet::client {
            "openbsd" => "wheel",
            default   => "root",
        },
-        seltype => $seltype,
+        seltype => $seltype_readonly,
        require => File["/srv/puppet"],
    }
    file { "/srv/puppet/files/common":
@ -365,7 +375,7 @@ class puppet::server::common inherits puppet::client {
            "openbsd" => "wheel",
            default   => "root",
        },
-        seltype => $seltype,
+        seltype => $seltype_readonly,
        require => File["/srv/puppet/files"],
    }
    file { "/srv/puppet/files/private":
@ -373,7 +383,7 @@ class puppet::server::common inherits puppet::client {
        mode    => "0750",
        owner   => "root",
        group   => $group,
-        seltype => $seltype,
+        seltype => $seltype_readonly,
        require => File["/srv/puppet/files"],
    }