From 9ae45e3fef24617254cc2991a5463b43c9ad5865 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 21 Nov 2014 10:54:27 +0200
Subject: [PATCH 1/3] bacula: Sync SELinux contexts with CentOS 6.6 and change mail command to use bacula's own bsmtp to prevent SELinux errors.

---
 bacula/manifests/init.pp | 8 ++++----
 bacula/templates/bacula-dir.conf.erb | 4 ++--
 bacula/templates/bacula-sd.conf.erb | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/bacula/manifests/init.pp b/bacula/manifests/init.pp
index 7265230..efc83fe 100644
--- a/bacula/manifests/init.pp
+++ b/bacula/manifests/init.pp
@@ -215,11 +215,11 @@ class bacula::director($password=undef,
 mode => "0770",
 owner => "bacula",
 group => "bacula",
- seltype => "var_spool_t",
+ seltype => "bacula_spool_t",
 require => Package["bacula-director"],
 }
 selinux::manage_fcontext { "${datadir}(/.*)?":
- type => "var_spool_t",
+ type => "bacula_spool_t",
 before => File[$datadir],
 }
 if $datadir != "/srv/bacula" {
@@ -228,11 +228,11 @@ class bacula::director($password=undef,
 target => $datadir,
 owner => "bacula",
 group => "bacula",
- seltype => "var_spool_t",
+ seltype => "bacula_spool_t",
 require => File[$datadir],
 }
 selinux::manage_fcontext { "/srv/bacula(/.*)?":
- type => "var_spool_t",
+ type => "bacula_spool_t",
 before => File[$datadir],
 }
 }
diff --git a/bacula/templates/bacula-dir.conf.erb b/bacula/templates/bacula-dir.conf.erb
index 382e776..9a93566 100644
--- a/bacula/templates/bacula-dir.conf.erb
+++ b/bacula/templates/bacula-dir.conf.erb
@@ -15,8 +15,8 @@ Director {
 Messages {
 Name = "Standard"
- MailCommand = "mail -s \"Bacula Message\" %r"
- OperatorCommand = "mail -s \"Bacula Operator Message\" %r"
+ MailCommand = "bsmtp -h <%= @mail_server %> -s \"Bacula Message\" %r"
+ OperatorCommand = "bsmtp -h <%= @mail_server %> -s \"Bacula Operator Message\" %r"
 mail = root = all, !skipped
 operator = root = mount
 append = "/var/log/bacula/bacula.log" = all, !skipped
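Review bot: Switching `seltype` on `File[$datadir]` and the `selinux::manage_fcontext` type to `bacula_spool_t` relabels the directory itself and registers the new context rule, but files already present under the spool keep their old `var_spool_t` label unless something restores contexts on the whole tree; I cannot see whether `selinux::manage_fcontext` runs `restorecon`, so this is worth confirming before the change reaches hosts that already have data in the spool. The second hunk of this file (the `/srv/bacula` resource and its fcontext) has the same concern. Since the subject ties `bacula_spool_t` to the CentOS 6.6 policy, a comment next to the first `seltype` such as `# bacula_spool_t is the CentOS 6.6+ policy type; older policies only know var_spool_t` would record why the label changed and what an older host will do with it.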
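Review bot: `@mail_server` is interpolated into `MailCommand` and `OperatorCommand`, but nothing in this series declares or passes it, and ERB renders an unset instance variable as an empty string, so a director class that does not already expose `mail_server` would silently produce `bsmtp -h  -s ...` and every notification would fail at delivery time rather than at catalog compile time. If it is not already a class parameter, add one, and consider making the template fail loudly, e.g. `<% raise "mail_server is not set" if @mail_server.nil? || @mail_server.empty? %>` ahead of the `Messages` block. Bacula's stock configuration on CentOS also spells the helper as `/usr/sbin/bsmtp` rather than relying on the daemon's PATH. The `bacula-sd.conf.erb` hunk in the next file section has the identical construct.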
diff --git a/bacula/templates/bacula-sd.conf.erb b/bacula/templates/bacula-sd.conf.erb
index e9ea737..e785dfc 100644
--- a/bacula/templates/bacula-sd.conf.erb
+++ b/bacula/templates/bacula-sd.conf.erb
@@ -24,8 +24,8 @@ Director {
 Messages {
 Name = "Standard"
- MailCommand = "mail -s \"Bacula Message\" %r"
- OperatorCommand = "mail -s \"Bacula Operator Message\" %r"
+ MailCommand = "bsmtp -h <%= @mail_server %> -s \"Bacula Message\" %r"
+ OperatorCommand = "bsmtp -h <%= @mail_server %> -s \"Bacula Operator Message\" %r"
 mail = root = all, !skipped, !info
 operator = root = mount
 director = bacula-dir = all

From 6b4ab40c939f54e9585f4f97f2ddda68ffeb8d25 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 27 Nov 2014 09:32:56 +0200
Subject: [PATCH 2/3] puppet: Workaround for broken find (too many open files) for puppet-report-cleanup

---
 puppet/templates/puppet-report-cleanup.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/puppet/templates/puppet-report-cleanup.erb b/puppet/templates/puppet-report-cleanup.erb
index 5a6607d..c41c96c 100755
--- a/puppet/templates/puppet-report-cleanup.erb
+++ b/puppet/templates/puppet-report-cleanup.erb
@@ -6,6 +6,6 @@ if [ "`whoami`" = "root" ]; then
 fi
 find /srv/puppet/reports/ -xdev -mindepth 2 -type f -mtime +<%= @puppet_report_maxage %> \
- -name '*.yaml.gz' -execdir rm -f -- {} \;
+ -name '*.yaml.gz' -execdir rm -f -- {} \<% if @kernel == 'Linux' %>+<% else %>;<% end %>
 find /srv/puppet/reports/ -xdev -mindepth 2 -type f -mtime +1 \
- -name '*.yaml' -execdir gzip -- {} \;
+ -name '*.yaml' -execdir gzip -- {} \<% if @kernel == 'Linux' %>+<% else %>;<% end %>

From 15bb080b463962fd986049daa278f2c971b06dbb Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 27 Nov 2014 15:15:51 +0200
Subject: [PATCH 3/3] sasl: Do not run saslauthd as root on centos/fedora/rhel

---
 sasl/manifests/init.pp | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
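Review bot: The `@kernel == 'Linux'` conditional is pasted verbatim on both `-execdir` lines and carries no explanation, so the next reader sees `\+` in the rendered script with nothing saying why only Linux batches the arguments; hoist it once, e.g. `<% term = @kernel == 'Linux' ? '+' : ';' -%>` near the top and use `\<%= term %>` on both lines, with a template comment such as `# GNU find: batch -execdir with '+'; per-file '\;' exhausted file descriptors (see commit 6b4ab40)`. Keeping the reason in the file matters here because the `+` form is the non-obvious one and a later cleanup could "simplify" it back to `\;` and reintroduce the failure. The surrounding script begins before this hunk.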
diff --git a/sasl/manifests/init.pp b/sasl/manifests/init.pp
index c3d9840..00816e0 100644
--- a/sasl/manifests/init.pp
+++ b/sasl/manifests/init.pp
@@ -39,6 +39,10 @@ class sasl::client {
 #
 # For ldap authentication, see ldap::client for required global variables.
 #
+# When using kerberos5 mech on CentOS, Fedora or RedHat system
+# the saslauthd is ran as saslauth user and uses host/$FQDN from
+# /etc/saslauthd.keytab for authentication.
+#
 class sasl::saslauthd {
 require sasl::client
@@ -55,6 +59,7 @@ class sasl::saslauthd {
 changes => "set MECH ldap",
 notify => Service["saslauthd"],
 }
+ $user = "saslauth"
 }
 "openbsd": {
 Service["saslauthd"] {
@@ -87,9 +92,12 @@ class sasl::saslauthd {
 "centos","fedora","redhat": {
 augeas { "set-saslauthd-mech":
 context => "/files/etc/sysconfig/saslauthd",
- changes => "set MECH kerberos5",
+ changes => [ "set MECH kerberos5",
+ "set KRB5_KTNAME '\"/etc/saslauthd.keytab\"'",
+ "set @export KRB5_KTNAME", ],
 notify => Service["saslauthd"],
 }
+ $user = "saslauth"
 }
 "openbsd": {
 Service["saslauthd"] {
@@ -118,6 +126,30 @@ class sasl::saslauthd {
 }
 }
+ if $user {
+ case $::operatingsystem {
+ "centos","fedora","redhat": {
+ file { "/var/run/saslauthd":
+ ensure => directory,
+ mode => "0755",
+ owner => $user,
+ group => $user,
+ before => Service["saslauthd"],
+ }
+ augeas { "set-saslauthd-user":
+ context => "/files/etc/sysconfig/saslauthd",
+ changes => "set DAEMONOPTS '\"--user ${user}\"'",
+ notify => Service["saslauthd"],
+ }
+ }
+ default: {
+ fail("Running saslauthd as non root not supported on ${::operatingsystem}")
+ }
+ }
+ } else {
+ $user = "root"
+ }
 service { "saslauthd":
 ensure => running,
 enable => true,
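Review bot: With `$user = "saslauth"` set in the ldap branch here and again in the kerberos5 branch of the `@@ -87,9 +92,12 @@` hunk, saslauthd no longer starts as root, but the commit manages only `/var/run/saslauthd` and not the credential files the daemon must now read unprivileged: the keytab that the later hunk exports via `KRB5_KTNAME=/etc/saslauthd.keytab`, and for ldap the bind password in saslauthd.conf if that file is managed in this class outside the hunk. A keytab left root:root 0600 lets the service start and then, most likely, fail every authentication, which is the quiet failure mode to avoid; prefer a file resource on the keytab with `owner => "root", group => $user, mode => "0640"` and `before => Service["saslauthd"]` over loosening it to world-readable, and a comment on the kerberos5 branch such as `# keytab must be group-readable by $user now that saslauthd drops root` to record the dependency. The doc comment in the first hunk reads `is ran as`; `is run as` is the grammatical form.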