puppetmaster_selinux(8) SELinux Policy puppetmaster puppetmaster_selinux(8)

NAME

puppetmaster_selinux - Security Enhanced Linux Policy for the puppetmaster processes

DESCRIPTION

Security-Enhanced Linux secures the puppetmaster processes via flexible mandatory access control.

The puppetmaster processes execute with the puppetmaster_t SELinux type. You can check if you have these processes running by executing the ps command with the -Z qualifier.

For example:

ps -eZ | grep puppetmaster_t

ENTRYPOINTS

The puppetmaster_t SELinux type can be entered via the puppetmaster_exec_t file type.

The default entrypoint paths for the puppetmaster_t domain are the following:

/usr/bin/puppetmasterd, /usr/sbin/puppetmasterd, /usr/bin/start-puppet-master
PROCESS TYPES

SELinux defines process types (domains) for each process running on the system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux puppetmaster policy is very flexible, allowing users to set up their puppetmaster processes in as secure a method as possible.

The following process types are defined for puppetmaster:

puppetmaster_t

Note: semanage permissive -a puppetmaster_t can be used to make the process type puppetmaster_t permissive. SELinux does not deny access to permissive process types, but the AVC (SELinux denials) messages are still generated.
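Since AVC records are still written for a permissive domain, the audit log is where you see what puppetmaster_t would have been denied in enforcing mode. The function below is an added example, not part of this generated page or of sepolicy: it summarises audit.log-style AVC records for one source domain and marks each as enforced or permissive from the record's permissive= field; the sample records are constructed.

```shell
#!/bin/sh
# Added example: summarise AVC records for one source domain (assumes raw audit.log format).

# Constructed sample audit.log lines, not a real capture. The first record carries
# permissive=1: the domain was permissive, so the write went through but was still logged.
SAMPLE_AVC='type=AVC msg=audit(1711440000.101:201): avc:  denied  { write } for  pid=2101 comm="puppet" name="puppet.log" dev="dm-0" ino=4201 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1711440000.102:202): avc:  denied  { name_connect } for  pid=2101 comm="puppet" dest=5432 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1711440000.103:203): avc:  denied  { read } for  pid=3300 comm="httpd" name="index.html" dev="dm-0" ino=5555 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary DOMAIN: read AVC records on stdin and print, for each record whose
# source domain is DOMAIN, one line "<permissions> <tclass> <target type> <mode>",
# where mode is "permissive" if the record has permissive=1 and "enforced" otherwise.
avc_summary() {
    awk -v dom="$1" '
        /^type=AVC / {
            perms = ""; tclass = ""; ttype = ""; mode = "enforced"; from_dom = 0
            # the denied permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") { split(kv[2], c, ":"); if (c[3] == dom) from_dom = 1 }
                if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
                if (kv[1] == "tclass") tclass = kv[2]
                if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
            }
            if (from_dom) printf "%s %s %s %s\n", perms, tclass, ttype, mode
        }'
}

# Example run over the constructed sample; on a live host the input would come
# from something like: ausearch -m avc -ts today | avc_summary puppetmaster_t
printf '%s\n' "$SAMPLE_AVC" | avc_summary puppetmaster_t
```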

BOOLEANS

SELinux policy is customizable based on least access required. puppetmaster policy is extremely flexible and has several booleans that allow you to manipulate the policy and run puppetmaster with the tightest access possible.

If you want to allow the Puppet master to connect to MySQL and PostgreSQL databases, you must turn on the puppetmaster_use_db boolean. Disabled by default.

setsebool -P puppetmaster_use_db 1

If you want to allow all domains to execute in fips_mode, you must turn on the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1
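Because setsebool -P changes persist and are easy to forget, a practitioner usually wants to compare a host's booleans against an intended state. The shell function below is an added example (not from this page or from sepolicy): it diffs getsebool -a style output against a desired list and prints only the setsebool -P commands needed; the desired state and the getsebool sample are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report puppetmaster-related booleans that differ from a desired state.

# Desired states (assumption for this example: this master does not talk to a
# database, so puppetmaster_use_db stays off; fips_mode keeps its default of on).
DESIRED='puppetmaster_use_db=off fips_mode=on'

# Constructed stand-in for "getsebool -a" output, not taken from a real host.
SAMPLE_GETSEBOOL='fips_mode --> off
httpd_can_network_connect --> off
puppetmaster_use_db --> on'

# boolean_drift DESIRED: read getsebool-style lines on stdin and print the
# "setsebool -P" command that brings each drifted boolean back to its desired
# state; booleans missing from the loaded policy are reported as a comment line.
boolean_drift() {
    awk -v desired="$1" '
        BEGIN {
            n = split(desired, items, " ")
            for (i = 1; i <= n; i++) { split(items[i], kv, "="); want[kv[1]] = kv[2] }
        }
        $2 == "-->" && ($1 in want) {
            seen[$1] = 1
            # (want == "on") evaluates to 1 or 0, which is what setsebool takes
            if ($3 != want[$1]) printf "setsebool -P %s %d\n", $1, (want[$1] == "on")
        }
        END { for (b in want) if (!(b in seen)) printf "# %s: not defined in the loaded policy\n", b }'
}

# Example run: prints the two commands needed to fix the constructed sample.
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift "$DESIRED"
```

On a live host feed it `getsebool -a | boolean_drift "$DESIRED"` and review the output before running it, since setsebool -P also writes the persistent setting.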

MANAGED FILES

The SELinux process type puppetmaster_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note that the process's UID still needs to have DAC permissions.

cluster_conf_t

/etc/cluster(/.*)?

cluster_var_lib_t

/var/lib/pcsd(/.*)?
/var/lib/cluster(/.*)?
/var/lib/openais(/.*)?
/var/lib/pengine(/.*)?
/var/lib/corosync(/.*)?
/usr/lib/heartbeat(/.*)?
/var/lib/heartbeat(/.*)?
/var/lib/pacemaker(/.*)?

cluster_var_run_t

/var/run/crm(/.*)?
/var/run/cman_.*
/var/run/rsctmp(/.*)?
/var/run/aisexec.*
/var/run/heartbeat(/.*)?
/var/run/corosync-qnetd(/.*)?
/var/run/corosync-qdevice(/.*)?
/var/run/corosync.pid
/var/run/cpglockd.pid
/var/run/rgmanager.pid
/var/run/cluster/rgmanager.sk

puppet_log_t

/var/log/puppet(/.*)?

puppet_var_lib_t

/var/lib/puppet(/.*)?

puppet_var_run_t

/var/run/puppet(/.*)?

root_t

/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
/
/initrd

security_t

/selinux

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux puppetmaster policy is very flexible, allowing users to set up their puppetmaster processes in as secure a method as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for the puppetmaster. If you want to store files with these types in different paths, you need to execute the semanage command to specify the alternate labeling and then use restorecon to put the labels on disk.

semanage fcontext -a -t puppetmaster_tmp_t '/srv/mypuppetmaster_content(/.*)?'
restorecon -R -v /srv/mypuppetmaster_content

Note: SELinux often uses regular expressions to specify labels that match multiple files.

The following file types are defined for puppetmaster:

puppetmaster_exec_t

- Set files with the puppetmaster_exec_t type, if you want to transition an executable to the puppetmaster_t domain.

Paths:
/usr/bin/puppetmasterd, /usr/sbin/puppetmasterd, /usr/bin/start-puppet-master

puppetmaster_initrc_exec_t

- Set files with the puppetmaster_initrc_exec_t type, if you want to transition an executable to the puppetmaster_initrc_t domain.

puppetmaster_tmp_t

- Set files with the puppetmaster_tmp_t type, if you want to store puppetmaster temporary files in the /tmp directories.

Note: File context can be temporarily modified with the chcon command. If you want to permanently change the file context you need to use the semanage fcontext command. This will modify the SELinux labeling database. You will need to use restorecon to apply the labels.
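A follow-up check after semanage fcontext and restorecon is whether the files under the paths above actually carry the types this page lists. The function below is an added example (not from this page or from sepolicy): it matches ls -Z style output against the file_contexts regexes given here, including the custom /srv/mypuppetmaster_content mapping, and reports every mislabeled path together with the restorecon call that would fix it; the ls -Z lines are constructed.

```shell
#!/bin/sh
# Added example: find files whose on-disk label differs from the file_contexts
# pattern that should cover them, using the patterns this page lists.

# "type=regex" pairs: the page's default mappings plus the custom
# /srv/mypuppetmaster_content mapping from the semanage example above.
EXPECTED='puppet_log_t=^/var/log/puppet(/.*)?$
puppet_var_lib_t=^/var/lib/puppet(/.*)?$
puppet_var_run_t=^/var/run/puppet(/.*)?$
puppetmaster_exec_t=^/usr/bin/puppetmasterd$
puppetmaster_tmp_t=^/srv/mypuppetmaster_content(/.*)?$'

# Constructed "ls -Z"-style lines (context, then path), not from a real host.
SAMPLE_LS='system_u:object_r:puppet_log_t:s0 /var/log/puppet/puppetmaster.log
system_u:object_r:var_lib_t:s0 /var/lib/puppet/ssl
system_u:object_r:puppetmaster_exec_t:s0 /usr/bin/puppetmasterd
system_u:object_r:var_run_t:s0 /var/run/puppet/puppetmasterd.pid
system_u:object_r:puppetmaster_tmp_t:s0 /srv/mypuppetmaster_content/cache
unconfined_u:object_r:user_home_t:s0 /home/admin/notes.txt'

# label_drift EXPECTED: read "context path" lines on stdin; for every path that
# matches one of the EXPECTED regexes but carries a different type, print the
# mismatch and the restorecon call that would relabel it. Paths matched by no
# pattern (like the home directory file) are ignored.
label_drift() {
    EXPECTED="$1" awk '
        BEGIN {
            # a single-space separator splits on any whitespace, newlines included
            n = split(ENVIRON["EXPECTED"], items, " ")
            for (i = 1; i <= n; i++) {
                eq = index(items[i], "=")
                want[substr(items[i], 1, eq - 1)] = substr(items[i], eq + 1)
            }
        }
        NF == 2 {
            split($1, ctx, ":"); have = ctx[3]; path = $2
            for (t in want)
                if (path ~ want[t] && have != t)
                    printf "%s: labeled %s, expected %s (restorecon -v %s)\n", path, have, t, path
        }'
}

# Example run over the constructed sample; on a live host: ls -RZ /var/lib/puppet | ... | label_drift "$EXPECTED"
printf '%s\n' "$SAMPLE_LS" | label_drift "$EXPECTED"
```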

COMMANDS

semanage fcontext can also be used to manipulate default file context mappings.

semanage permissive can also be used to manipulate whether or not a process type is permissive.

semanage module can also be used to enable/disable/install/remove policy modules.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy settings.

AUTHOR

This manual page was auto-generated using sepolicy manpage.

SEE ALSO

selinux(8), puppetmaster(8), semanage(8), restorecon(8), chcon(1), sepolicy(8), setsebool(8)

puppetmaster 21-03-26 puppetmaster_selinux(8)