Last active
August 29, 2015 14:08
-
-
Save vinzent/18ed6d6476273dd4e65c to your computer and use it in GitHub Desktop.
SELinux, Puppet (PupetLabs Open-Source) and Passenger (EPEL) on RHEL6
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Environment: RHEL6 with Passenger from EPEL and Puppet Open-source from yum.puppetlabs.com | |
| # Howto compile: | |
| # yum install checkpolicy | |
| # checkmodule -M -m -o local_puppet_passenger.mod local_puppet_passenger.te && | |
| # semodule_package -o local_puppet_passenger.pp -m local_puppet_passenger.mod && | |
| # semodule --install local_puppet_passenger.pp | |
| module local_puppet_passenger 2.17; | |
| require { | |
| type puppetmaster_t, puppetmaster_exec_t, passenger_t, passenger_var_run_t; | |
| type passenger_tmp_t; | |
| type httpd_t; | |
| type devpts_t; | |
| type locale_t; | |
| type transproxy_port_t; | |
| type puppet_etc_t; | |
| type iptables_exec_t; | |
| class process { transition sigkill }; | |
| class file { execute read getattr open write execute_no_trans } ; | |
| class unix_stream_socket { getattr accept read write }; | |
| class dir { getattr search write add_name remove_name }; | |
| class sock_file { create unlink setattr write }; | |
| class fifo_file { write }; | |
| class tcp_socket { name_connect }; | |
| } | |
| #============= puppetmaster_t ============== | |
| allow puppetmaster_t passenger_t:unix_stream_socket { getattr accept read write }; | |
| allow puppetmaster_t passenger_var_run_t:dir { getattr search write add_name remove_name }; | |
| allow puppetmaster_t passenger_var_run_t:sock_file { create unlink setattr }; | |
| allow puppetmaster_t passenger_tmp_t:dir { search write remove_name getattr add_name }; | |
| allow puppetmaster_t passenger_tmp_t:file { getattr read write }; | |
| allow puppetmaster_t passenger_tmp_t:sock_file { create write unlink setattr }; | |
| allow puppetmaster_t transproxy_port_t:tcp_socket name_connect; | |
| allow puppetmaster_t iptables_exec_t:file { getattr execute execute_no_trans read execute open }; | |
| # allow execution of config_version script | |
| # (/var/lib/puppet/environments/production/bin/get_environment_commit) | |
| # my environments are in /var/lib/puppet/environments/* | |
| # needs also fcontext: semanage fcontext -a -t puppet_etc_t "/var/lib/puppet/environments(/.*)?" | |
| allow puppetmaster_t puppet_etc_t:file { execute execute_no_trans }; | |
| #============= httpd_t ============== | |
| allow httpd_t passenger_tmp_t:sock_file write; | |
| #============= passenger_t ============== | |
| allow passenger_t devpts_t:dir search; | |
| allow passenger_t locale_t:dir search; | |
| allow passenger_t locale_t:file { read getattr open }; | |
| allow passenger_t puppetmaster_t:process sigkill; | |
| allow passenger_t puppetmaster_t:fifo_file write; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # use for selinux type transition | |
| # save as: /usr/share/puppet/rack/puppetmaster-ruby | |
| # make executable: chmod +x /usr/share/puppet/rack/puppetmaster-ruby | |
| # change selinux type: semanage fcontext -a -t puppetmaster_exec_t /usr/share/puppet/rack/puppetmaster-ruby && restorecon /usr/share/puppet/rack/puppetmaster-ruby | |
| # Set PassengerRuby in Passenger Config (default: /etc/httpd/conf.d/passenger.conf) to /usr/share/puppet/rack/puppetmaster-ruby | |
| exec /usr/bin/ruby $* |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment