Version 3 (modified by thomas, 11 years ago) (diff)


Puppet Tweaks

selinux httpd module

Using puppet server with passenger will require some selinux hacks since puppet will effectively be running as apache.

Here is what we have so far...


require {
	type httpd_t;
	type puppet_var_lib_t;
	type puppet_var_run_t;
	type puppet_log_t;
	type puppet_port_t;
	type lib_t;
	type httpd_tmp_t;
	type port_t;

allow httpd_t puppet_var_lib_t:dir rw_dir_perms;
allow httpd_t puppet_var_lib_t:file manage_file_perms;
allow httpd_t puppet_var_run_t:dir {search getattr};
allow httpd_t puppet_log_t:dir rw_dir_perms;
allow httpd_t puppet_log_t:file rw_file_perms;
allow httpd_t puppet_log_t:file create_file_perms;
allow httpd_t puppet_log_t:file setattr;
allow httpd_t puppet_port_t:tcp_socket name_bind;
allow httpd_t lib_t:file execute_no_trans;
allow httpd_t httpd_tmp_t:sock_file rw_sock_file_perms;
allow httpd_t httpd_tmp_t:sock_file {create unlink setattr};
allow httpd_t self:capability { fowner fsetid sys_ptrace };
allow httpd_t port_t:udp_socket name_bind;

Install selinux-policy to get /usr/share/selinux/devel directory, make a file in that directory called httpd-puppet.te

Then make the module

[root@server devel]# make httpd-puppet.pp
Compiling targeted httpd-puppet module
/usr/bin/checkmodule:  loading policy configuration from tmp/httpd-puppet.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/httpd-puppet.mod
Creating targeted httpd-puppet.pp policy package
rm tmp/httpd-puppet.mod tmp/httpd-puppet.mod.fc
[root@server devel]#