Securing /etc/puppet on CentOS

I’ve recently delved in to the world of Puppet to manage some CentOS servers. In the process I noticed something. The /etc/puppet directory is owned by root:root but puppet runs as the user puppet. What does this mean? A couple of things:

  • To edit the manifests or modules I either have to be root or constantly be typing sudo (annoying).
  • For the puppetmaster process, which runs as puppet:puppet to access the files, the manifest and modules must be world readable.  This means a lot of information is visible to the world, encrypted or not.
  • I can’t use my favorite editor to edit files over ssh. (I know, a personal gripe, but valid in my books.)

So I’m trying an experiment that I hope will secure the data a bit more and make editing the files more hastle free.

  • Recursively changed the group of /etc/puppet to puppet.
  • Put myself in the puppet group.  I can now edit the files without being root.  (See newgrp(1).)
  • I’ll slowly begin to set the Other permission bits to 0, hiding the files and their contents from prying eyes.




The minimum set of fonts required for RHEL/CentOS 6

You try and keep X11 off your servers, but sometimes there is that one application.  If it’s a RHEL/CentOS application there is a good chance you can get away with installing only two fonts.

yum install dejavu-sans-fonts dejavu-serif-fonts

Note: It is possible other packages will be installed as dependencies.

Getting Corosync networking to work with SELinux

The Following are the steps necessary to get Corosync UPD networking to work with SELinux enabled.

Update: If you use port numbers 5404 and 5405, you will not need to perform any of the steps listed below.  These are the ports used by RedHat’s Cluster Suite and are configured in the latest selinux-policy packages (as of 2013/05/23) to allow heartbeat and corosync to bind to them.

The Setup:

  • CentOS 6.3
  • SElinux is enabled
  • Corosync is configured to use UDP port 5000

1. Install the semanage tool.

yum install policycoreutils-python

2. Determine the ports to allow.

Corosync uses two UPD ports, one for sending and a second for receiving.  In the corosync.conf file you only specify one of the two.  The second port is the specified port -1.  So if you’re using port 5000, the second port is 4999.

3. Add the two ports to the netsupport_port_t SELinux type.

semanage port -a -t netsupport_port_t -p udp 4999
semanage port -a -t netsupport_port_t -p udp 5000

4. Restart corosync

Even though we updated SELinux, a running corosync process is still running under the old rules.  Restarting corosync will create a new corosync process running with the updated SELinux rules.


Edit 2012.7.20 Fixed port numbers.



Redhat Announces Red Hat Enterprise 6 Now Available

At a press conference today, Red Hat announced the availability of the latest version of their enterprise server, Red Hat Enterprise Server 6.  You can read the full press release at